Nating

Unanswered Question
Jan 21st, 2008

Currently our ISP has assigned me 12.x.x.250/30 to use as the serial interface IP address and one LAN block, 16.x.x.144/28. From outside the network, I am able to ssh to 12.x.x.250 of my router, but I couldn't ssh to 16.x.x.145. Here is my configuration:


ip dhcp excluded-address 172.16.1.1 172.16.1.20
!
ip dhcp pool Sav
 import all
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
 domain-name x.com
 dns-server 13.x.x.67 13.x.x.68
 lease 0 8
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Serial0/0
 description T1 To
 ip address 12.x.x.250 255.255.255.252
 ip nat outside
 encapsulation ppp
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
!
interface Ethernet0/1
 description Connect To LAN
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 full-duplex
!
ip nat inside source list 7 interface Serial0/0 overload
ip nat inside source static 172.16.1.2 16.x.x.145
ip nat inside source static 172.16.1.3 16.x.x.146
ip nat inside source static 172.16.1.4 16.x.x.147
ip nat inside source static 172.16.1.5 16.x.x.148
ip nat inside source static 172.16.1.6 16.x.x.149
ip nat inside source static 172.16.1.7 16.x.x.150
ip classless
ip route 0.0.0.0 0.0.0.0 12.x.x.249
no ip http server
!
access-list 7 remark Access to Internet
access-list 7 permit 172.16.1.0 0.0.0.255
!



Richard Burts Mon, 01/21/2008 - 13:48

Ken


If I am understanding your question correctly you are attempting SSH to 16.x.x.145. I see in the config that 16.x.x.145 is translated to 172.16.1.2. So my first question is what device is 172.16.1.2, is it available on line (can you ping it from the router, and does it have access to network resources), and is it configured to accept SSH connections?


If we know these aspects of it, we may know better how to approach the solution to your issue.


HTH


Rick

kzhen Mon, 01/21/2008 - 13:56

Hi Rick,


It is a Cisco 3750 switch connected to the router, and it accepts SSH and telnet. I can ping it from the switch from router.


Thanks,

Ken

Richard Burts Mon, 01/21/2008 - 14:21

Ken


Thanks for the clarification. Is there anything on the 3750 restricting access (any access lists anywhere or any access-class on the vty)?


If you run debug for ssh and then attempt SSH from outside does the switch see the connection attempt? (is the problem on the way in or on the way out?)


HTH


Rick

kzhen Tue, 01/22/2008 - 06:35

Hi Rick,


It works now.


Thank you!

Ken

Edison Ortiz Mon, 01/21/2008 - 14:18

Ken,


I just duplicated your config here in a lab and it should work provided your ISP is advertising that block out to the internet.


Here is my NAT table:



Pro   Inside global    Inside local    Outside local   Outside global
icmp  16.1.1.145:1     172.16.1.2:1    12.1.1.249:1    12.1.1.249:1
icmp  16.1.1.145:2     172.16.1.2:2    12.1.1.249:2    12.1.1.249:2
icmp  16.1.1.145:3     172.16.1.2:3    12.1.1.249:3    12.1.1.249:3




ping 16.1.1.145

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 16.1.1.145, timeout is 2 seconds:
!!!!!




HTH,




Edison.

kzhen Tue, 01/22/2008 - 06:34

Hi Edison,


It works. There is an ACL issue.


Thanks,

Ken
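
Added example, not part of the original thread: a small Python audit that lists the static NAT entries in a config like the one posted above and marks the ones that translate every port of the inside host, so that a management service such as SSH or telnet on the 3750 is reachable on the public address unless an ACL filters it. The sample config is constructed, with RFC 5737 documentation addresses standing in for the masked ISP block; the function names and finding labels are this example's own.

```python
import ipaddress
import re

# Constructed sample modelled on the thread; RFC 5737 addresses replace the masked block.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 172.16.1.2 198.51.100.145
ip nat inside source static tcp 172.16.1.3 22 198.51.100.146 22
ip nat inside source static 10.9.9.9 198.51.100.147
"""

# static [tcp|udp] <inside-local> [port] <inside-global> [port]
STATIC_RE = re.compile(r"ip nat inside source static (?:(tcp|udp) )?"
                       r"(\S+)(?: (\d+))? (\S+)(?: (\d+))?")

def inside_networks(config):
    """Subnets of interfaces marked 'ip nat inside'."""
    nets, net = [], None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            net = None                      # new stanza, forget previous address
        m = re.match(r"ip address ([\d.]+) ([\d.]+)$", line)
        if m:
            net = ipaddress.ip_interface("/".join(m.groups())).network
        elif line == "ip nat inside" and net is not None:
            nets.append(net)
    return nets

def audit_static_nat(config):
    """Return (global, local, proto, findings) for each static NAT entry."""
    nets, report = inside_networks(config), []
    for line in map(str.strip, config.splitlines()):
        m = STATIC_RE.match(line)
        if not m:
            continue
        proto, local, _lport, glob, _gport = m.groups()
        findings = []
        if proto is None:                   # one-to-one: every port is translated
            findings.append("all-ports")
        if not any(ipaddress.ip_address(local) in n for n in nets):
            findings.append("local-not-on-inside-interface")
        report.append((glob, local, proto or "ip", findings))
    return report

if __name__ == "__main__":
    print(*audit_static_nat(SAMPLE_CONFIG), sep="\n")
```

Every static entry in the posted config has the first form (no protocol or port), so each would be reported as `all-ports`.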
