Nating

Unanswered Question
Jan 21st, 2008

Currently our ISP assigned me 12.x.x.250/30 to use as the serial interface IP address and one LAN block, 16.x.x.144/28. From outside the network, I am able to SSH to 12.x.x.250 on my router, but I couldn't SSH to 16.x.x.145. Here is my config:

ip dhcp excluded-address 172.16.1.1 172.16.1.20
!
ip dhcp pool Sav
 import all
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
 domain-name x.com
 dns-server 13.x.x.67 13.x.x.68
 lease 0 8
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Serial0/0
 description T1 To
 ip address 12.x.x.250 255.255.255.252
 ip nat outside
 encapsulation ppp
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
!
interface Ethernet0/1
 description Connect To LAN
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 full-duplex
!
ip nat inside source list 7 interface Serial0/0 overload
ip nat inside source static 172.16.1.2 16.x.x.145
ip nat inside source static 172.16.1.3 16.x.x.146
ip nat inside source static 172.16.1.4 16.x.x.147
ip nat inside source static 172.16.1.5 16.x.x.148
ip nat inside source static 172.16.1.6 16.x.x.149
ip nat inside source static 172.16.1.7 16.x.x.150
ip classless
ip route 0.0.0.0 0.0.0.0 12.x.x.249
no ip http server
!
access-list 7 remark Access to Internet
access-list 7 permit 172.16.1.0 0.0.0.255
!

Richard Burts Mon, 01/21/2008 - 13:48

Ken

If I am understanding your question correctly you are attempting SSH to 16.x.x.145. I see in the config that 16.x.x.145 is translated to 172.16.1.2. So my first question is what device is 172.16.1.2, is it available on line (can you ping it from the router, and does it have access to network resources), and is it configured to accept SSH connections?

If we know these aspects of it, we may know better how to approach the solution to your issue.

HTH

Rick

kzhen Mon, 01/21/2008 - 13:56

Hi Rick,

It is a Cisco 3750 switch connected to the router, and it accepts SSH and telnet. I can ping the switch from the router.

Thanks,

Ken

Richard Burts Mon, 01/21/2008 - 14:21

Ken

Thanks for the clarification. Is there anything on the 3750 restricting access (any access lists anywhere or any access-class on the vty)?

If you run debug for ssh and then attempt SSH from outside does the switch see the connection attempt? (is the problem on the way in or on the way out?)

HTH

Rick

Edison Ortiz Mon, 01/21/2008 - 14:18

Ken,

I just duplicated your config here in a lab and it should work provided your ISP is advertising that block out to the internet.

Here is my NAT table:

Pro  Inside global   Inside local    Outside local   Outside global
icmp 16.1.1.145:1    172.16.1.2:1    12.1.1.249:1    12.1.1.249:1
icmp 16.1.1.145:2    172.16.1.2:2    12.1.1.249:2    12.1.1.249:2
icmp 16.1.1.145:3    172.16.1.2:3    12.1.1.249:3    12.1.1.249:3

ping 16.1.1.145
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 16.1.1.145, timeout is 2 seconds:
!!!!!

HTH,

__

Edison.

kzhen Tue, 01/22/2008 - 06:34

Hi Edison,

It works. There is an ACL issue.

Thanks,

Ken
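
The thread does not say which ACL was at fault. As an added example (not code or configuration from any poster), the sketch below models the case Rick asks about: a standard ACL applied to the switch vty lines, evaluated against an inbound SSH session whose destination has been rewritten by the static NAT entry while its source is left unchanged. ACL number 10, its entries and the outside client 203.0.113.10 are constructed assumptions; the NAT pair uses Edison's lab addresses.

```python
import ipaddress

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_standard_acl(config, number):
    """Ordered (action, address, wildcard) entries of a numbered standard ACL."""
    entries = []
    for line in config.splitlines():
        p = line.split()
        if len(p) < 4 or p[:2] != ["access-list", str(number)]:
            continue
        if p[2] not in ("permit", "deny"):
            continue  # "remark" lines carry no match logic
        if p[3] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif p[3] == "host" and len(p) > 4:
            addr, wild = p[4], "0.0.0.0"
        else:
            addr, wild = p[3], (p[4] if len(p) > 4 else "0.0.0.0")
        entries.append((p[2], ip_int(addr), ip_int(wild)))
    return entries

def acl_permits(entries, source):
    """First match wins; a packet matching no entry hits the implicit deny."""
    src = ip_int(source)
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (src & care) == (addr & care):
            return action == "permit"
    return False

def ssh_reaches_vty(acl_text, number, static_nat, src, dst):
    """Static inside NAT rewrites only the destination of an inbound packet,
    so the vty ACL is evaluated against the original outside source."""
    if dst not in static_nat:
        return False  # no translation entry for this inside global address
    return acl_permits(parse_standard_acl(acl_text, number), src)

# Constructed sample data (not taken from the thread's devices).
STATIC_NAT = {"16.1.1.145": "172.16.1.2"}   # inside global -> inside local
CLIENT = "203.0.113.10"                     # documentation-range outside host
LAN_ONLY = """access-list 10 remark hypothetical vty ACL on the switch
access-list 10 permit 172.16.1.0 0.0.0.255"""
WITH_MGMT_HOST = LAN_ONLY + "\naccess-list 10 permit host 203.0.113.10"

if __name__ == "__main__":
    for name, acl in (("LAN only", LAN_ONLY), ("plus mgmt host", WITH_MGMT_HOST)):
        print(name, ssh_reaches_vty(acl, 10, STATIC_NAT, CLIENT, "16.1.1.145"))
```

Permitting one known management host rather than `any` keeps the switch's SSH service from being exposed to the whole Internet through the static translation.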
