Due to ACL Unable to Remote telnet my router

Answered Question
Sep 4th, 2008

I have configured the router for NAT with overload (PAT). I have configured the router as follows:

#IP NAT INSIDE SOURCE LIST 101 INTERFACE FASTETHERNET 0/0 OVERLOAD

#ACCESS-LIST 101 PERMIT IP ANY ANY

With this configuration I am able to access the Internet and telnet from the LAN (inside), but I am unable to telnet from outside (remote), even though I am able to ping my router. When I remove the access list permit ip any any, then I am able to telnet to my router, but I am unable to access the Internet. Kindly help me to resolve this ACL problem.

Regards,

Dharmendra Kumar Singh

VIDEOCON,Kashipur

Giuseppe Larosa Thu, 09/04/2008 - 01:25

Hello Dharmendra,

I would suggest using a more specific ACL with NAT.

access-list 75 permit a.a.a.a 0.0.b.b

where a.a.a.a is the subnet on the inside interface.

Be aware that allowing telnet from outside can be dangerous without security measures.

Hope to help

Giuseppe

dksingh.info Thu, 09/04/2008 - 01:39

Dear Sir,

We are using inside NAT. Do we need to use outside NAT with an ACL to enable remote telnet?

Please advise.

Regards

Dharmendra

Giuseppe Larosa Thu, 09/04/2008 - 01:46

Hello Dharmendra,

Usually the ACL used with NAT just lists the connected LAN subnets where you have the ip nat inside command.

With an ACL like 101 there's nothing left out of translation. This is part of the problem, I suppose.

My understanding was that you would like to be able to telnet to the public IP address on the outside interface.

ip nat outside is useful if you want to provide access to some host on the inside interface, for example if you have a web server you want to be accessed from the Internet. If you just want to telnet to the public IP address, I think you just need a more specific ACL.

Hope to help

Giuseppe

dksingh.info Thu, 09/04/2008 - 02:53

Can you please tell us what that ACL should be, so that we can try it?

Please reply ASAP.

Regards

Dharmendra

If your LAN subnet were 192.168.1.0 /24, then you could use

access-list 1 permit 192.168.1.0 0.0.0.255 (you need to keep it specific to your LAN traffic that you want to NAT)

When you use access-list 101 permit ip any any

it is trying to NAT ALL traffic. So the source address you are trying to telnet from (the outside) is being NATted on its way back out and the reply traffic will never make it back.

Giuseppe Larosa Thu, 09/04/2008 - 05:49

Hello Gary,

I do think that ACL 101 is the origin of the problem.

Best Regards

Giuseppe

shane.kearney Fri, 09/05/2008 - 10:11

Hello, could you provide me with the full configuration of the NAT router, the full access list configuration and also the NAT pool, so I can try to find the cause, please?

Regards,

Shane.

dksingh.info Fri, 09/05/2008 - 19:48

Dear Mr. Shane,

Please find the NAT with overload (PAT) and access list configuration, and help me to resolve the problem.

#Access-List 101 Permit IP Any Any

#IP NAT Inside Source List 101 Int F0/0 Overload

#Int F0/0

#IP NAT Outside

#Int F0/1

#IP NAT Inside

Regards,

Dharmendra Kumar

Correct Answer
Giuseppe Larosa Fri, 09/05/2008 - 22:49

Hello Dharmendra,

What is your IP address on the fas0/1 inside interface?

Let's suppose it is 10.10.20.1 255.255.254.0

I was suggesting that you use a different ACL, like

access-list 75 permit 10.10.20.0 0.0.1.255

and then

no IP NAT Inside Source List 101 Int F0/0 Overload

ip nat inside source list 75 int f0/0 overload

This should solve the problem of not being able to telnet on the public ip address when NAT is configured.

Hope to help

Giuseppe
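
An added example, not part of the original thread and not Cisco tooling: a small Python check that flags a NAT overload rule whose ACL permits any source, and derives the subnet-specific ACL line from the inside interface address. The sample configuration is constructed from the thread, using the answer's assumed inside address 10.10.20.1 255.255.254.0; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config modelled on the thread; the inside address is
# the one the answer assumes (10.10.20.1 255.255.254.0).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip address 10.10.20.1 255.255.254.0
 ip nat inside
access-list 101 permit ip any any
ip nat inside source list 101 interface FastEthernet0/0 overload
"""

def inside_networks(config):
    """Return the connected subnets of interfaces marked 'ip nat inside'."""
    nets = []
    for block in re.split(r"(?m)^(?=interface )", config):
        addr = re.search(r"(?m)^ ip address (\S+) (\S+)", block)
        if addr and re.search(r"(?m)^ ip nat inside\s*$", block):
            nets.append(ipaddress.ip_interface(f"{addr[1]}/{addr[2]}").network)
    return nets

def suggested_acl(net, number=75):
    """Standard ACL line using the wildcard (inverse) mask of one subnet."""
    return f"access-list {number} permit {net.network_address} {net.hostmask}"

def audit_nat_acls(config):
    """Flag NAT rules whose ACL permits any source address.

    Returns a list of (acl_name, [suggested replacement ACL lines]).
    Only 'permit any' and 'permit ip any ...' entries are recognised.
    """
    findings = []
    for acl in re.findall(r"(?m)^ip nat inside source list (\S+) ", config):
        entries = re.findall(
            rf"(?m)^access-list {re.escape(acl)} permit (.+)$", config)
        if any(re.match(r"(ip\s+)?any\b", e) for e in entries):
            findings.append(
                (acl, [suggested_acl(n) for n in inside_networks(config)]))
    return findings

if __name__ == "__main__":
    for acl, fixes in audit_nat_acls(SAMPLE_CONFIG):
        print(f"ACL {acl} translates every source; use instead:", *fixes, sep="\n  ")
```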

dksingh.info Sat, 09/06/2008 - 02:21

Thanks, Mr. Giuseppe and all members of this forum.

My problem is solved now.

Regards,

Dharmendra Kumar Singh

Giuseppe Larosa Sat, 09/06/2008 - 04:16

Hello Dharmendra,

I'm happy we have been helpful.

I thought you could need a more detailed procedure to make the changes.

If you can, rate one of the posts: I've seen you have checked the solved symbol.

Best Regards

Giuseppe
