Due to ACL Unable to Remote telnet my router

Answered Question
Sep 4th, 2008

I have configured the router for NAT with overload (PAT). I have configured the router as follows:


ip nat inside source list 101 interface FastEthernet0/0 overload

access-list 101 permit ip any any



Through this configuration I am able to access the Internet and telnet from the LAN (inside), but I am unable to telnet from outside (remote), although I am able to ping my router. When I remove the access-list permit ip any any, I am able to telnet to my router but I am unable to access the Internet. Kindly help me to resolve this ACL problem.


Regards,

Dharmendra Kumar Singh

VIDEOCON, Kashipur



Giuseppe Larosa Thu, 09/04/2008 - 01:25

Hello Dharmendra,

I would suggest using a more specific ACL with NAT.


access-list 75 permit a.a.a.a 0.0.b.b


where a.a.a.a is the subnet on the inside interface.



Be aware that allowing telnet from outside can be dangerous without security measures.


Hope to help

Giuseppe

dksingh.info Thu, 09/04/2008 - 01:39

Dear Sir,


We are using inside NAT. Do we need to use outside NAT with an ACL to enable remote telnet?



Please advise.


Regards


Dharmendra

Giuseppe Larosa Thu, 09/04/2008 - 01:46

Hello Dharmendra,

Usually the ACL used with NAT just lists the connected LAN subnets where you have the ip nat inside command.

With an ACL like 101 there's nothing left out of translation. This is part of the problem, I suppose.

My understanding was that you would like to be able to telnet to the public IP address on the outside interface.

ip nat outside is useful if you want to provide access to some host on the inside interface, for example if you have a web server that you want to be accessed from the Internet. If you just want to telnet to the public IP address, I think you just need a more specific ACL.


Hope to help

Giuseppe


dksingh.info Thu, 09/04/2008 - 02:53

Can you please tell us what that ACL should be, so that we can try with that?


Please reply ASAP.


Regards


Dharmendra

If your LAN subnet were 192.168.1.0 /24, then you could use


access-list 1 permit 192.168.1.0 0.0.0.255

(you need to keep it specific to the LAN traffic that you want to NAT; a standard ACL entry with no wildcard mask matches only the single host 192.168.1.0)



When you use access-list 101 permit ip any any


it is trying to NAT ALL traffic. So the source address you are trying to telnet from (the outside) is being NATted on its way back out, and the reply traffic will never make it back.

Giuseppe Larosa Thu, 09/04/2008 - 05:49

Hello Gary,

I do think that ACL 101 is the origin of the problem.



Best Regards

Giuseppe

shane.kearney Fri, 09/05/2008 - 10:11

Hello, could you provide me with the full configuration of the NAT router, the full access-list configuration and also the NAT pool, so I can try to find the cause, please?

Regards,

Shane.

dksingh.info Fri, 09/05/2008 - 19:48

Dear Mr.Shane,

Please find the NAT with overload (PAT) and access-list configuration below, and help me to resolve the problem.


access-list 101 permit ip any any

ip nat inside source list 101 interface FastEthernet0/0 overload

interface FastEthernet0/0
 ip nat outside

interface FastEthernet0/1
 ip nat inside



Regards,


Dharmendra Kumar

Correct Answer
Giuseppe Larosa Fri, 09/05/2008 - 22:49

Hello Dharmendra,


What is your IP address on the fa0/1 inside interface?


Let's suppose it is 10.10.20.1 255.255.254.0.


I was suggesting that you use a different ACL like


access-list 75 permit 10.10.20.0 0.0.1.255

and then

no ip nat inside source list 101 interface FastEthernet0/0 overload

ip nat inside source list 75 interface FastEthernet0/0 overload


This should solve the problem of not being able to telnet to the public IP address when NAT is configured.



Hope to help

Giuseppe
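The two explanations above (Gary's, that "permit ip any any" makes NAT consider every source address, and Giuseppe's subnet-specific ACL 75) come down to how IOS wildcard masks select addresses. The following is an added example written for this page, not code from the thread or from Cisco: it evaluates the ACLs quoted in the thread against constructed addresses (10.10.20.0/23 is the inside LAN assumed in the accepted answer; 203.0.113.10 stands in for a remote administrator on the Internet) and shows which sources each ACL would hand to the NAT process, including why a standard ACL entry with no wildcard matches only one host.

```python
# Added example (not from the original thread): evaluate which source
# addresses a Cisco-style NAT ACL selects for translation, to show why
# "access-list 101 permit ip any any" is too broad and a subnet-specific
# ACL like "access-list 75 permit 10.10.20.0 0.0.1.255" is the right shape.
# Addresses are constructed: 10.10.20.0/23 is the inside LAN assumed in the
# accepted answer; 203.0.113.10 stands in for a remote administrator.
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


def netmask_to_wildcard(mask: str) -> str:
    """Cisco wildcard mask is the bitwise inverse of the subnet mask
    (255.255.254.0 -> 0.0.1.255, 255.255.255.0 -> 0.0.0.255)."""
    return str(IPv4Address(int(IPv4Address(mask)) ^ ALL_ONES))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; a 0 bit must equal base."""
    care = int(IPv4Address(wildcard)) ^ ALL_ONES
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def acl_selects(entries, addr: str) -> bool:
    """entries: list of (action, base, wildcard) as written in IOS.
    'any' is 0.0.0.0 255.255.255.255; a standard-ACL entry with no wildcard
    is a single host (wildcard 0.0.0.0). First match wins; no match is the
    implicit deny, i.e. the packet is left untranslated by NAT."""
    for action, base, wildcard in entries:
        if base == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        if wildcard_match(addr, base, wildcard or "0.0.0.0"):
            return action == "permit"
    return False


# The ACLs discussed in the thread, as IOS would parse them.
ACL_101 = [("permit", "any", None)]                   # access-list 101 permit ip any any
ACL_75 = [("permit", "10.10.20.0", "0.0.1.255")]      # access-list 75 permit 10.10.20.0 0.0.1.255
ACL_1_HOST_ONLY = [("permit", "192.168.1.0", None)]   # access-list 1 permit 192.168.1.0 (no wildcard)
ACL_1_SUBNET = [("permit", "192.168.1.0", "0.0.0.255")]

INSIDE_HOST = "10.10.21.200"     # constructed: a PC on the /23 inside LAN
REMOTE_ADMIN = "203.0.113.10"    # constructed: someone telnetting in from the Internet


def translation_report(acls: dict, addrs) -> dict:
    """For each ACL, which of the given source addresses NAT would select."""
    return {name: {a: acl_selects(acl, a) for a in addrs}
            for name, acl in acls.items()}


if __name__ == "__main__":
    acls = {"101 (any any)": ACL_101, "75 (/23 LAN)": ACL_75}
    for name, row in translation_report(acls, [INSIDE_HOST, REMOTE_ADMIN]).items():
        print(name, row)
    print("wildcard for 255.255.254.0:", netmask_to_wildcard("255.255.254.0"))
```

Run as a script it prints, for each ACL, whether the inside PC and the remote administrator's address would be selected for translation: ACL 101 selects both, ACL 75 selects only the inside LAN. Narrowing the NAT ACL only limits which source addresses the NAT process considers; it does nothing to protect the exposed telnet service itself, which is the caveat Giuseppe raised earlier in the thread. On IOS the usual controls for that are an access-class on the vty lines restricting the source addresses allowed to connect, and replacing telnet with SSH (transport input ssh).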


dksingh.info Sat, 09/06/2008 - 02:21

Thanks Mr. Giuseppe and all members of this forum.


My problem is solved now.


Regards,


Dharmendra Kumar Singh


Giuseppe Larosa Sat, 09/06/2008 - 04:16

Hello Dharmendra,

I'm happy we have been helpful.

I thought you might need a more detailed procedure to make the changes.


If you can, rate one of the posts; I've seen you have checked the solved symbol.



Best Regards

Giuseppe
