09-04-2008 01:18 AM - edited 03-03-2019 11:24 PM
I have configured the router for NATing with overload (PAT). I have configured the router as follows:
#IP NAT INSIDE SOURCE LIST 101 INTERFACE FASTETHERNET 0/0 OVERLOAD
#ACCESS-LIST 101 PERMIT IP ANY ANY
Through this configuration I am able to access the Internet and telnet from the LAN (inside), but I am unable to telnet from outside (remote); instead I'm able to ping my router. When I remove the access-list permit ip any any, then I am able to telnet to my router but I am unable to access the Internet. Kindly help me to resolve this ACL problem.
Regards,
Dharmendra Kumar Singh
VIDEOCON,Kashipur
09-04-2008 01:25 AM
Hello Dharmendra,
I would suggest using a more specific ACL with NAT.
access-list 75 permit a.a.a.a 0.0.b.b
where a.a.a.a is the subnet on the inside interface.
Be aware that allowing telnet from outside can be dangerous without security measures.
Hope to help
Giuseppe
09-04-2008 01:39 AM
Dear Sir,
We are using inside NATing. Do we need to use outside NATing with an ACL to enable remote telnet?
Pls advise.
Rgrds
Dharmendra
09-04-2008 01:46 AM
Hello Dharmendra,
Usually the ACL used with NAT just lists the connected LAN subnets where you have the ip nat inside command.
With an ACL like 101 there's nothing left out of translation. This is part of the problem, I suppose.
My understanding was that you would like to be able to telnet to the public IP address on the outside interface.
ip nat outside is useful if you want to provide access to some host on the inside interface, for example if you have a web server you want to be accessed from the Internet. If you just want to telnet to the public IP address, I think you just need a more specific ACL.
Hope to help
Giuseppe
09-04-2008 02:53 AM
Can you please tell us what that ACL should be, so that we can try with that?
Pls reply ASAP.
Regards
Dharmendra
09-04-2008 04:23 AM
If your LAN subnet were 192.168.1.0 /24, then you could use
access-list 1 permit 192.168.1.0 0.0.0.255 (you need to keep it specific to your LAN traffic that you want to NAT)
When you use access-list 101 permit ip any any, it is trying to NAT ALL traffic. So the source address you are trying to telnet from (the outside) is being NATTED on its way back out & the reply traffic will never make it back.
09-04-2008 05:49 AM
Hello Gary,
I do think that ACL 101 is the origin of the problem.
Best Regards
Giuseppe
09-05-2008 10:11 AM
Hello, could you provide me with the full configuration of the NATing router, the full access list configuration and also the NAT pool, so I can try to find the cause, please?
Regards,
Shane.
09-05-2008 07:48 PM
Dear Mr.Shane,
Pls find the NATing with overload (PATing) and access list configuration and help me to resolve the problem
#Access-List 101 Permit IP Any Any
#IP NAT Inside Source List 101 Int F0/0 Overload
#Int F0/0
#IP NAT Outside
#Int F0/1
#IP NAT Inside
Regards,
Dharmendra Kumar
09-05-2008 10:49 PM
Hello Dharmendra,
What is your IP address on the fas0/1 inside interface?
Let's suppose it is 10.10.20.1 255.255.254.0
I was suggesting that you use a different ACL, like
access-list 75 permit 10.10.20.0 0.0.1.255
and then
no IP NAT Inside Source List 101 Int F0/0 Overload
ip nat inside source list 75 int f0/0 overload
This should solve the problem of not being able to telnet on the public ip address when NAT is configured.
Hope to help
Giuseppe
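An added example, not part of the original thread or any poster's code: a small Python check for the pattern discussed above, a PAT rule whose ACL permits any, which also derives the narrower standard-ACL entry from the ip nat inside interface. The sample configuration is constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config, modelled on the commands posted in the thread
# (the inside address is the one assumed in the reply above).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip address 10.10.20.1 255.255.254.0
 ip nat inside
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 101 permit ip any any
"""

def inside_subnets(config):
    """Return the networks configured on interfaces marked 'ip nat inside'."""
    nets = []
    for block in re.split(r"(?m)^(?=interface )", config):
        if not re.search(r"(?m)^ ip nat inside\s*$", block):
            continue
        m = re.search(r"(?m)^ ip address (\S+) (\S+)", block)
        if m:
            nets.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
    return nets

def audit_nat_acls(config):
    """Flag NAT source lists whose ACL permits 'any' and propose a narrow entry."""
    findings = []
    for acl in re.findall(r"(?mi)^ip nat inside source list (\S+) .*overload", config):
        entries = re.findall(rf"(?mi)^access-list {re.escape(acl)} permit (.+)$", config)
        # 'permit any' (standard ACL) or 'permit ip any any' (extended ACL)
        broad = [e for e in entries if re.fullmatch(r"(ip\s+)?any(\s+any)?", e.strip(), re.I)]
        if broad:
            fix = [f"permit {n.network_address} {n.hostmask}" for n in inside_subnets(config)]
            findings.append({"acl": acl, "broad": broad, "suggest": fix})
    return findings

if __name__ == "__main__":
    for f in audit_nat_acls(SAMPLE_CONFIG):
        print(f"ACL {f['acl']} translates everything: {f['broad']}")
        for line in f["suggest"]:
            print(f"  narrower standard ACL entry: {line}")
```
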
09-06-2008 02:21 AM
Thanks Mr. Giuseppe and all members of this forum
My Problem is Solved Now.
Regards,
Dharmendra Kumar Singh
09-06-2008 04:16 AM
Hello Dharmendra,
I'm happy we have been helpful.
I thought you could need a more detailed procedure to make the changes.
If you can, rate one of the posts: I've seen you have checked the solved symbol.
Best Regards
Giuseppe