Due to ACL Unable to Remote telnet my router

dksingh.info
Level 1

I have configured the router for NAT with overload (PAT). I configured the router as follows:

ip nat inside source list 101 interface FastEthernet0/0 overload

access-list 101 permit ip any any

With this configuration I am able to access the Internet and telnet from the LAN (inside), but I am unable to telnet from outside (remote), although I am able to ping my router. When I remove the access-list permit ip any any, I am able to telnet to my router but I am unable to access the Internet. Kindly help me resolve this ACL problem.

Regards,

Dharmendra Kumar Singh

VIDEOCON,Kashipur


11 Replies

Giuseppe Larosa
Hall of Fame

Hello Dharmendra,

I would suggest using a more specific ACL with NAT.

access-list 75 permit a.a.a.a 0.0.b.b

where a.a.a.a is the subnet on the inside interface.

Be aware that allowing telnet from outside can be dangerous without security measures.

Hope to help

Giuseppe

Dear Sir,

We are using inside NATing. Do we need to use outside NATing with an ACL to enable remote telnet?

Please advise.

Regards

Dharmendra

Hello Dharmendra,

Usually the ACL used with NAT just lists the connected LAN subnets where you have the ip nat inside command.

With an ACL like 101 there's nothing left out of translation. This is part of the problem, I suppose.

My understanding was that you would like to be able to telnet to the public IP address on the outside interface.

ip nat outside is useful if you want to provide access to some host on the inside, for example if you have a web server that you want to be accessible from the Internet. If you just want to telnet to the public IP address, I think you just need a more specific ACL.

Hope to help

Giuseppe

Can you please tell us what that ACL should be, so that we can try it?

Please reply ASAP.

Regards

Dharmendra

If your LAN subnet were 192.168.1.0/24, then you could use

access-list 1 permit 192.168.1.0 0.0.0.255

(you need to keep it specific to the LAN traffic that you want to NAT)

When you use access-list 101 permit ip any any, it is trying to NAT ALL traffic. So the source address you are trying to telnet from (the outside) is being NATted on its way back out, and the reply traffic will never make it back.

Hello Gary,

I do think that ACL 101 is the origin of the problem.

Best Regards

Giuseppe

shane.kearney
Level 1

Hello, could you provide me with the full configuration of the NATing router and the full access-list configuration, as well as the NAT pool, so I can try to find the cause please.

Regards,

Shane.

Dear Mr. Shane,

Please find the NAT with overload (PAT) and access-list configuration below, and help me resolve the problem:

access-list 101 permit ip any any

ip nat inside source list 101 interface FastEthernet0/0 overload

interface FastEthernet0/0
 ip nat outside

interface FastEthernet0/1
 ip nat inside

Regards,

Dharmendra Kumar

Hello Dharmendra,

What is your IP address on the Fa0/1 inside interface?

Let's suppose it is 10.10.20.1 255.255.254.0.

I was suggesting that you use a different ACL, like

access-list 75 permit 10.10.20.0 0.0.1.255

and then

no ip nat inside source list 101 interface FastEthernet0/0 overload

ip nat inside source list 75 interface FastEthernet0/0 overload

This should solve the problem of not being able to telnet to the public IP address when NAT is configured.

Hope to help

Giuseppe
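For reference, the problem configuration and the corrected one side by side, as an added example that is not part of the original thread. It assumes the addressing Giuseppe used above (inside LAN 10.10.20.0/23 behind FastEthernet0/1), plus an assumed public address 203.0.113.2/24 on FastEthernet0/0, an assumed inside web server 10.10.20.50 for the static-NAT case Giuseppe distinguishes earlier, and an assumed management host 198.51.100.10; the vty access-class at the end is one way to act on his warning that telnet from outside is dangerous without security measures.

```cisco
! --- Before (problem): ACL 101 matches every source address, so nothing is
! --- left out of translation. The router's own replies to an outside telnet
! --- client are also matched by the NAT ACL, which is what breaks remote telnet.
access-list 101 permit ip any any
ip nat inside source list 101 interface FastEthernet0/0 overload

! --- After (fix): only the inside LAN is a translation candidate.
! --- 10.10.20.0 with wildcard 0.0.1.255 covers 10.10.20.0 - 10.10.21.255 (/23).
no ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 75 permit 10.10.20.0 0.0.1.255
ip nat inside source list 75 interface FastEthernet0/0 overload

interface FastEthernet0/0
 description Outside (assumed address from the RFC 5737 documentation range)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside

interface FastEthernet0/1
 description Inside LAN (address from Giuseppe's example)
 ip address 10.10.20.1 255.255.254.0
 ip nat inside

! --- Only needed for the separate case Giuseppe describes: exposing an inside
! --- server to the Internet. Not required for telnet to the router itself.
! --- 10.10.20.50 is an assumed server address; "extendable" lets the static
! --- entry share the interface's public address with the overload pool.
ip nat inside source static tcp 10.10.20.50 80 203.0.113.2 80 extendable

! --- Security measure for remote management: restrict the vty lines to an
! --- assumed admin host instead of accepting telnet from any Internet source.
! --- Replace "telnet ssh" with "ssh" once SSH is configured on the router.
access-list 10 permit host 198.51.100.10
line vty 0 4
 access-class 10 in
 transport input telnet ssh
```

After applying the change, `show ip nat translations` should list only entries whose inside local address falls in 10.10.20.0/23; if an entry appears with the outside telnet client's address as its inside local address, the NAT ACL is still too broad.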

Thanks Mr. Giuseppe and all members of this forum.

My problem is solved now.

Regards,

Dharmendra Kumar Singh

Hello Dharmendra,

I'm happy we have been helpful.

I thought you might need a more detailed procedure to make the changes.

If you can, rate one of the posts; I've seen you have checked the solved symbol.

Best Regards

Giuseppe
