Telnet With NAT

Harmeet Singh
Level 1

Hello,

As shown in the picture I attached, I configured NAT on R1. Now I want to deny telnet on R2 for qemu1. How can I do that?

16 Replies

Harmeet Singh
Level 1

I ran these commands:

1. access-list 1 deny 10.0.0.2 0.0.0.0
2. access-list 1 permit any
3. line vty 0 4
4. access-class 1 in

But telnet remains permitted on R2, because the IP 10.0.0.2 doesn't go outside; the request from 10.0.0.2 goes out through 192.168.1.1.

Should I use IP 192.168.1.1 in place of 10.0.0.2 in the access-list command? Then what will happen when R1's interface s0/0/0 does not have a static IP and I configure NAT on R1 with the nat inside source list 10 interface s0/0/0 overload command?

If you're using NAT, you'll need to deny the outside address of R1, so your ACL will look like:

1. access-list 1 deny host 192.168.1.1
2. access-list 1 permit any

HTH,

John

HTH, John *** Please rate all useful posts ***

Thanks Blakley.

I agree with you, but if s0/0/0 (R1) has a dynamic IP, then what will we do?

If the address changes, your ACL won't match and it's going to allow the traffic, like you're seeing. The only other thing you could do is strictly permit the addresses that you want, or, if you know the block that the site could possibly get, block the whole block and not just your one host.

Let's say that they have a block of 128 addresses. You could do something like:

access-list 1 deny 5.5.5.0 0.0.0.127
access-list 1 permit any

The above would deny addresses 5.5.5.1 - 5.5.5.126. If you know that your router will fall in this range, then you should be ok.

HTH, John *** Please rate all useful posts ***

Hi,

R1 is source NAT-ing all the packets from the host (10.0.0.2) except TCP/23 (telnet). This means that the telnet packets will get to R2 with the original source IP, and you can apply the access-list with deny host IP.

====== R1

int f1/0
 ip nat inside
int s0/0
 ip nat outside
ip access-l ex PAT
 deny tcp host 10.0.0.2 any eq 23
 permit ip host 10.0.0.2 any
ip nat inside source list PAT fa1/0 over

======= R2

ip access-l ex VTY
 deny host 10.0.0.2
 permit any
line vty 0 4
 access-class VTY in

Dan

Dan,

That's a good way of doing it.

John

HTH, John *** Please rate all useful posts ***

Hey Dan,

Please share the R1 and R2 configuration. You said to deny host 10.0.0.2 on R2. Which services should I deny there?

I've posted the R2 configuration in my previous post:

ip access-l ex VTY
 deny host 10.0.0.2
 permit any
line vty 0 4
 access-class VTY in

I ran this configuration on my router, but the deny host 10.0.0.2 command gives an error.

Yes, the issue is that I created an extended access-list. Use a standard one instead:

no ip access-l ex VTY
ip access-l stan VTY
 deny host 10.0.0.2
 permit any
line vty 0 4
 access-class VTY in

Dan

In R1's configuration you used the command ip nat inside source list PAT fa1/0 over. I am confused why you used fa1/0 in this command, because this interface is in the local inside area according to the picture.

Hi ,

You are right, the interface should be the outside interface, in this case s0/0. I wrote the config fast.

Dan

It's OK, Dan. I have another doubt: I think when we apply deny tcp host 10.0.0.2 any eq 23 and permit ip host 10.0.0.2 any on R1, this router will not forward telnet packets outside through NAT (am I right?). So why do we need R2's configuration (as you showed)?

No, not quite.

The deny statement is in the PAT access-list.

The PAT access-list is used to match the traffic that will be source NATed with R1's outside interface address.

This means that the traffic from 10.0.0.2 whose destination protocol is telnet will not be source NATed.

This means that this telnet traffic will only be switched from interface F0/1 to S0/0 without any change in the IP header. This is why you can restrict access on the R2 vtys based on the 10.0.0.2 address.

I hope I cleared some things.

Dan
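The following Python simulation is an added example, not code from the thread or from any Cisco device; it models the whole discussion in one place: John's point that an access-class keyed on R1's outside address breaks when that address changes (and his wildcard-mask block variant), and Dan's point that a deny entry in the NAT list means "do not translate", so telnet from 10.0.0.2 reaches R2 untranslated and can be matched there. The addresses 10.0.0.2 and 192.168.1.1 come from the thread; R2's address, the contents of the original poster's NAT list 10, and the 5.5.5.0/25 block are assumed or constructed.

```python
"""Constructed simulation of PAT on R1 plus an access-class on R2's vty lines."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

R2_ADDR = "192.168.1.2"   # assumed; the thread never states R2's own address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "ip" style protocol name
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', only the 0 bits are compared."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# An ACL is an ordered list of (action, proto, src_base, src_wildcard, dst_port).
# proto "ip" and dst_port None mean "any protocol" / "any port", as in a standard ACL.
ANY = ("0.0.0.0", "255.255.255.255")


def acl_lookup(acl, pkt: Packet) -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, proto, base, wc, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, base, wc):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


def r1_forward(pkt: Packet, nat_list, outside_addr: str) -> Packet:
    """Return the packet as R2 sees it after 'ip nat inside source list ... interface ... overload'.
    Only packets the NAT list permits are translated; a deny in the NAT list means
    'do not translate' (the packet is still forwarded, with its original source)."""
    if acl_lookup(nat_list, pkt) == "permit":
        return replace(pkt, src=outside_addr)
    return pkt


def r2_vty_decision(pkt: Packet, vty_acl) -> str:
    """'access-class <vty_acl> in' is evaluated against the telnet packet's source."""
    return acl_lookup(vty_acl, pkt)


def telnet_outcome(nat_list, vty_acl, outside_addr: str) -> str:
    """End to end: qemu1 (10.0.0.2) telnets to R2 through R1."""
    pkt = Packet(src="10.0.0.2", dst=R2_ADDR, proto="tcp", dport=23)
    return r2_vty_decision(r1_forward(pkt, nat_list, outside_addr), vty_acl)


# 1. Original poster's setup (NAT list 10 assumed to translate the whole inside subnet).
NAT_ALL = [("permit", "ip", "10.0.0.0", "0.0.0.255", None)]
VTY_DENY_INSIDE = [("deny", "ip", "10.0.0.2", "0.0.0.0", None), ("permit", "ip", *ANY, None)]

# 2. John's first suggestion: deny R1's outside address on R2.
VTY_DENY_R1 = [("deny", "ip", "192.168.1.1", "0.0.0.0", None), ("permit", "ip", *ANY, None)]

# 3. John's block variant: deny a whole 128-address block (constructed 5.5.5.0 0.0.0.127).
VTY_DENY_BLOCK = [("deny", "ip", "5.5.5.0", "0.0.0.127", None), ("permit", "ip", *ANY, None)]

# 4. Dan's approach: exempt telnet from 10.0.0.2 from PAT so R2 sees the real source.
NAT_PAT = [("deny", "tcp", "10.0.0.2", "0.0.0.0", 23),
           ("permit", "ip", "10.0.0.2", "0.0.0.0", None)]

if __name__ == "__main__":
    print("1. PAT all, deny 10.0.0.2 on R2   :", telnet_outcome(NAT_ALL, VTY_DENY_INSIDE, "192.168.1.1"))
    print("2. deny 192.168.1.1, static outside:", telnet_outcome(NAT_ALL, VTY_DENY_R1, "192.168.1.1"))
    print("2. deny 192.168.1.1, outside moved :", telnet_outcome(NAT_ALL, VTY_DENY_R1, "192.168.1.77"))
    print("3. deny block, outside 5.5.5.100   :", telnet_outcome(NAT_ALL, VTY_DENY_BLOCK, "5.5.5.100"))
    print("4. telnet exempt from PAT          :", telnet_outcome(NAT_PAT, VTY_DENY_INSIDE, "192.168.1.1"))
```

Case 1 reproduces the first post: after PAT the source is 192.168.1.1, so a deny on 10.0.0.2 never matches. Case 2 shows why a deny on R1's outside address only holds while that address is static. Case 4 is Dan's design: the deny in the NAT list is a translation decision, not a filter, so other traffic from 10.0.0.2 (for example TCP/80) is still translated while telnet arrives at R2 with source 10.0.0.2 and is stopped by the access-class.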
