New Member

Telnet With NAT

Hello,

As shown in the picture I attached, I configured NAT on R1. Now I want to deny telnet on R2 for qemu1. How can I do that?

16 REPLIES
New Member

Telnet With NAT

I run these commands:

1. access-list 1 deny 10.0.0.2 0.0.0.0
2. access-list 1 permit any
3. line vty 0 4
4. access-class 1 in

But telnet remains permitted on R2, because IP 10.0.0.2 doesn't go outside; the request from 10.0.0.2 goes out through 192.168.1.1.

Should I use IP 192.168.1.1 in place of 10.0.0.2 in the access-list command? Then what will happen when R1's interface s0/0/0 does not have a static IP and I configure NAT on R1 with the nat inside source list 10 interface s0/0/0 overload command?

Telnet With NAT

If you're using nat, you'll need to deny the outside address of R1, so your acl will look like:

1. access-list 1 deny host 192.168.1.1

2. access-list 1 permit any

HTH,

John

New Member

Telnet With NAT

Thanks Blakley.

I agree with you, but if s0/0/0 (R1) has a dynamic IP then what will we do?

Telnet With NAT

If the address changes, your acl won't match up and it's going to allow the traffic like you're seeing. The only other thing that you could do is strictly permit the addresses that you want, or if you know the block that the site could possibly get then block it by the whole block and not just your one host.

Let's say that they have a block of 128 addresses. You could do something like:

access-list 1 deny 5.5.5.0 0.0.0.127

access-list 1 permit any

The above would deny addresses 5.5.5.1 - 5.5.5.126. If you know that your router will fall in this range, then you should be ok.

HTH, John *** Please rate all useful posts ***

Telnet With NAT

Hi,

R1 is source NAT-ing all the packets from the host (10.0.0.2), except TCP/23 (telnet). This means that the telnet packets will get to R2 with the original source IP and you can apply the access-list with deny host IP.

====== R1

int f1/0
 ip nat inside
int s0/0
 ip nat outside
ip access-l ex PAT
 deny tcp host 10.0.0.2 any eq 23
 permit ip host 10.0.0.2 any
ip nat inside source list PAT fa1/0 over

====== R2

ip access-l ex VTY
 deny host 10.0.0.2
 permit any
line vty 0 4
 access-class VTY in

Dan

Telnet With NAT

Dan,

That's a good way of doing it

John

HTH, John *** Please rate all useful posts ***
New Member

Telnet With NAT

Hey Dan,

Please share the R1 and R2 configuration. You said to use deny host 10.0.0.2 on R2. Which services should I deny there?

Telnet With NAT

I've posted the R2 configuration in my previous post:

ip access-l ex VTY
 deny host 10.0.0.2
 permit any
line vty 0 4
 access-class VTY in

New Member

Telnet With NAT

I ran this configuration on my router, but the deny host 10.0.0.2 command gives an error.

Telnet With NAT

Yes, the issue is that I created an extended access-list:

no ip access-l ex VTY
ip access-l stan VTY
 deny host 10.0.0.2
 permit any
line vty 0 4
 access-class VTY in

Dan

New Member

Telnet With NAT

In R1's configuration you used the command ip nat inside source list PAT fa1/0 over. I am confused why you used fa1/0 in this command, because this interface is in the local inside area according to the picture.

Telnet With NAT

Hi,

You are right, the interface should be the outside interface, in this case s0/0. I wrote the config fast.

Dan

New Member

Telnet With NAT

It's OK Dan. I have another doubt. I think that when we apply the deny tcp host 10.0.0.2 any eq 23 and permit ip host 10.0.0.2 any commands on R1, this router will not forward telnet packets outside through NAT (am I right?). So why do we need R2's configuration (as you showed)?

Telnet With NAT

No, not quite.

The deny statement is in the PAT access-list.

The PAT access-list is used to match the traffic that will be source NATed to R1's outside interface.

This means that the traffic from 10.0.0.2 whose destination protocol is telnet will not be source NATed.

This means that this telnet traffic will only be switched from interface F0/1 to S0/0 without any change in the IP header. This is why you can restrict the access on the R2 vtys based on the 10.0.0.2 address.

I hope I cleared some things.

Dan
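An added example (not from this thread, and not IOS code) that models the two decisions the thread turns on: John's wildcard-mask matching above, and Dan's point that a deny in the NAT list means "do not translate", so telnet from 10.0.0.2 reaches R2 untranslated and a standard VTY access-class can deny it. Addresses 10.0.0.2 and 192.168.1.1 are the thread's; the ACL entry layout is an assumption of this model.

```python
import ipaddress

R1_OUTSIDE = "192.168.1.1"   # R1's outside interface address (from the thread)
TELNET = 23

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def acl_lookup(acl, src, proto="ip", dport=None):
    """Walk an ACL top-down. Entries are (action, proto, net, wildcard, dport);
    a standard ACL just uses proto 'ip' and dport None. The fall-through is
    the implicit 'deny' that ends every IOS access-list."""
    for action, a_proto, net, wild, a_dport in acl:
        if a_proto != "ip" and a_proto != proto:
            continue
        if a_dport is not None and a_dport != dport:
            continue
        if wildcard_match(src, net, wild):
            return action
    return "deny"

# R1's NAT lists. In a NAT list, 'deny' means 'do not translate', not 'drop'.
NAT_ALL = [("permit", "ip", "10.0.0.2", "0.0.0.0", None)]          # OP's setup
NAT_PAT = [("deny", "tcp", "10.0.0.2", "0.0.0.0", TELNET),          # Dan's exemption
           ("permit", "ip", "10.0.0.2", "0.0.0.0", None)]
# R2's VTY access-class: standard ACL 'deny host 10.0.0.2' / 'permit any'.
VTY = [("deny", "ip", "10.0.0.2", "0.0.0.0", None),
       ("permit", "ip", "0.0.0.0", "255.255.255.255", None)]

def r1_forward(nat_acl, src, proto, dport):
    """Source NAT/PAT on R1: only packets the NAT list permits get translated."""
    if acl_lookup(nat_acl, src, proto, dport) == "permit":
        return R1_OUTSIDE
    return src

def telnet_to_r2_allowed(nat_acl, src="10.0.0.2"):
    """Source address R2 sees after R1, and R2's access-class verdict on it."""
    seen_src = r1_forward(nat_acl, src, "tcp", TELNET)
    return seen_src, acl_lookup(VTY, seen_src) == "permit"

if __name__ == "__main__":
    print(telnet_to_r2_allowed(NAT_ALL))   # ('192.168.1.1', True): the OP's problem
    print(telnet_to_r2_allowed(NAT_PAT))   # ('10.0.0.2', False): Dan's fix
    print(r1_forward(NAT_PAT, "10.0.0.2", "tcp", 80))   # 192.168.1.1, still PATed
    print(wildcard_match("5.5.5.100", "5.5.5.0", "0.0.0.127"))   # True (John's block)
```

The first call reproduces the OP's symptom: with everything translated, R2 only ever sees 192.168.1.1, so a VTY ACL that denies 10.0.0.2 never matches.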

New Member

Telnet With NAT

I configured only R1 according to your configuration and did nothing on R2. But it's working properly.

Telnet With NAT

Yes. Because you already have an access-list that denies 10.0.0.2, and applied it on the VTY.

Your older post:

"
I run these commands:
1. access-list 1 deny 10.0.0.2 0.0.0.0
2. access-list 1 permit any
3. line vty 0 4
4. access-class 1 in
"

Dan
