06-29-2007 08:42 PM - edited 03-09-2019 06:18 PM
Hi Sir,
After I configured NAT overload as follows:
!
int f 0/0
desc *** Inside Interface - Private Address ***
ip address 10.10.10.1 255.255.255.0
ip nat inside
!
int s 0/0
desc *** Outside Interface - Public Address ***
ip address 1.1.1.1 255.255.255.252
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
ip nat inside source list 100 interface s0/0 overload
!
No external host can telnet to its IP address 1.1.1.1. It seems like the router changes the destination TCP port to some other port numbers. Is this normal behavior of NAT overload?
To work around the issue, I added the following static nat command:
!
ip nat inside source static tcp 1.1.1.1 23 interface s0/0 23
!
It seems to work, i.e. the router PATs internal source addresses to 1.1.1.1 like usual, and external hosts can now telnet to IP address 1.1.1.1.
Can anyone verify this is the correct workaround?
Thank you.
B.Rgds,
Lim TS
07-02-2007 01:39 AM
Hi Lim
Yes, you have configured it correctly. When you do NAT overload outgoing for inside addresses, if you want to access internal services (or, in your case, the router interface) from outside hosts, you need a port translation set up.
Jon
08-02-2007 07:07 AM
I'm having the same problem (cannot connect through telnet nor SSH) and found this thread, but the line confuses me a little:
ip nat inside source static tcp 1.1.1.1 23 interface s0/0 23
1.1.1.1 is the internal or external IP of the router?
My current line is:
ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23
Should I change it to:
ip nat inside source static tcp Dialer0 23 Dialer0 23
Sorry, I'm at the office and the router is at home, I can't grab a full configuration atm. I don't currently have other access lists outside of the:
access-list 1 permit 192.168.1.0 0.0.0.255
08-02-2007 04:10 PM
Use a loopback address. Then do the static nat overload command for it, such as:
ip nat inside source static tcp
Then from the outside you will be able to telnet and it is somewhat more secure too.
08-02-2007 06:51 PM
Hi,
In my example scenario, the router is connected to a fixed-IP ADSL line. I should have used interface Fas0/1 for the outside interface in my illustration, instead of int S0/0.
Anyway, the ISP assigns only one public IP address to my router, i.e. 1.1.1.1/30.
Your method uses the loopback IP as the inside local IP address in the static nat statement. I suppose your loopback IP should be private address.
My method uses the public IP itself as the inside local IP address in the static nat statement. Can you kindly explain why your way is somewhat more secure? I am somehow not able to figure it out.
Secondly, the "overload" keyword is not available at the end of the command.
I do have a private loopback IP address on the router because I'm configuring DMVPN.
Thank you.
B.Rgds,
Lim TS
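The loopback variant suggested in this thread, written out as an added example (not taken from any post above). It assumes Dialer0 is the outside interface, Loopback0 carries a private /32 used only as the NAT inside-local address for management, the router is reached over SSH (port 22) rather than telnet, and 203.0.113.0/24 is a placeholder for the administrator's source network.

```cisco
! Added example, not from any post in this thread.
! Assumptions: Dialer0 is the outside interface with the single public
! address, Loopback0 holds a private /32 used only as the inside-local
! address for the router's own management service, and 203.0.113.0/24 is
! a placeholder for the network administrators connect from.
!
interface Loopback0
 description *** NAT inside-local address for router management ***
 ip address 10.255.255.1 255.255.255.255
 ip nat inside
!
interface FastEthernet0/0
 description *** Inside Interface - Private Address ***
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 description *** Outside Interface - Public Address ***
 ip nat outside
!
! Dynamic PAT for the LAN, as in the thread
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Static PAT: <public address>:22 -> Loopback0:22
! The "overload" keyword is not accepted on this form of the command,
! as noted in the thread; the inside-local address is the loopback,
! not the outside interface address.
ip nat inside source static tcp 10.255.255.1 22 interface Dialer0 22
!
! Limit which sources may reach the VTY lines, and accept only SSH there
access-list 10 remark *** management sources (placeholder network) ***
access-list 10 permit 203.0.113.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
!
! Check that the static entry is present:
!   show ip nat translations | include :22
```

Because the loopback address never appears on the LAN, an inbound connection that matches the static entry can only land on the management service the entry names, which is what the earlier reply meant by "somewhat more secure".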