I have a 1720 running 12.1(5) ip/fw ipsec and am overloading nat to the outside interface. I have a vendor on the outside that needs to be able to telnet to a server on private address space 172.16.0.0. Do I need to use a static NAT trans to this server? Is there someway to forward this telenet request to the server? Not sure how to handle this.
YES..you need to use the static NAT mapping (actually its static PAT too) Lets say the outside ip address is 188.8.131.52 and inside network is 172.16.0.0 ( .1 to .4) then in order to telnet from outside to inside privet ip address, the PC which is on the internet has fo fire request for telnet not on the port 23 for 184.108.40.206 but on different ports statically. That ports are mapped to the port 23 on the inside ip addresses..like this
You could do this in one of two ways. Staticly map the internal ip to an external ip and add telnet to your access list. Or you can port map tcp25 to the outside interface and map it to the internal host, but this will make it so you cannot telnet to the router. The static nat would be the best solution
Both of the posted solutions are good, but if the vendor was going to do this on a prolonged or regular basis, and since your IOS supports it, I would recommend a VPN solution. You can restrict what he is allowed to do and encrypt the traffic.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...