Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

I need to telent to a server inside the FW.

I have a 1720 running 12.1(5) ip/fw ipsec and am overloading nat to the outside interface. I have a vendor on the outside that needs to be able to telnet to a server on private address space 172.16.0.0. Do I need to use a static NAT trans to this server? Is there someway to forward this telenet request to the server? Not sure how to handle this.

4 REPLIES
Cisco Employee

Re: I need to telent to a server inside the FW.

YES..you need to use the static NAT mapping (actually its static PAT too) Lets say the outside ip address is 1.1.1.1 and inside network is 172.16.0.0 ( .1 to .4) then in order to telnet from outside to inside privet ip address, the PC which is on the internet has fo fire request for telnet not on the port 23 for 1.1.1.1 but on different ports statically. That ports are mapped to the port 23 on the inside ip addresses..like this

ip nat inside source static tcp 172.16.0.1 23 1.1.1.1 1023 extendable

ip nat inside source static tcp 172.16.0.2 23 1.1.1.1 2023 extendable

so forth

So if the router see the request for tcp port 1023 on ip address 1.1.1.1 (outside), it will conver that to port 23 on inside ip address 172.16.0.1.

But for that client side has to initiate the telnet request for port 1023 on ip 1.1.1.1 to get to 172.16.0.1..

Hope this helps.

New Member

Re: I need to telent to a server inside the FW.

You could do this in one of two ways. Staticly map the internal ip to an external ip and add telnet to your access list. Or you can port map tcp25 to the outside interface and map it to the internal host, but this will make it so you cannot telnet to the router. The static nat would be the best solution

New Member

Re: I need to telent to a server inside the FW.

Both of the posted solutions are good, but if the vendor was going to do this on a prolonged or regular basis, and since your IOS supports it, I would recommend a VPN solution. You can restrict what he is allowed to do and encrypt the traffic.

New Member

Re: I need to telent to a server inside the FW.

yes..pptp or ipsec would be good but if the host that is telnetting is win2k or xp then you are limited to pptp. good luck

107
Views
0
Helpful
4
Replies