Cisco Support Community

New Member

SSH not working with dynamic nat

A UNIX machine allows only SSH connections. To reach this server we need to source NAT. If we do static NAT, then we are able to SSH into the UNIX server. But if we use dynamic NAT, then we are not able to SSH to the same server. Please suggest!!

3 REPLIES

Re: SSH not working with dynamic nat

Hi

What do you mean by dynamic NAT here? Is it done with an IP pool, or simple PAT?

Either way, you need to have the public IP bound to the UNIX server's local IP; otherwise you won't be able to SSH onto the server.

Regards

Gold

Re: SSH not working with dynamic nat

Please excuse me for misunderstanding. I believe the UNIX box is behind a PIX and you were trying to access it from the outside via SSH. If so, NAT or port forwarding is required, and it depends on the number of public IPs you've got.

With one public IP,

static (inside,outside) tcp interface 22 22 netmask 255.255.255.255

access-list inbound permit tcp any interface outside eq 22

access-group inbound in interface outside

With multiple public IPs,

static (inside,outside) netmask 255.255.255.255

access-list inbound permit tcp any eq 22

access-group inbound in interface outside

The catch with port forwarding (i.e. the config with only one public IP) is that you won't be able to SSH to the PIX anymore, as all traffic destined for the PIX public interface with port 22 will be forwarded to the UNIX box.

New Member

Re: SSH not working with dynamic nat

I have been trying this in a test lab. I am using a router.

The UNIX server is behind interface e1, and all the clients are on interface e 0.

Following is the configuration that doesn't work for SSH only.

interface e 0

ip address 10.10.10.254 255.255.255.0

ip nat inside

interface e 1

ip address 172.16.130.1 255.255.255.0

ip nat outside

ip nat inside source list 1 pool test

ip nat pool test 172.16.131.2 172.16.131.200 netmask 255.255.255.0

access-list 1 permit 10.10.10.0 0.0.0.255

The following NAT configuration works for SSH:

interface e 0

ip address 10.10.10.254 255.255.255.0

ip nat inside

interface e 1

ip address 172.16.130.1 255.255.255.0

ip nat outside

ip nat inside source static 10.10.10.1 172.16.131.2

I have to do this statically for all the inside IPs.

Also, I am not specifically concerned with SSH traffic, as I have to do it for all the traffic. But for some reason only SSH doesn't work.
