01-14-2003 11:07 PM - edited 03-09-2019 01:41 AM
Hi all!
      e0/0                          e0/1
--------------- Cisco Router -------------
  2.0.0.0/30 (.1)               192.168.1.0
ip nat inside source list 101 int e0/0 overload
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
int e0/0
ip nat outside
int e0/1
ip nat inside
I.e. do *no* NAT for OurLAN (192.168.1.0) to OtherLANs (192.168.0.0), as an IPSec
tunnel is used between the sites, and do NAT to the Internet.
After that I can't get to the router's e0/0 (2.0.0.1) from 2.0.0.x via telnet. The packet gets
to the telnet server OK, but the response is NATed (2.0.0.1:23 -> 2.0.0.1:1) /* yes,
port 1! */ The telnet client sends RST and reconnects.
The questions are: why is "ip nat inside" ignored??? (The response packet
comes from the *router itself*, rather than from the inside network. Why is the packet
NATed??? What does "ip nat inside" really do???)
Thanks,
Oleg Tipisov,
REDCENTER,
Moscow
01-15-2003 06:43 PM
I just set this up in the lab and it worked fine, plus I've done it for many customers and it has always worked. Are you saying that as soon as you put "ip nat outside" on e0/0 you can no longer telnet to that interface? If you take the command out, telnet starts working again?
What version of code are you running on this router? Can you send the full config? Make sure to x.x.x.x out any public IP addresses.
01-16-2003 03:06 AM
It seems that NAT is processing packets which cross the router from inside to
outside *and* locally generated packets that *match the ACL*. It doesn't matter
whether "ip nat inside" is present or not.
I have no idea whether this is a bug or a feature.
If I rewrite the ACL:
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
everything is ok and I can telnet to the outside interface.
Oleg Tipisov,
REDCENTER,
Moscow
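To make the difference between the two ACLs concrete, here is an added Python model of the first-match evaluation that "ip nat inside source list" performs against its ACL; it is not code from this thread or from Cisco. It assumes the observation from the post above (locally generated packets that the ACL permits are translated just like transit packets), implements Cisco wildcard-mask semantics and the implicit deny at the end of every ACL, and only understands extended "ip" entries without ports. The flows, including the telnet client address 2.0.0.2 and the Internet address 203.0.113.5 (RFC 5737 documentation range), are constructed samples.

```python
import ipaddress

# Constructed copies of the two ACLs from the thread (original and rewritten).
ORIGINAL_ACL = [
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "access-list 101 permit ip any any",
]
REWRITTEN_ACL = [
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host X', or 'X WILDCARD') from tokens."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str):
    """Parse 'access-list N {permit|deny} ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {line}")
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line}")
    return action, src, dst


def would_translate(acl, src: str, dst: str) -> bool:
    """First-match evaluation with the implicit deny at the end of the ACL.

    'permit' means the packet is eligible for translation; 'deny' (explicit
    or implicit) means it is forwarded untranslated. Assumed here, following
    the post above: the router's own packets are evaluated the same way.
    """
    for line in acl:
        action, (snet, swc), (dnet, dwc) = parse_ace(line)
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False


if __name__ == "__main__":
    # Constructed sample flows: LAN host to the other site, LAN host to an
    # Internet address, and the router's own telnet reply from e0/0 (2.0.0.1)
    # back to a client on 2.0.0.0/30.
    flows = [
        ("LAN -> other site", "192.168.1.10", "192.168.5.7"),
        ("LAN -> Internet", "192.168.1.10", "203.0.113.5"),
        ("router telnet reply", "2.0.0.1", "2.0.0.2"),
    ]
    for label, s, d in flows:
        orig = "NAT" if would_translate(ORIGINAL_ACL, s, d) else "no NAT"
        new = "NAT" if would_translate(REWRITTEN_ACL, s, d) else "no NAT"
        print(f"{label:20} {s:>13} -> {d:<13} original: {orig:7} rewritten: {new}")
```

Running it shows the two ACLs agree for both LAN-originated flows but differ for the router's own reply: "permit ip any any" matches the 2.0.0.1 -> 2.0.0.2 response and marks it for translation, while the rewritten ACL never matches a 2.0.0.x source and falls through to the implicit deny, so the reply leaves untranslated. Restricting the permit line to the inside source range is therefore the safer way to write an overload NAT ACL.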