11-20-2012 06:27 AM - edited 03-04-2019 06:11 PM
So I have my router that's connected to the outside world (internet), and it's also connected to my company.
I want to create a NAT rule that basically says: when I go to my company, don't NAT, but when I go on the internet, NAT.
Now I do this with this statement:
! PAT all traffic matched by ACL 110 behind the FastEthernet4 address
ip nat inside source list 110 interface FastEthernet4 overload
! 10.181.20.80/29 to 10.0.0.0/8 (the office, over the tunnel): not translated
access-list 110 deny ip 10.181.20.80 0.0.0.7 10.0.0.0 0.255.255.255
! 10.181.20.80/29 to everything else (the internet): translated
access-list 110 permit ip 10.181.20.80 0.0.0.7 any
I want to do the same thing, but this time with this rule:
! port forward: outside TCP/2222 on FastEthernet4 -> 10.181.20.84 TCP/22
ip nat inside source static tcp 10.181.20.84 22 interface FastEthernet4 2222
This rule doesn't work from the company to my router, but it works from the internet to my router...
I just can't find a way to change this ip nat rule and use my same 110 ACL.
Basically, with this last rule, when I try to connect to my router from the company, it tries to NAT it back to the IP of the router interface... It should not NAT when I go from the company, but NAT when I connect from the outside internet.
Ideas? Thanks.
11-20-2012 06:39 AM
You wouldn't be able to SSH to port 2222 from the inside because the service is actually listening on port 22. From the inside, you'd need to SSH to port 22, and from the outside SSH to 2222. NATting doesn't occur until you cross from the inside NAT interface to the outside NAT interface, so in general you shouldn't need a "deny" NAT rule unless you're using this over a VPN.
HTH,
John
11-20-2012 06:43 AM
I am using it over a VPN.
So from outside on the internet I hit my router on 2222; this takes me to my Linux box on port 22. It's NATted and all works well.
Now from the company / site-to-site VPN I try to SSH to port 22 directly on the Linux box and it doesn't work, and I'm 99.9% sure it's because of that NAT in my first email... I need to somehow change this so it NATs to the internet but does not NAT to the site-to-site VPN tunnel.
11-20-2012 07:08 AM
Okay, are you trying to SSH from the other side of the VPN? For example:
you ---> router <-----> vpn <-----> router (nat) ----> device running ssh?
11-20-2012 07:32 AM
From work to my home router to my Linux box, it doesn't work.
From the internet to my router to my Linux box, it works.
This is the NAT statement that takes me to the Linux box:
! port forward: outside TCP/2222 on FastEthernet4 -> 10.181.20.84 TCP/22
ip nat inside source static tcp 10.181.20.84 22 interface FastEthernet4 2222
This NAT is on my 881 router in my house.
This says that anything hitting the outside interface on port 2222 will take me to my Linux machine behind the router on port 22.
The problem is that when I come from the work network, which is on 10.0.0.0/8, it doesn't work. There is a site-to-site VPN between the office and my house.
So all I need to know is if there is a way to write that NAT statement so that I can say NAT only to the internet but not to the office, just like this one:
ip nat inside source list 110 interface FastEthernet4 overload
! office traffic over the tunnel is excluded from PAT
access-list 110 deny ip 10.181.20.80 0.0.0.7 10.0.0.0 0.255.255.255
! everything else (the internet) is PATted
access-list 110 permit ip 10.181.20.80 0.0.0.7 any
This works perfectly, but not my other NAT statement.
11-20-2012 09:30 AM
I labbed this up and I see what you're seeing. The problem is that the SSH session on port 22 is allowed over the tunnel, but when debugging NAT, the router is redirecting all traffic to port 2222. I was able to get around this with the following:
! rotary pool containing only the Linux box as the inside local address
ip nat pool SSH 10.181.20.84 10.181.20.84 prefix 24 type rotary
! destination NAT: sessions matched by ACL 105 are sent to the pool
ip nat inside destination list 105 pool SSH
! match any TCP session to destination port 22
access-list 105 permit tcp any any eq 22
Give this a shot and let me know...
HTH,
John
**** Please rate useful posts ****
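The thread turns on which traffic each ACL actually matches: ACL 110 carves the office 10.0.0.0/8 out of the PAT rule, while the rotary pool's ACL 105 is keyed on the destination port. The script below is an added example, not code from the thread or from Cisco; it parses the three access-list lines quoted above, evaluates them with IOS first-match semantics and the implicit deny at the end, and checks a few constructed flows (the office host 10.5.5.5, the internet addresses 203.0.113.10 and 198.51.100.7, and 10.181.20.90 outside the /29 are made-up test values). It is a way to sanity-check wildcard-mask ACLs offline before pasting them into a router; it does not model the NAT engine itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ACL lines exactly as posted in the thread (IOS numbered extended ACLs).
ACL_LINES = [
    "access-list 110 deny ip 10.181.20.80 0.0.0.7 10.0.0.0 0.255.255.255",
    "access-list 110 permit ip 10.181.20.80 0.0.0.7 any",
    "access-list 105 permit tcp any any eq 22",
]

AddrWc = Tuple[int, int]  # (address, wildcard) as 32-bit integers


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", ...
    src: AddrWc
    dst: AddrWc
    dst_port: Optional[int]  # only set when the ACE carries "eq <port>"


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_addr(tok: List[str], i: int) -> Tuple[AddrWc, int]:
    """Parse one address spec (any | host A | A WC) starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def parse_acls(lines: List[str]) -> Dict[str, List[Ace]]:
    """Group 'access-list <n> <action> <proto> <src> <dst> [eq <port>]' by number."""
    acls: Dict[str, List[Ace]] = {}
    for line in lines:
        tok = line.split()
        num, action, proto = tok[1], tok[2], tok[3]
        src, i = parse_addr(tok, 4)
        dst, i = parse_addr(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        acls.setdefault(num, []).append(Ace(action, proto, src, dst, port))
    return acls


def wc_match(spec: AddrWc, ip: int) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (addr & care) == (ip & care)


def acl_permits(acl: List[Ace], proto: str, src: str, dst: str,
                dst_port: Optional[int] = None) -> bool:
    """First matching ACE decides; no match falls through to the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (wc_match(ace.src, s) and wc_match(ace.dst, d)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action == "permit"
    return False


def overload_translates(acls: Dict[str, List[Ace]], src: str, dst: str, port: int) -> bool:
    """Does 'ip nat inside source list 110 ... overload' translate this flow?"""
    return acl_permits(acls["110"], "tcp", src, dst, port)


def rotary_matches(acls: Dict[str, List[Ace]], src: str, dst: str, port: int) -> bool:
    """Does the rotary pool's ACL 105 match an inbound session to this port?"""
    return acl_permits(acls["105"], "tcp", src, dst, port)


if __name__ == "__main__":
    acls = parse_acls(ACL_LINES)
    box = "10.181.20.84"
    for dst, port in [("10.5.5.5", 22), ("203.0.113.10", 443)]:
        print(f"{box} -> {dst}:{port}  PAT={overload_translates(acls, box, dst, port)}")
    for port in (22, 2222):
        print(f"inbound to {box}:{port}  ACL105={rotary_matches(acls, '198.51.100.7', box, port)}")
```

The two results a practitioner should notice: the office flow (10.181.20.84 to 10.5.5.5) is denied by ACL 110 and so left untranslated, exactly as the poster intended, and ACL 105 as written matches destination port 22 only, so it is worth confirming on the router which port external users are expected to connect to once the rotary pool is in place.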