Telnet issues with NAT

mukundh86 · ‎02-22-2012

I have a Cisco 2650 with a simple config as follows:

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname MaVI_Test

!

boot-start-marker

boot-end-marker

!

no network-clock-participate slot 1

no network-clock-participate wic 0

no aaa new-model

ip subnet-zero

ip cef

!

ip audit po max-events 100

!

interface FastEthernet0/0

ip address 192.168.50.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface Serial0/0

no ip address

shutdown

no fair-queue

!

interface FastEthernet1/0

ip address 1.1.1.2 255.255.255.248

ip nat outside

duplex auto

speed auto

!

ip nat inside source route-map internet interface FastEthernet1/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 1.1.1.1

!

ip http server

no ip http secure-server

!

ip access-list extended internet

permit ip any any

!

route-map internet permit 10

match ip address internet

!

line con 0

exec-timeout 0 0

line aux 0

line vty 0 4

password vinakom

login

!

end

With this config, I cannot telnet to 1.1.1.2 from outside. But when I change the access-list internet as follows:

ip access-list extended internet

no permit ip any any

permit ip 192.168.50.0 0.0.0.255 any

telnet to 1.1.1.2 works. Any reason of this behaviour. I guess it is related to NAT but cant figure out how.

Thanks

Mukundh

Reza Sharifi · ‎02-22-2012

Hi,

That is the correct behavior. You should always use specific address prefix and the correct mask

(in this case 92.168.50.0 0.0.0.255) and not any any.

For more info refere to this doc:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml

HTH

mukundh86 · ‎02-22-2012

Hi Reza,

I actually saw this doc. Can you point me in this doc where there is an explanation as to why the specific address prefix should be used. I was unable to find it.

Mukundh

Reza Sharifi · ‎02-22-2012

Hi,

It is long Q&A

here is that section:

Q. Can a single NAT-enabled router allow some users to use NAT and other users on the same Ethernet interface to continue to use their own IP addresses?

A. Yes. This can be accomplished through the use of an access list describing the set of hosts or networks that require NAT. All sessions on the same host will be either translated or will pass through the router and not be translated.
Access lists, extended access lists, and route maps can be used to define rules by which IP devices get translated. The network address and appropriate subnet mask should always be specified. The keyword any should not be used in place of the network...NAT FAQ, Best Practices and Deployment Guide for more detail). With Static NAT configuration, when packet doesn’t matched with any STATIC rule configuration, packet will be sent through without any translation.

HTH