https://community.cisco.com/t5/network-security/nat-on-a-stick-disabling-ssh/m-p/2954789#M148754 <P>Yes, from the local network I can still ping the interface after enabling <SPAN style="text-decoration: underline;">nat outside</SPAN> on it but ports 22/23 instantly close</P> Sun, 06 Nov 2016 23:43:10 GMT gpettydpmg 2016-11-06T23:43:10Z https://community.cisco.com/t5/network-security/nat-on-a-stick-disabling-ssh/m-p/2954787#M148752 <P>I've got a standard single interface router hosting a number of ipsec tunnels.&nbsp; I'm attempting to add a loopback interface and enable nat outside on the physical interface.&nbsp; The second I enable ip nat outside I lose ssh and telnet access from both inside and outside.&nbsp; This being a azure csr router I have no console access to it and have to reboot it each time to get it back.</P> <P></P> <P>Is there some reason nat outside is blocking access?&nbsp; I intend on using route maps to nat some specific tunnel traffic but simply enabling nat kicks me off entirely.</P> <P></P> <P>interface Loopback1<BR />&nbsp;ip address 11.1.1.1 255.255.255.255<BR />&nbsp;ip nat inside<BR /><BR />!<BR />interface FastEthernet0/0<BR />&nbsp;ip address 172.31.3.4 255.255.255.0<BR />&nbsp;ip nat outside<BR />&nbsp;duplex auto<BR />&nbsp;speed auto<BR />&nbsp;crypto map clientvpn<BR />!<BR /><BR /><BR />ip nat inside source list NAT interface FastEthernet0/0 overload<BR /><BR />!<BR />ip access-list extended NAT<BR /><BR />&nbsp;permit ip 172.31.0.0&nbsp;&nbsp; 0.0.255.255 any</P> Tue, 12 Mar 2019 08:29:54 GMT https://community.cisco.com/t5/network-security/nat-on-a-stick-disabling-ssh/m-p/2954787#M148752 gpettydpmg 2019-03-12T08:29:54Z https://community.cisco.com/t5/network-security/nat-on-a-stick-disabling-ssh/m-p/2954788#M148753 <P>what IP address are you connecting to when ssh-ing into the machine? &nbsp;172.31.3.4?</P> Sun, 06 Nov 2016 23:01:44 GMT https://community.cisco.com/t5/network-security/nat-on-a-stick-disabling-ssh/m-p/2954788#M148753 Dennis Mink 2016-11-06T23:01:44Z https://community.cisco.com/t5/network-security/nat-on-a-stick-disabling-ssh/m-p/2954789#M148754 <P>Yes, from the local network I can still ping the interface after enabling <SPAN style="text-decoration: underline;">nat outside</SPAN> on it but ports 22/23 instantly close</P> Sun, 06 Nov 2016 23:43:10 GMT https://community.cisco.com/t5/network-security/nat-on-a-stick-disabling-ssh/m-p/2954789#M148754 gpettydpmg 2016-11-06T23:43:10Z https://community.cisco.com/t5/network-security/nat-on-a-stick-disabling-ssh/m-p/2954790#M148755 <P>Ok I think I figured out what I was missing.&nbsp; I expected because i was on the local network I would still have access to those ports but becaues I've enabled nat outside on it, it blocks incoming traffic.&nbsp; I can actually access ssh/telnet on the loopback ip if I'm routed to the F0/0 interface.&nbsp;&nbsp;</P> <P>All I needed was to open the port with a static map</P> <P></P> <P>ip nat inside source static tcp 11.1.1.1 23 int f0/0 23</P> <P></P> <P></P> <P>That opened telnet back up, silly oversight on my part.</P> <P></P> Mon, 07 Nov 2016 17:39:52 GMT https://community.cisco.com/t5/network-security/nat-on-a-stick-disabling-ssh/m-p/2954790#M148755 gpettydpmg 2016-11-07T17:39:52Z https://community.cisco.com/t5/network-security/nat-on-a-stick-disabling-ssh/m-p/2954791#M148756 <P>You may have to enable SSH on an additional, non-default port.&nbsp; In my experience ASA firmwares don't handle direct access to addresses+ports with NAT mappings in the way you might expect.&nbsp; If you keep the NAT mapping and the local access separate, they will probably both work simultaneously.&nbsp; Otherwise, not.</P> <P>-- Jim Leinweber, WI State Lab of Hygiene</P> Mon, 07 Nov 2016 18:02:02 GMT https://community.cisco.com/t5/network-security/nat-on-a-stick-disabling-ssh/m-p/2954791#M148756 James Leinweber 2016-11-07T18:02:02Z