
UNABLE TO TELNET FROM OUTSIDE INTERFACE

isaaco001
Level 3

Hi community,

I have tried this port forwarding for some time now, but I can't see why it's not working. I have looked at some forums, but I still keep getting errors like asymmetric NAT. Please assist.

I am trying to telnet from an outside IP to an inside router behind the ASA. Please find the run config attached.

 

object network R3
nat (Inside-dmz,outside) static interface service tcp telnet telnet


access-group outside_access_in in interface outside

 

Thank you all!

1 Accepted Solution


If you have to telnet from outside to inside, we use the NAT'd IP of the firewall to connect to the inside host. Going back to basics, try to telnet from your router 192.168.137.10 to the firewall outside interface 192.168.137.1. Because you did PAT over the firewall, if you want to telnet to the router with IP 192.168.1.1 from 192.158.137.10, use the NAT IP, which is 192.168.137.1, to get telnet access to the 192.168.1.1 router.

 


Please rate comments and support
with regards,
Venkat


6 Replies

Marvin Rhoads
Hall of Fame

From a quick glance it looks ok. What does packet-tracer tell you? e.g.:

packet-tracer input outside tcp 8.8.8.8 1025 192.168.3.1 23

Hi Marvin,

Firstly, thanks for the reply.

I have continued working on it and made changes to the configuration to make things simpler. I just have two interfaces now, inside and outside, but it's essentially the same.

Log from monitoring:

5 Mar 03 2019 14:35:47 305013 192.168.137.10 32592 192.168.1.1 23 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.137.10/32592 dst inside:192.168.1.1/23 denied due to NAT reverse path failure

 

Packet tracer indicates that there's a NAT problem. In this lab, 192.168.137.10 represents "internet".

This is the packet tracer snapshot, attached.

Please share the NAT and routing configuration stanzas, i.e., "show run nat" and "show run route".


Hi venkat_n7,

Thanks, this explains it!

 

Regards,

Isaac.
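
The diagnosis reached in this thread, as an added example (not code from any poster or from Cisco): it parses the 305013 reverse path failure message quoted above and, given a table modelling the static PAT rule, reports the mapped address the client should have targeted. The `STATIC_PAT` table, the `diagnose` function and the second log line are assumptions constructed for illustration.

```python
import re

# Message text of ASA syslog 305013 for TCP/UDP, as quoted in the thread.
RPF_RE = re.compile(
    r"Connection for (?P<proto>tcp|udp) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"denied due to NAT reverse path failure"
)

# Assumed model of the static PAT rule after the poster's simplification:
# (real interface, real IP, protocol, real port) -> (mapped IP, mapped port).
STATIC_PAT = {("inside", "192.168.1.1", "tcp", 23): ("192.168.137.1", 23)}

# First line is the log entry from the thread; the second is constructed.
SAMPLE_LOG = [
    "5 Mar 03 2019 14:35:47 305013 192.168.137.10 32592 192.168.1.1 23 "
    "Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for tcp src outside:192.168.137.10/32592 "
    "dst inside:192.168.1.1/23 denied due to NAT reverse path failure",
    "5 Mar 03 2019 14:36:02 305013 192.168.137.10 32601 192.168.1.1 80 "
    "Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for tcp src outside:192.168.137.10/32601 "
    "dst inside:192.168.1.1/80 denied due to NAT reverse path failure",
]


def diagnose(line, pat_table=STATIC_PAT):
    """Return a finding for a 305013 line, or None if the line is not one."""
    m = RPF_RE.search(line)
    if m is None:
        return None
    key = (m["dst_if"], m["dst_ip"], m["proto"], int(m["dst_port"]))
    finding = {"client": m["src_ip"],
               "attempted": f"{m['dst_ip']}:{m['dst_port']}",
               "connect_to": None,
               "cause": "no static PAT entry in the table; check other NAT rules"}
    if key in pat_table:
        mapped_ip, mapped_port = pat_table[key]
        finding["connect_to"] = f"{mapped_ip}:{mapped_port}"
        finding["cause"] = "client used the real IP of a host published via static PAT"
    return finding


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(diagnose(entry))
```

The regular expression covers only the TCP/UDP form of the message shown in the thread.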
