NAT on a stick disabling ssh

gpettydpmg
Level 1

I've got a standard single-interface router hosting a number of IPsec tunnels. I'm attempting to add a loopback interface and enable NAT outside on the physical interface. The second I enable ip nat outside I lose SSH and telnet access from both inside and outside. This being an Azure CSR router, I have no console access to it and have to reboot it each time to get it back.

Is there some reason NAT outside is blocking access? I intend on using route maps to NAT some specific tunnel traffic, but simply enabling NAT kicks me off entirely.

interface Loopback1
 ip address 11.1.1.1 255.255.255.255
 ip nat inside
!
interface FastEthernet0/0
 ip address 172.31.3.4 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map clientvpn
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list extended NAT
 permit ip 172.31.0.0 0.0.255.255 any


Dennis Mink
VIP Alumni

What IP address are you connecting to when SSH-ing into the machine? 172.31.3.4?


Yes, from the local network I can still ping the interface after enabling NAT outside on it, but ports 22/23 instantly close.

You may have to enable SSH on an additional, non-default port. In my experience ASA firmwares don't handle direct access to addresses+ports with NAT mappings in the way you might expect. If you keep the NAT mapping and the local access separate, they will probably both work simultaneously. Otherwise, not.

-- Jim Leinweber, WI State Lab of Hygiene

gpettydpmg
Level 1

OK, I think I figured out what I was missing. I expected that because I was on the local network I would still have access to those ports, but because I've enabled NAT outside on it, it blocks incoming traffic. I can actually access SSH/telnet on the loopback IP if I'm routed to the F0/0 interface.

All I needed was to open the port with a static map:

ip nat inside source static tcp 11.1.1.1 23 int f0/0 23

That opened telnet back up; silly oversight on my part.
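The fix the original poster arrived at, laid out as an added example that is not the poster's own config: the overload rule alone, then the static port mappings that restore management access through the NAT outside interface. It assumes the same Loopback1 / FastEthernet0/0 addressing as the thread; the ACL name MGMT-HOSTS and its second network are placeholders.

```cisco
! Added example (not the original poster's running config).
! Assumed: Loopback1 (11.1.1.1) carries "ip nat inside" and is the
! management address; FastEthernet0/0 (172.31.3.4) carries "ip nat outside".
!
! Before: only the overload rule exists. Once nat outside is enabled,
! inbound SSH/telnet to 172.31.3.4 no longer reaches the router's vty lines.
ip nat inside source list NAT interface FastEthernet0/0 overload
!
! After: one static port mapping per management service, pointing at the
! loopback. The thread added only port 23; port 22 is needed as well,
! otherwise SSH stays closed while telnet comes back.
ip nat inside source static tcp 11.1.1.1 22 interface FastEthernet0/0 22
ip nat inside source static tcp 11.1.1.1 23 interface FastEthernet0/0 23
!
! The static mappings make 22/23 reachable from any host that can reach
! the outside address, so limit the vty lines to a management ACL.
! MGMT-HOSTS and the 10.0.0.0/8 entry are placeholders; adjust to fit.
ip access-list standard MGMT-HOSTS
 permit 172.31.0.0 0.0.255.255
 permit 10.0.0.0 0.255.255.255
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh telnet
!
! Verify the static entries are installed and see sessions hit them:
! show ip nat translations
```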
