11-18-2004 11:51 AM - edited 03-02-2019 08:03 PM
I have set up a NAT overloaded interface, everything works fine, but I can't telnet to this interface from the outside, even when I specify a secondary IP on the interface. Any solution?
11-18-2004 01:46 PM
This can happen if you overload a pool with only one IP and the IP is assigned to your internet interface, or if your ACL for NAT has permit any and no specific network specified.
So basically this-
!
interface ethernet 0
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
!
interface serial 0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
!
ip nat pool NAT 1.1.1.1 1.1.1.1 netmask 255.255.255.252
ip nat inside source list 1 pool NAT overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
OR
!
interface ethernet 0
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
!
interface serial 0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
!
ip nat inside source list 1 interface serial 0 overload
!
access-list 1 permit any
!
The above samples don't work well with NAT. My second example works just fine as long as you change the ACL to "access-list 1 permit 10.0.0.0 0.255.255.255" instead of just specifying "any".
Other than that, make sure you are hitting the right IP, verify there are no ACLs denying telnet (access-list on the interface, or access-class on the line), and verify no one else in your path is blocking telnet.
Daniel
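An added example (not part of the original thread): a small Python check that scans an IOS configuration for the two overload patterns described in the answer above. The function name `audit_nat` and the sample text are constructed for illustration, and only standard numbered ACLs are handled.

```python
import re

# Constructed sample: the second configuration from the answer above.
SAMPLE = """\
interface ethernet 0
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
!
interface serial 0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
!
ip nat inside source list 1 interface serial 0 overload
!
access-list 1 permit any
"""

def audit_nat(config):
    """Return findings for the two overload patterns named in the answer."""
    iface_ips, pools, acls, findings = set(), {}, {}, []
    lines = [l.strip() for l in config.splitlines()]
    # First pass: collect interface addresses, NAT pools and standard ACL entries.
    for line in lines:
        if m := re.match(r"ip address (\S+) \S+", line):
            iface_ips.add(m.group(1))
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) ", line):
            pools[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"access-list (\d+) permit (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
    # Second pass: inspect every overload statement against what was collected.
    for line in lines:
        m = re.match(r"ip nat inside source list (\S+) (pool|interface) (.+?) overload$", line)
        if not m:
            continue
        acl, kind, target = m.groups()
        if "any" in acls.get(acl, []):
            findings.append(f"access-list {acl} permits any; match the inside network instead")
        if kind == "pool" and target in pools:
            start, end = pools[target]
            if start == end and start in iface_ips:
                findings.append(f"pool {target} is the single interface address {start}")
    return findings

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE):
        print(finding)
```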
11-18-2004 02:23 PM
Thank you very much, that was it, access-list permit any problem.
Was this from your experience? I couldn't get this information anywhere. I did see some weird xlation going on, but it never occurred to me to change the access list.
Thank you very much again.
11-18-2004 06:06 PM
Yes this is from experience. I am not sure if it is documented or not. I worked for Cisco TAC for about three years :)
Daniel