Cannot telnet to interface with NAT overload

digoraj
Level 1

I have set up a NAT overloaded interface, and everything works fine, but I can't telnet to this interface from the outside, even when I specify a secondary IP on the interface. Any solution?

Accepted Solutions

dbellazetin
Level 4

This can happen if you overload a pool with only one IP and the IP is assigned to your internet interface, or if your ACL for NAT has permit any and no specific network specified.

So basically this-

!
interface ethernet 0
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
!
interface serial 0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
!
ip nat pool NAT 1.1.1.1 1.1.1.1 netmask 255.255.255.252
ip nat inside source list 1 pool NAT overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!

OR

!
interface ethernet 0
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
!
interface serial 0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
!
ip nat inside source list 1 interface serial 0 overload
!
access-list 1 permit any
!

The above samples don't work well with NAT. My second example works just fine as long as you change the ACL to "access-list 1 permit 10.0.0.0 0.255.255.255" instead of just specifying "any".

Other than that, make sure you are hitting the right IP, verify there are no ACLs denying telnet (access-list on the interface, or access-class on the line), and verify no one else in your path is blocking telnet.

Daniel
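
A config check for the two patterns described in the answer above, as an added example (not part of the original post and not a Cisco tool). The helper name audit_nat_overload and the sample text are constructed for illustration, and only standard numbered ACLs are parsed.

```python
import re

# Constructed sample, copied from the second configuration in the answer.
SAMPLE = """\
interface ethernet 0
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
interface serial 0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
ip nat inside source list 1 interface serial 0 overload
access-list 1 permit any
"""
# Same config with the ACL change the answer recommends.
FIXED = SAMPLE.replace("permit any", "permit 10.0.0.0 0.255.255.255")

def _m(pattern, line):
    # Keywords are matched case-insensitively; captured names keep their case.
    return re.match(pattern, line, re.IGNORECASE)

def audit_nat_overload(config):
    """Flag the two NAT overload patterns named in the answer (hypothetical helper)."""
    iface_ips, pools, acl_any, rules = {}, {}, set(), []
    current = None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate missing indentation and blank lines
        if m := _m(r"interface (.+)", line):
            current = m.group(1)
        elif (m := _m(r"ip address (\S+) \S+", line)) and current:
            iface_ips[m.group(1)] = current
        elif m := _m(r"ip nat pool (\S+) (\S+) (\S+)", line):
            pools[m.group(1)] = (m.group(2), m.group(3))
        elif m := _m(r"access-list (\d+) permit any$", line):
            acl_any.add(m.group(1))  # standard numbered ACLs only
        elif m := _m(r"ip nat inside source list (\S+) (pool|interface) (.+) overload$", line):
            rules.append(m.groups())
    findings = []
    for acl, kind, target in rules:
        if acl in acl_any:
            findings.append(f"acl {acl}: 'permit any' used for NAT overload")
        if kind.lower() == "pool" and target in pools:
            start, end = pools[target]
            if start == end and start in iface_ips:
                findings.append(f"pool {target}: single address {start} is also on {iface_ips[start]}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE), ("fixed", FIXED)):
        print(name, audit_nat_overload(cfg) or "no findings")
```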

3 Replies

Thank you very much, that was it, access-list permit any problem.

Was this from your experience? I couldn't get this information anywhere. I did see some weird xlation going on, but it never occurred to me to change the access list.

Thank you very much again.

Yes this is from experience. I am not sure if it is documented or not. I worked for Cisco TAC for about three years :)

Daniel