1033 Views, 0 Helpful, 3 Replies

ssh to wan of NAT router fails

jerry.roy
Level 1

Hi all,

Can someone see the problem? I am having two issues.

1) SSH fails to the WAN of my 1711 NAT router. Can you see anything wrong with my ACLs that would prevent this?

2) I can only get a response from some web servers on a DMZ I created. I get zero response from others. I used 2 ports on the built-in switch and created a new vlan3.

internet
|
|
|WAN (NAT)
DMZ(NAT) ______________
------------|VLAN2 1711 |
| |
------|--------
|
| LAN (VLAN3)
|

version 12.3
no parser cache
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname LFL-1711-LAN
!
boot-start-marker
boot system flash c1700-k9o3sy7-mz.123-7.T.bin
boot-end-marker
!
logging buffered 51200 warnings
!
username admin password abc123
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
aaa authentication login ssh local
aaa session-id common
ip subnet-zero
!
no ip domain lookup
ip domain name forless.com
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool 192.168.1.0/24
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 domain-name forless.com
 dns-server 4.2.2.1 4.2.2.2
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
no crypto isakmp enable
!
interface FastEthernet0
 DESCRIPTION Covad Connection to Internet
 ip address xxx.100.97.194 255.255.255.248
 ip access-group Wan_2_Local in
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet3
 switchport access vlan 3
 no ip address
 no cdp enable
!
interface FastEthernet4
 switchport access vlan 3
 no ip address
 no cdp enable
!
interface Vlan2
 DESCRIPTION DMZ connection to web servers
 ip address xxx.168.168.94 255.255.255.224 secondary
 ip address xxx.145.181.66 255.255.255.224
 ip nat outside
!
interface Vlan3
 DESCRIPTION LAN Access
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Vlan1
 description $ETH-SW-LAUNCH$
 ip address 10.10.10.1 255.255.255.248
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.100.97.193
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.1.3 1220 xxx.145.181.66 1220 extendable
ip nat inside source static tcp 192.168.1.7 4599 xxx.145.181.66 4599 extendable
ip nat inside source static tcp 192.168.1.3 6401 xxx.145.181.66 6401 extendable
ip nat inside source static tcp 192.168.1.3 10000 xxx.145.181.66 10000 extendable
!
ip access-list extended Wan_2_Local
 permit tcp any any eq 22
 permit icmp any any echo-reply
 deny tcp any any range 0 65535 log
 deny udp any any range 0 65535 log
 deny icmp any any log
access-list 1 permit any
no cdp run
!
control-plane
!
banner exec ^CC
Managed by RemoteHand, Inc.
Main Phone: 562-305-9545
Contact: jroy@remotehand.com
Router location: nunya, CA
^C
banner motd ^CC
For xxxxxxxxxx Business Use Only
Unauthorized Access Subject to Legal Action
*************** WARNING! *****************
^C
!
line con 0
 logging synchronous
 transport preferred all
 transport output all
line 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 password abc123
 logging synchronous
 login authentication ssh
 transport preferred all
 transport input ssh
 transport output all
line vty 5 15
 privilege level 15
 transport input telnet ssh

3 Replies

carlosv
Level 1

Change your access-list 1 to:

access-list 1 permit 192.168.1.0 0.0.0.255

And see what happens.

Carlos

Carlos, thanks, that worked! Can you tell me why my NAT to the internet works but to the DMZ fails?

interface FastEthernet0
 ip address xx.100.97.194 255.255.255.248
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet3
 switchport access vlan 3
 no ip address
 no cdp enable
!
interface FastEthernet4
 switchport access vlan 3
 no ip address
 no cdp enable
!
interface Vlan2
 ip address xx.145.181.66 255.255.255.224
 ip nat outside
!
interface Vlan3
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Vlan1
 description $ETH-SW-LAUNCH$
 ip address 10.10.10.1 255.255.255.248
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.100.97.193
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface Vlan2 overload
ip nat inside source static tcp 192.168.1.3 1220 xx.145.181.66 1220 extendable
ip nat inside source static tcp 192.168.1.7 4599 xx.145.181.66 4599 extendable
ip nat inside source static tcp 192.168.1.3 6401 xx.145.181.66 6401 extendable
ip nat inside source static tcp 192.168.1.3 10000 xx.45.181.66 10000 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255

Thanks,

Jerry

Hi,

Why are you trying to NAT the same IP block to different IP addresses?

Also, revert: are you using the same IP blocks for your different security zones?

Regards
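Two things in this thread are worth turning into a repeatable check before a config like this goes on a box: carlosv's fix (a NAT source ACL must not be `permit any`; it should name the inside subnets) and the last reply's point (two dynamic NAT rules whose ACLs cover the same inside block are ambiguous, since rule selection with plain ACLs is by ACL match rather than by exit interface, which is what the route-map form of `ip nat inside source` is for). The script below is an added example written for this page, not code from the thread or from Cisco. It parses the numbered standard ACLs and the `ip nat inside source list` lines of an IOS-style config, reports those two NAT problems, and additionally flags management ports permitted from any source on the WAN ACL. The sample config is constructed in the shape of the one posted above, with the public addresses replaced by RFC 5737 documentation prefixes (an assumption, since the real ones are masked in the post); `FIXED_CONFIG` is the same sample after carlosv's change to access-list 1.

```python
"""Audit the NAT and WAN-ACL parts of an IOS-style config (added example, not from the thread)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the posted config; public addresses are
# RFC 5737 documentation prefixes (assumption: the real ones are masked above).
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip address 198.51.100.194 255.255.255.248
 ip access-group Wan_2_Local in
 ip nat outside
interface Vlan2
 ip address 203.0.113.66 255.255.255.224
 ip nat outside
interface Vlan3
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface Vlan2 overload
ip access-list extended Wan_2_Local
 permit tcp any any eq 22
 permit icmp any any echo-reply
 deny ip any any log
access-list 1 permit any
access-list 2 permit 192.168.1.0 0.0.0.255
"""

# The same sample after the change carlosv suggested for access-list 1.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list 1 permit any", "access-list 1 permit 192.168.1.0 0.0.0.255")

Finding = Tuple[str, str]  # (finding code, human-readable message)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted subnet masks: 0.0.0.255 means /24."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_standard_acls(config: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Collect the permit entries of numbered standard ACLs ('access-list N permit ...')."""
    acls: Dict[str, List[ipaddress.IPv4Network]] = {}
    pattern = re.compile(r"^access-list (\d+) permit (\S+)(?: (\S+))?\s*$", re.M)
    for num, addr, wc in pattern.findall(config):
        if addr == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif addr == "host":
            net = ipaddress.IPv4Network(f"{wc}/32")
        else:
            net = wildcard_to_network(addr, wc or "0.0.0.0")  # bare address = one host
        acls.setdefault(num, []).append(net)
    return acls


def parse_nat_rules(config: str) -> List[Tuple[str, str]]:
    """Return (acl_number, outside_interface) for each dynamic 'ip nat inside source list' rule."""
    return re.findall(r"^ip nat inside source list (\d+) interface (\S+)", config, re.M)


def audit_nat(config: str) -> List[Finding]:
    """A NAT ACL must not be 'permit any', and two NAT rules must not match the same inside block."""
    findings: List[Finding] = []
    acls = parse_standard_acls(config)
    rules = parse_nat_rules(config)
    for acl, iface in rules:
        nets = acls.get(acl, [])
        if not nets:
            findings.append(("NAT_EMPTY_ACL", f"NAT rule on {iface} references ACL {acl}, which permits nothing"))
        elif any(n.prefixlen == 0 for n in nets):
            findings.append(("NAT_PERMIT_ANY", f"ACL {acl} used for NAT on {iface} is 'permit any'; name the inside subnets instead"))
    for i, (acl_a, if_a) in enumerate(rules):
        for acl_b, if_b in rules[i + 1:]:
            for net_a in acls.get(acl_a, []):
                for net_b in acls.get(acl_b, []):
                    if net_a.overlaps(net_b):
                        findings.append(("NAT_OVERLAP", f"ACLs {acl_a} ({if_a}) and {acl_b} ({if_b}) both match {net_a} and {net_b}; rule choice is ambiguous"))
    return findings


def audit_wan_ingress(config: str) -> List[Finding]:
    """Flag SSH/telnet permitted from any source in any extended ACL entry (heuristic)."""
    findings: List[Finding] = []
    for port in re.findall(r"^\s*permit tcp any any eq (22|23|ssh|telnet)\s*$", config, re.M):
        findings.append(("MGMT_OPEN_TO_ANY", f"port {port} is reachable from any source; limit it to admin addresses"))
    return findings


def audit(config: str) -> List[str]:
    """Finding codes for a config, in the order the checks produce them."""
    return [code for code, _ in audit_nat(config) + audit_wan_ingress(config)]


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after ACL 1 fix", FIXED_CONFIG)):
        print(f"--- {label}")
        for code, msg in audit_nat(cfg) + audit_wan_ingress(cfg):
            print(f"{code}: {msg}")
```

Run against the sample as posted, the audit reports the `permit any` ACL, the overlap between ACL 1 and ACL 2, and SSH open to the world; after carlosv's change the `permit any` finding disappears but the overlap remains, which is exactly the state of Jerry's second config and the question the last reply raises.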