Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
568
Views
0
Helpful
4
Replies

I need to telent to a server inside the FW.

tmcmillion
Level 1
Level 1

‎02-15-2002 05:20 AM - edited ‎03-08-2019 09:50 PM

I have a 1720 running 12.1(5) ip/fw ipsec and am overloading nat to the outside interface. I have a vendor on the outside that needs to be able to telnet to a server on private address space 172.16.0.0. Do I need to use a static NAT trans to this server? Is there someway to forward this telenet request to the server? Not sure how to handle this.

Labels:
0 Helpful
4 Replies 4

tepatel
Cisco Employee
Cisco Employee

‎02-15-2002 10:38 AM

YES..you need to use the static NAT mapping (actually its static PAT too) Lets say the outside ip address is 1.1.1.1 and inside network is 172.16.0.0 ( .1 to .4) then in order to telnet from outside to inside privet ip address, the PC which is on the internet has fo fire request for telnet not on the port 23 for 1.1.1.1 but on different ports statically. That ports are mapped to the port 23 on the inside ip addresses..like this

ip nat inside source static tcp 172.16.0.1 23 1.1.1.1 1023 extendable

ip nat inside source static tcp 172.16.0.2 23 1.1.1.1 2023 extendable

so forth

So if the router see the request for tcp port 1023 on ip address 1.1.1.1 (outside), it will conver that to port 23 on inside ip address 172.16.0.1.

But for that client side has to initiate the telnet request for port 1023 on ip 1.1.1.1 to get to 172.16.0.1..

Hope this helps.

0 Helpful

chlovell
Level 1
Level 1

‎02-19-2002 11:21 AM

You could do this in one of two ways. Staticly map the internal ip to an external ip and add telnet to your access list. Or you can port map tcp25 to the outside interface and map it to the internal host, but this will make it so you cannot telnet to the router. The static nat would be the best solution

0 Helpful

2d-ruttino
Level 1
Level 1

‎02-19-2002 01:21 PM

Both of the posted solutions are good, but if the vendor was going to do this on a prolonged or regular basis, and since your IOS supports it, I would recommend a VPN solution. You can restrict what he is allowed to do and encrypt the traffic.

0 Helpful

chlovell
Level 1
Level 1
In response to 2d-ruttino

‎02-19-2002 01:51 PM

yes..pptp or ipsec would be good but if the host that is telnetting is win2k or xp then you are limited to pptp. good luck

0 Helpful
Customers Also Viewed These Support Documents