03-31-2020 05:01 AM - edited 03-31-2020 05:04 AM
Hi,
I have a Cisco 897VA IOS router. I am unable to access a port forwarded to an IP in Vlan10 from Vlan20. I am unable to access an SSH port on IP 10.0.0.2 from IP 192.168.0.2.
There is no problem connecting to the SSH port from the same Vlan10 or through the public IP. I want to access the SSH port from Vlan20 using the internal IP instead of the public IP.
Please let me know if I have any issue in the following configuration.
interface GigabitEthernet8
ip address 99.80.10.233 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
load-interval 30
duplex auto
speed auto
no cdp enable
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.0.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip verify unicast reverse-path
no autostate
!
interface Vlan20
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip verify unicast reverse-path
no autostate
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source static tcp 10.0.0.2 22 interface GigabitEthernet8 22
ip nat source route-map 1 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ipv6 ioam timestamp
!
route-map 1 permit 10
match ip address 1 2
match interface GigabitEthernet8
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
03-31-2020 08:00 AM
Hi,
I would say the problem is that you're using domainless NAT (aka "nat enable"), thus the "publishing" is out all NAT-enabled interfaces. Try the following config, it should work, with domain-based NAT (inside/outside domains), and also reconfigure your default route by specifying a next-hop, otherwise in time you may lose Internet access or the router could crash due to insufficient ARP memory:
interface GigabitEthernet8
no ip nat enable
ip nat outside
!
interface Vlan10
no ip nat enable
ip nat inside
!
interface Vlan20
no ip nat enable
ip nat inside
!
no ip nat source static tcp 10.0.0.2 22 interface GigabitEthernet8 22
no ip nat source route-map 1 interface GigabitEthernet8 overload
ip nat inside source static tcp 10.0.0.2 22 interface GigabitEthernet8 22
ip nat inside source route-map 1 interface GigabitEthernet8 overload
!
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 99.80.10.X
Regards,
Cristian Matei.
04-01-2020 04:52 AM
Hi Cristian,
It works according to the configuration you provided, but I am looking for a way in which 10.0.0.2 could be SSH'd to through its own internal IP as well as the public IP from Vlan20.
I need to forward several ports but I am stuck with this.
Please let me know.
Thank you
04-01-2020 08:25 AM
Hi,
@mustafa.chapal Yes, with the provided configuration, for traffic going "outside NAT interface to inside NAT interface" you will be accessing the service based on the public IP, for traffic going "inside NAT interface to inside NAT interface" you will be accessing the service based on the private IP. Test it, it has to work.
Regards,
Cristian Matei.
04-01-2020 02:26 AM - edited 04-01-2020 05:13 AM
Hello
I don't think you need to change the NAT, you just need to amend the NAT access-list to deny NAT between the two LAN subnets.
Example
no access-list 1
ip access-list extended NAT
deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
route-map 1 permit 10
no match ip address 1 2
match ip address NAT
04-01-2020 04:55 AM
Hi Paul,
It still did not work using the configuration you provided.
The scenario remained the same.
Thank you
04-01-2020 05:24 AM - edited 04-03-2020 07:06 AM
Hello
Just to confirm, you used that extended ACL with the route-map running NVI NAT and you say you cannot establish internal host-to-host communication via SSH?
The reason why it works via domain-based NAT as suggested by @Cristian Matei is the original NAT order of preference; however, it should work via NVI NAT even with its dual route lookup with the above ACL applied, unless I am missing something fundamental here.
Can you post your configuration as it is now please, and also confirm what you are trying to accomplish, and whether you wish for a host to be reached via SSH either via its external NATted or its internal address.
04-01-2020 06:48 AM
Hi Paul,
Yes, that's correct. I used the extended ACL with the route-map running NVI NAT and I am unable to establish host-to-host communication via SSH.
I want to reach the host 10.0.0.2 using any IP address within 192.168.0.0/24 in Vlan 20 via SSH through both external natted and its internal IP address.
I want to accomplish the above, which works well from a host with an example IP 10.0.0.5 in Vlan 10: it is able to SSH to 10.0.0.2 both through the external NATted and its internal IP address.
Following is the config.
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service password-recovery
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone Chicago
!
!
!
!
!
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
!
!
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.1 10.0.0.100
ip dhcp excluded-address 10.0.0.200 10.0.0.254
!
ip dhcp pool ccp-pool1
import all
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 208.67.222.222 208.67.220.220
!
ip dhcp pool ccp-pool2
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 208.67.222.222 208.67.220.220
!
!
!
!
no ip bootp server
ip domain name example.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 1.1.1.1
ip name-server 1.0.0.1
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
!
!
username Example privilege 15 secret
!
redundancy
!
!
!
no cdp run
!
!
ip tcp synwait-time 10
!
!
!
!
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0
switchport trunk native vlan 10
switchport trunk allowed vlan 1,2,10,20,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet1
switchport trunk native vlan 10
switchport trunk allowed vlan 1,2,10,20,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet2
switchport trunk native vlan 10
switchport trunk allowed vlan 1,2,10,20,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet3
switchport access vlan 10
no ip address
!
interface GigabitEthernet4
switchport access vlan 10
no ip address
!
interface GigabitEthernet5
switchport access vlan 10
no ip address
!
interface GigabitEthernet6
switchport access vlan 10
no ip address
!
interface GigabitEthernet7
switchport trunk native vlan 10
switchport mode trunk
no ip address
!
interface GigabitEthernet8
ip address 99.80.10.233 255.255.255.248
ip access-group inside in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
load-interval 30
duplex auto
speed auto
no cdp enable
ntp disable
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.0.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip verify unicast reverse-path
no autostate
!
interface Vlan20
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip verify unicast reverse-path
no autostate
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat source route-map 1 interface GigabitEthernet8 overload
ip nat source static tcp 10.0.0.2 22 99.80.10.233 2222 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 99.80.10.233
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list extended NAT
deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended inside
deny ip 0.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny udp any any eq ntp
deny udp any any eq snmp
deny udp any any eq snmptrap
deny tcp any any fragments
deny udp any any fragments
deny ip any any fragments
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit icmp any any echo-reply
permit icmp any any echo
permit icmp any any packet-too-big
deny icmp any any
permit ip any any
ip access-list extended vty
deny tcp any any eq 22
permit ip any any
!
ipv6 ioam timestamp
!
route-map 1 permit 10
match ip address NAT
match interface GigabitEthernet8
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
privilege level 15
no modem enable
transport output ssh
line aux 0
exec-timeout 0 0
no exec
transport output none
line vty 0 4
access-class vty in
privilege level 15
transport input ssh
transport output none
!
scheduler allocate 20000 1000
ntp server pool.ntp.org
!
!
!
end
04-01-2020 08:32 AM
Hi,
@paul driver The difference between the two solutions working or not stands in the fundamental difference between the two implementations. For NAT to happen with domain-based NAT (inside, outside), traffic needs to match a NAT statement and flow between NAT domains (inside to outside, or outside to inside), so inside-to-inside or outside-to-outside will not trigger NAT. For NAT to happen with domainless NAT (no domains, just NAT enable), traffic needs to match a NAT statement and flow between NAT-enabled interfaces (any NAT-enabled interfaces, no further condition).
He has a problem with his static NVI NAT config. As IOS implements source-based NAT and it is not a stateful firewall that performs reverse NAT checks (or RPF-NAT checks), what happens is that if you initiate the session towards the real IP, the SYN goes untranslated, it reaches the destination, and when the SYN-ACK comes to the router, it translates the source (traffic between NAT-enabled interfaces and matching a NAT statement), thus this is a broken session and will never work.
With domain-based NAT this is fixed, as he configures his private interfaces in the inside NAT domain, so for traffic flowing between inside interfaces or between outside interfaces there is no NAT. Exactly what he wants.
Regards,
Cristian Matei.
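The explanation above (and Cristian's first reply about "nat enable" versus inside/outside domains) can be traced through with a small model. The following Python is an added illustration written for this thread, not IOS code and not something Cisco or either poster supplied. It assumes the thread's addresses and NAT statements (Gi8 at 99.80.10.233, the static mapping of 10.0.0.2:22 to the Gi8 address on port 22 from the first post, access-lists 1 and 2 as the PAT sources, and the route-map's "match interface GigabitEthernet8"), shortens interface names to Gi8/Vlan10/Vlan20, and takes the egress interface as given instead of routing the packet. It then shows why a Vlan20 client's handshake to the real IP 10.0.0.2 is consistent under domain-based NAT but broken under NVI NAT (the SYN passes untouched, the SYN-ACK's source gets rewritten), and why under domain-based NAT the same client cannot use the public address, as mustafa later observed:

```python
"""Simplified model of how Cisco IOS NAT decides whether to translate a packet,
contrasting domain-based NAT (ip nat inside / ip nat outside) with NVI, or
"domainless", NAT (ip nat enable). Constructed illustration for this thread;
it is not IOS code and it ignores routing, ACL ordering and timeouts."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses and NAT statements taken from the thread's configuration.
PUBLIC_IP = "99.80.10.233"                             # Gi8 address
SERVER = ("10.0.0.2", 22)                              # the forwarded SSH host
STATIC_LOCAL, STATIC_GLOBAL = SERVER, (PUBLIC_IP, 22)  # static tcp 10.0.0.2 22 interface Gi8 22
PAT_SOURCES = [ip_network("10.0.0.0/24"), ip_network("192.168.0.0/24")]  # access-list 1 and 2
PAT_EGRESS = "Gi8"                                     # route-map 1: match interface GigabitEthernet8
DOMAIN = {"Gi8": "outside", "Vlan10": "inside", "Vlan20": "inside"}  # Cristian's suggested config
NVI_ENABLED = {"Gi8", "Vlan10", "Vlan20"}              # original config: ip nat enable everywhere


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str   # interface the packet arrived on
    out_if: str  # interface it leaves on (assumed here, since routing is not modelled)


def _matches_pat(pkt):
    return pkt.out_if == PAT_EGRESS and any(ip_address(pkt.src) in n for n in PAT_SOURCES)


def _static_src(pkt):
    return replace(pkt, src=STATIC_GLOBAL[0], sport=STATIC_GLOBAL[1])


def _static_dst(pkt):
    return replace(pkt, dst=STATIC_LOCAL[0], dport=STATIC_LOCAL[1])


def domain_nat(pkt):
    """Domain-based NAT: translate only when crossing between inside and outside."""
    if DOMAIN[pkt.in_if] == DOMAIN[pkt.out_if]:
        return pkt, "same domain: no translation"
    if DOMAIN[pkt.in_if] == "inside":            # inside -> outside: source side
        if (pkt.src, pkt.sport) == STATIC_LOCAL:
            return _static_src(pkt), "static source translation"
        if _matches_pat(pkt):
            return replace(pkt, src=PUBLIC_IP), "PAT source translation"
    elif (pkt.dst, pkt.dport) == STATIC_GLOBAL:  # outside -> inside: destination side
        return _static_dst(pkt), "static destination translation"
    return pkt, "no matching NAT statement"


def nvi_nat(pkt):
    """NVI NAT: translate whenever both interfaces are NAT-enabled and a statement
    matches, regardless of direction (Cristian's point about source-based NAT)."""
    if not (pkt.in_if in NVI_ENABLED and pkt.out_if in NVI_ENABLED):
        return pkt, "not between NAT-enabled interfaces"
    if (pkt.src, pkt.sport) == STATIC_LOCAL:
        return _static_src(pkt), "static source translation"
    if (pkt.dst, pkt.dport) == STATIC_GLOBAL:
        return _static_dst(pkt), "static destination translation"
    if _matches_pat(pkt):
        return replace(pkt, src=PUBLIC_IP), "PAT source translation"
    return pkt, "no matching NAT statement"


def ssh_session_consistent(nat, client_ip, client_if, target, server_if="Vlan10"):
    """Model a TCP handshake from client_ip on client_if to target=(ip, port).
    True only when the SYN actually reaches 10.0.0.2:22 AND the SYN-ACK the
    client receives comes from the exact address:port it sent the SYN to."""
    syn = Packet(client_ip, 40000, target[0], target[1], client_if, server_if)
    syn_fwd, _ = nat(syn)
    if (syn_fwd.dst, syn_fwd.dport) != SERVER:
        return False                             # SYN never reached the host
    # The server answers whatever source it saw; the reply flows the opposite way.
    synack = Packet(syn_fwd.dst, syn_fwd.dport, syn_fwd.src, syn_fwd.sport, server_if, client_if)
    synack_fwd, _ = nat(synack)
    return (synack_fwd.src, synack_fwd.sport) == (syn.dst, syn.dport)


if __name__ == "__main__":
    for name, nat in (("domain-based", domain_nat), ("NVI", nvi_nat)):
        for target in (SERVER, STATIC_GLOBAL):
            ok = ssh_session_consistent(nat, "192.168.0.2", "Vlan20", target)
            print(f"{name:13} Vlan20 -> {target[0]}:{target[1]}: {'works' if ok else 'broken'}")
```

Running it prints "broken" for NVI to the real IP (the SYN-ACK comes back from 99.80.10.233:22, which the client's socket does not recognise) and "broken" for domain-based NAT to the public IP (the Vlan20-to-Vlan10 packet never crosses a domain, so the public destination is never rewritten to 10.0.0.2). The model is deliberately minimal; the real router also consults the routing table before or after translation depending on direction, which this code sidesteps by taking out_if as an input.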
04-01-2020 10:51 AM - edited 04-03-2020 07:14 AM
Hello @Cristian Matei
Thanks for the feedback and I do understand, but as I have stated, mate, if the OP confirmed he wants to access a host via external and internal, then with NVI or domain NAT I do think there is a possible way, incorporating either domain (depending on IOS version) or NVI NAT, either with some hairpinning
(I'll probably need to lab it). However, if it isn't, then as you stated, domain NAT is the correct solution.
04-01-2020 03:28 PM
Hi Cristian,
Please tell me a way how I can SSH to 99.80.10.233 from IP 192.168.0.10 in Vlan 20, as outside to inside does not seem to work with the config you provided. I even tried it on a different router.
The actual purpose is to make both inside to inside and outside to inside work using multiple vlans.
Please let me know.
04-01-2020 11:51 PM
Hi,
The below, was your initial statement: "There is no problem connecting to the SSH port from the same Vlan10 or through the public IP. I want to access the SSH port from Vlan20 using the internal IP instead of the public IP."
With the config I provided you, which works (unless you have some other settings which you have not posted and may affect the functionality), traffic coming inbound on Gi8 (from the Internet, let's say) should be using the public IP as destination in order to get access, while traffic coming inbound on VLAN 20 should be using the private IP as destination in order to get access. This is what you requested, isn't it?
Regards,
Cristian Matei.
04-02-2020 02:07 AM - edited 04-02-2020 02:09 AM
Hello
@mustafa.chapal wrote:
Please tell me a way how can I SSH 99.80.10.233 from IP 192.168.0.10 in Vlan 20 as outside to inside does not seem to work
So you wish to access, internally, other internal hosts via their NATted public address? If so, then you'll need to NAT hairpin for those internal subnets. Please confirm?
04-02-2020 03:11 AM
Hi Paul,
I want to access the natted host via its internal as well as external IP from other VLAN.
For example, user 192.168.0.2 in VLAN 20 should be able to access the host through the following ways.
ssh -l root 10.0.0.2
ssh -l root 99.80.10.233 -p2222
@Cristian Matei I apologize for the confusion in my initial question. I meant to say that the user for example 192.168.0.2 in VLAN 20 should be able to SSH the forwarded host via its internal IP 10.0.0.2 as well as the natted public address 99.80.10.233 and port 2222. Also I have provided the complete configuration in my previous message.
Thank you
04-03-2020 07:42 AM - edited 04-03-2020 10:15 AM
Hello
Not so sure why you want to access the host via the public NATted address and its internal address internally; however, depending on your IOS software I think it's applicable.
Below is a possible solution using NVI NAT; however, depending on your IOS version you may be able to do this with domain NAT also.
Example:
no route-map 1
no access-list 1
no access-list 2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
no ip nat source route-map 1 interface GigabitEthernet8 overload
int loopback 100
ip address 169.254.1.1 255.255.255.255
ip nat enable
interface GigabitEthernet8
ip address 99.80.10.233 255.255.255.248
no ip redirects
no ip nat outside
ip nat enable
interface Vlan10
ip address 10.0.0.1 255.255.255.0
ip redirects
ip nat enable
interface Vlan20
ip address 192.168.0.1 255.255.255.0
ip redirects
ip nat enable
ip access-list extended NAT
permit ip 10.0.0.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended NAT-PIN
permit ip 192.168.1.0 0.0.0.255 host 10.0.0.2
ip nat source static tcp 10.0.0.2 22 interface GigabitEthernet8 22
ip nat source list NAT interface GigabitEthernet8
ip nat source list NAT-PIN interface loopback 100
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 99.80.10.xxxx