Access Forwarded Port from Another Vlan

mustafa.chapal
Level 1

Hi,

I have a Cisco 897VA IOS router. I am unable to access a port-forwarded IP in Vlan10 from Vlan20. I am unable to access an SSH port on IP 10.0.0.2 from IP 192.168.0.2.

There is no problem connecting to the SSH port from the same Vlan10 or through the public IP. I want to access the SSH port from Vlan20 using the internal IP instead of the public IP.

Please let me know if I have any issue in the following configuration.

interface GigabitEthernet8
 ip address 99.80.10.233 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 ip verify unicast reverse-path
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 ip verify unicast reverse-path
 no autostate
!
interface Vlan20
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 ip verify unicast reverse-path
 no autostate
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source static tcp 10.0.0.2 22 interface GigabitEthernet8 22
ip nat source route-map 1 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ipv6 ioam timestamp
!
route-map 1 permit 10
 match ip address 1 2
 match interface GigabitEthernet8
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255

20 Replies

Cristian Matei
VIP Alumni

Hi,

I would say the problem is that you're using domainless NAT (aka "nat enable"), thus the "publishing" is out all NAT-enabled interfaces. Try the following config, it should work, with domain-based NAT (inside/outside domains), and also reconfigure your default route by specifying a next-hop, otherwise in time you may lose Internet access or the router could crash due to insufficient ARP memory:

interface GigabitEthernet8
 no ip nat enable
 ip nat outside
!
interface Vlan10
 no ip nat enable
 ip nat inside
!
interface Vlan20
 no ip nat enable
 ip nat inside
!
no ip nat source static tcp 10.0.0.2 22 interface GigabitEthernet8 22
no ip nat source route-map 1 interface GigabitEthernet8 overload
ip nat inside source static tcp 10.0.0.2 22 interface GigabitEthernet8 22
ip nat inside source route-map 1 interface GigabitEthernet8 overload
!
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 99.80.10.X

Regards,

Cristian Matei.

Hi Cristian,

It works according to the configuration you provided, but I am looking for a way in which 10.0.0.2 could be SSH'd through its own internal IP as well as the public IP from Vlan20.

I need to forward several ports but I am stuck with this.

Please let me know.

Thank you

Hi,

@mustafa.chapal Yes, with the provided configuration, for traffic going "outside NAT interface to inside NAT interface" you will be accessing the service based on the public IP; for traffic going "inside NAT interface to inside NAT interface" you will be accessing the service based on the private IP. Test it, it has to work.

Regards,

Cristian Matei.

Hello
I don't think you need to change the NAT, you just need to amend the NAT access-list to deny NAT between the two LAN subnets.

Example
no access-list 1
ip access-list extended NAT
 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any

route-map 1 permit 10
 no match ip address 1 2
 match ip address NAT

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

Hi Paul,

It still did not work using the configuration you provided.

The scenario remained the same.

Thank you

Hello

Just to confirm: you used that extended ACL with the route-map running NVI NAT, and you say you cannot establish internal host-to-host communication via SSH?

The reason why it works via domain-based NAT as suggested by @Cristian Matei is the original NAT order of preference that is performed; however, it should work via NVI NAT even with its dual route lookup with the above ACL applied, unless I am missing something fundamental here.

Can you post your configuration as it is now please, also confirm what you are trying to accomplish, and whether you wish for a host to be reached via SSH through both its external NATted and its internal address.

Kind Regards
Paul

Hi Paul,

Yes, that's correct. I used the extended ACL with the route-map running NVI NAT and I am unable to establish host-to-host communication via SSH.

I want to reach the host 10.0.0.2 via SSH from any IP address within 192.168.0.0/24 in Vlan 20, through both its external NATted and its internal IP address.

I want to accomplish the above, which already works well from a host in Vlan 10 (for example 10.0.0.5): it is able to SSH to 10.0.0.2 both through the external NATted and its internal IP address.

Following is the config.

version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service password-recovery
!
hostname r1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
clock timezone Chicago
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.1 10.0.0.100
ip dhcp excluded-address 10.0.0.200 10.0.0.254
!
ip dhcp pool ccp-pool1
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 208.67.222.222 208.67.220.220
!
ip dhcp pool ccp-pool2
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 208.67.222.222 208.67.220.220
!
no ip bootp server
ip domain name example.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 1.1.1.1
ip name-server 1.0.0.1
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
username Example privilege 15 secret
!
redundancy
!
no cdp run
!
ip tcp synwait-time 10
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1,2,10,20,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1,2,10,20,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet2
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1,2,10,20,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet5
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet6
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet7
 switchport trunk native vlan 10
 switchport mode trunk
 no ip address
!
interface GigabitEthernet8
 ip address 99.80.10.233 255.255.255.248
 ip access-group inside in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 ip virtual-reassembly in
 ip verify unicast reverse-path
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 ntp disable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 ip verify unicast reverse-path
 no autostate
!
interface Vlan20
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 ip verify unicast reverse-path
 no autostate
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source route-map 1 interface GigabitEthernet8 overload
ip nat source static tcp 10.0.0.2 22 99.80.10.233 2222 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 99.80.10.233
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list extended NAT
 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended inside
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 240.0.0.0 15.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   udp any any eq ntp
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 deny   tcp any any fragments
 deny   udp any any fragments
 deny   ip any any fragments
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit icmp any any echo-reply
 permit icmp any any echo
 permit icmp any any packet-too-big
 deny   icmp any any
 permit ip any any
ip access-list extended vty
 deny   tcp any any eq 22
 permit ip any any
!
ipv6 ioam timestamp
!
route-map 1 permit 10
 match ip address NAT
 match interface GigabitEthernet8
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 privilege level 15
 no modem enable
 transport output ssh
line aux 0
 exec-timeout 0 0
 no exec
 transport output none
line vty 0 4
 access-class vty in
 privilege level 15
 transport input ssh
 transport output none
!
scheduler allocate 20000 1000
ntp server pool.ntp.org
!
end

Hi,

@paul driver The difference between the two solutions working or not stands in the fundamental difference between the two implementations. For NAT to happen with domain-based NAT (inside, outside), traffic needs to match a NAT statement and flow between NAT domains (inside to outside, or outside to inside), so inside-to-inside or outside-to-outside will not trigger NAT. For NAT to happen with domainless NAT (no domains, just NAT enable), traffic needs to match a NAT statement and flow between NAT-enabled interfaces (but any NAT-enabled interfaces, no further condition).

He has a problem with his static NVI NAT config. As IOS implements source-based NAT and it's not a stateful firewall performing reverse NAT checks (or RPF-NAT checks), what happens is that if you initiate the session towards the real IP, the SYN goes untranslated, it reaches the destination, and when the SYN-ACK comes to the router, it translates the source (traffic between NAT-enabled interfaces and matching a NAT statement), thus this is a broken session and will never work.

With domain-based NAT this is fixed, as he configures his private interfaces in the inside NAT domain, so for traffic flowing between inside or between outside interfaces there is no NAT. Exactly what he wants.

Regards,

Cristian Matei.
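As an added illustration of the explanation above (example code, not part of the thread), the following Python model encodes the two NAT behaviours as Cristian describes them, using the thread's addresses and the static 10.0.0.2:22 to 99.80.10.233:2222 entry; the simplified translation rules and the interface sets are assumptions of the model, not IOS internals.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str  # interface the packet arrives on
    egress: str   # interface it is routed out of


# The thread's static entry: inside 10.0.0.2:22 <-> global 99.80.10.233:2222.
STATIC_LOCAL = ("10.0.0.2", 22)
STATIC_GLOBAL = ("99.80.10.233", 2222)
NAT_ENABLED = {"GigabitEthernet8", "Vlan10", "Vlan20"}  # all carry 'ip nat enable'
INSIDE, OUTSIDE = {"Vlan10", "Vlan20"}, {"GigabitEthernet8"}  # domain-based layout


def nvi_translate(p):
    """Domainless (NVI) NAT as modelled here: the static entry applies whenever a
    packet moves between any two NAT-enabled interfaces, in either direction."""
    if p.ingress in NAT_ENABLED and p.egress in NAT_ENABLED:
        if (p.src, p.sport) == STATIC_LOCAL:
            return replace(p, src=STATIC_GLOBAL[0], sport=STATIC_GLOBAL[1])
        if (p.dst, p.dport) == STATIC_GLOBAL:
            return replace(p, dst=STATIC_LOCAL[0], dport=STATIC_LOCAL[1])
    return p


def domain_translate(p):
    """Domain-based NAT: rewrite the source only inside->outside and the
    destination only outside->inside; inside->inside is never touched."""
    if p.ingress in INSIDE and p.egress in OUTSIDE and (p.src, p.sport) == STATIC_LOCAL:
        return replace(p, src=STATIC_GLOBAL[0], sport=STATIC_GLOBAL[1])
    if p.ingress in OUTSIDE and p.egress in INSIDE and (p.dst, p.dport) == STATIC_GLOBAL:
        return replace(p, dst=STATIC_LOCAL[0], dport=STATIC_LOCAL[1])
    return p


def handshake_ok(translate):
    """192.168.0.2 (Vlan20) sends a SYN to the real address 10.0.0.2:22 (Vlan10).
    The handshake completes only if the SYN-ACK returns from the address and
    port the client actually sent the SYN to."""
    syn = Pkt("192.168.0.2", 40000, "10.0.0.2", 22, "Vlan20", "Vlan10")
    syn_fwd = translate(syn)
    # The server answers whatever 5-tuple it saw, with src and dst swapped.
    syn_ack = Pkt(syn_fwd.dst, syn_fwd.dport, syn_fwd.src, syn_fwd.sport, "Vlan10", "Vlan20")
    syn_ack_fwd = translate(syn_ack)
    return (syn_ack_fwd.src, syn_ack_fwd.sport) == (syn.dst, syn.dport)


def nvi_result():
    return handshake_ok(nvi_translate)     # False: SYN-ACK arrives from 99.80.10.233:2222


def domain_result():
    return handshake_ok(domain_translate)  # True: inside-to-inside is left untranslated
```

Under the NVI rules the SYN passes untouched but the SYN-ACK is source-translated, which is exactly the half-translated session described above.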

Hello @Cristian Matei

Thanks for the feedback and I do understand, but as I have stated, mate, if the OP confirmed he wants to access a host via external and internal then, NVI or domain NAT, I do think there is a possible way incorporating either domain (depending on IOS version) or NVI NAT, either with some hairpinning (I'll probably need to lab it). However, if it isn't, then as you stated, domain NAT is the correct solution.

Kind Regards
Paul

Hi Cristian,

Please tell me a way I can SSH to 99.80.10.233 from IP 192.168.0.10 in Vlan 20, as outside to inside does not seem to work with the config you provided. I even tried it on a different router.

The actual purpose is to make both inside to inside and outside to inside work using multiple VLANs.

Please let me know.

Hi,

The below was your initial statement: "There is no problem connecting to the SSH port from the same Vlan10 or through the public IP. I want to access the SSH port from Vlan20 using the internal IP instead of the public IP."

With the config I provided you, which works (unless you have some other settings which you have not posted and may affect the functionality), traffic coming inbound on Gi8 (from the Internet, let's say) should be using the public IP as destination in order to get access, while traffic coming inbound on VLAN 20 should be using the private IP as destination in order to get access. This is what you requested, isn't it?

Regards,

Cristian Matei.

Hello

@mustafa.chapal wrote:
"Please tell me a way how can I SSH 99.80.10.233 from IP 192.168.0.10 in Vlan 20 as outside to inside does not seem to work"

So you wish to access, internally, other internal hosts via their NATted public address? If so, then you'll need to NAT hairpin for those internal subnets. Please confirm?

Kind Regards
Paul

Hi Paul,

I want to access the NATted host via its internal as well as external IP from another VLAN.

For example, user 192.168.0.2 in VLAN 20 should be able to access the host in the following ways.

ssh -l root 10.0.0.2
ssh -l root 99.80.10.233 -p2222

@Cristian Matei I apologize for the confusion in my initial question. I meant to say that a user, for example 192.168.0.2 in VLAN 20, should be able to SSH to the forwarded host via its internal IP 10.0.0.2 as well as the NATted public address 99.80.10.233 and port 2222. Also, I have provided the complete configuration in my previous message.

Thank you

Hello
Not so sure why you want to access the host via the public NATted address and its internal address internally; however, depending on your IOS software I think it's applicable.

Below is a possible solution using NVI NAT; however, depending on your IOS version you may be able to do this with domain NAT also.

Example:

no route-map 1
no access-list 1
no access-list 2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
no ip nat source route-map 1 interface GigabitEthernet8 overload

int loopback 100
 ip address 169.254.1.1 255.255.255.255
 ip nat enable

interface GigabitEthernet8
 ip address 99.80.10.233 255.255.255.248
 no ip redirects
 no ip nat outside
 ip nat enable

interface Vlan10
 ip address 10.0.0.1 255.255.255.0
 ip redirects
 ip nat enable

interface Vlan20
 ip address 192.168.0.1 255.255.255.0
 ip redirects
 ip nat enable

ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any

! Hairpin ACL: Vlan20 hosts (192.168.0.0/24) reaching the forwarded host
ip access-list extended NAT-PIN
 permit ip 192.168.0.0 0.0.0.255 host 10.0.0.2

ip nat source static tcp 10.0.0.2 22 interface GigabitEthernet8 22
ip nat source list NAT interface GigabitEthernet8
ip nat source list NAT-PIN interface loopback 100
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 99.80.10.xxxx

Kind Regards
Paul