645 Views | 0 Helpful | 3 Replies

Cannot access router due to router Natting SSH return connection

carl_townshend
Spotlight

Hi All

We have had some issues whereby we cannot SSH to a router when we have PAT enabled.

I can see the router is trying to NAT the return connection back and so doesn't work.

The fix was to deny NAT from the routers public IP back to me.

Any ideas why this is happening?

Many thanks


3 Replies

Giuseppe Larosa
Hall of Fame

Hello Carl,

Without seeing your PAT configuration, including the involved ACLs, it is difficult to say anything meaningful.

Also it would help to know the model of router and the IOS image running on it.

So the output of show version would also be nice to have.

In theory, NAT operation is triggered by traffic going from a NAT inside interface to a NAT outside interface.


Hope to help

Giuseppe


Hi

ip access-list extended NAT
deny ip 172.20.X.X 0.0.255.255 172.16.0.0 0.X.255.255
remark NO NAT RULE AND NAT FOR INTERNET
deny ip host 125.X.X.X any
permit ip any any

int gig 0/0/1
ip nat inside

int gig 0/0/0
ip nat outside


ip nat inside source list NAT interface GigabitEthernet0/0/0 overload


Cisco IOS XE Software, Version 16.06.03

ISR4331/K9


Hello Carl,

Using an ACL statement with permit ip any any is not recommended.

You know your internal network(s); that line should be something like


permit ip 172.20.0.0 0.0.255.255 any


This way you wouldn't need the specific line before:

deny ip host 125.X.X.X any


Hope to help

Giuseppe
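To make the two points in this thread concrete (the router's own return SSH traffic being caught by the NAT ACL, and why a source-scoped permit line removes the need for the host deny), here is an added example that evaluates a NAT ACL the way IOS does: first match wins, with an implicit deny at the end, and a source that matches a permit entry is a candidate for translation by ip nat inside source list. This is illustrative code written for this page, not Cisco code or anything from the original posts. All addresses are constructed from the RFC 5737 documentation ranges: 203.0.113.1 stands in for the router's public IP (125.X.X.X on the page), 198.51.100.7 for the admin's host, 192.0.2.50 for an Internet host, and the 0.0.255.255 wildcard on the 172.16.0.0 line is an assumed value for the "0.X.255.255" that the post elides.

```python
import ipaddress

# --- Cisco wildcard-mask helpers -------------------------------------------

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def parse_ace_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W').

    Returns ((base, wildcard), remaining_tokens).
    """
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str):
    """Parse 'permit/deny ip SRC DST' lines of an extended ACL; remarks are ignored."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = parse_ace_addr(tokens[2:])
        dst, _ = parse_ace_addr(rest)
        entries.append((action, proto, src, dst))
    return entries


def acl_decision(entries, src: str, dst: str) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, _proto, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def nat_applies(acl_text: str, src: str, dst: str) -> bool:
    """True when a packet src->dst matches a permit entry of the NAT ACL,
    i.e. it is a candidate for translation by 'ip nat inside source list'."""
    return acl_decision(parse_acl(acl_text), src, dst) == "permit"


# --- Constructed ACL variants (addresses are RFC 5737 placeholders) ----------

# The ACL as the poster says it looked before the fix: permit ip any any at the end.
BROAD_ACL = """
deny ip 172.20.0.0 0.0.255.255 172.16.0.0 0.0.255.255
remark NO NAT RULE AND NAT FOR INTERNET
permit ip any any
"""

# The poster's workaround: an explicit deny for the router's public IP.
HOST_DENY_ACL = """
deny ip 172.20.0.0 0.0.255.255 172.16.0.0 0.0.255.255
remark NO NAT RULE AND NAT FOR INTERNET
deny ip host 203.0.113.1 any
permit ip any any
"""

# The suggestion in the reply: only permit the known inside network as a source.
TIGHTENED_ACL = """
deny ip 172.20.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit ip 172.20.0.0 0.0.255.255 any
"""

ROUTER_PUBLIC = "203.0.113.1"   # constructed stand-in for 125.X.X.X
ADMIN_HOST = "198.51.100.7"     # constructed: where the SSH session comes from
INSIDE_HOST = "172.20.5.10"     # constructed: a LAN host behind PAT
INTERNET_HOST = "192.0.2.50"    # constructed: some Internet destination
REMOTE_SITE = "172.16.1.1"      # constructed: host in the no-NAT range


if __name__ == "__main__":
    for name, acl in (("broad", BROAD_ACL), ("host-deny", HOST_DENY_ACL), ("tightened", TIGHTENED_ACL)):
        print(f"{name:10} router->admin (SSH return): NAT={nat_applies(acl, ROUTER_PUBLIC, ADMIN_HOST)}")
        print(f"{name:10} inside->internet:            NAT={nat_applies(acl, INSIDE_HOST, INTERNET_HOST)}")
        print(f"{name:10} inside->remote site:         NAT={nat_applies(acl, INSIDE_HOST, REMOTE_SITE)}")
```

Running it shows the symptom and both fixes side by side: with the broad ACL the router's own return traffic towards the admin host matches permit ip any any, with the host deny it is excluded by the extra line, and with the tightened ACL it never matches because the router's public address is not inside 172.20.0.0/16, so no special-case deny is needed. Note that this only models ACL matching; whether a given IOS XE release submits router-originated traffic to the NAT ACL at all is the question the thread leaves open.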