08-18-2014 03:51 PM - edited 03-04-2019 11:33 PM
I have had a (mostly) working config on an 871W for the past 5 months or so. The goal setup for this LAN is to permit various inside clients access to the world (this works; mostly) and permit outside clients http (80) from anyone and ssh (2222) from my remote host server. That's what you should see here, but it isn't working.
I tried to use CCP to cobble together a quick config. But after 3 hours yesterday, CCP zapped my startup-config. Now after another 6 hours I'm back at it.
Below is the relevant block (mixed in with the preexisting rules from the mostly running config; see above link for full config). I set up an ACL for the interface. I added a Standard ACE rule to permit my host access and block everyone else. I made a NAT Pool of one (representing my server). And finally added a Dynamic Outside-to-Inside NAT Rule which connects the ACL to the NAT Pool. (I expected to designate only SSH in the NAT Rule so the "permit host, deny everyone else" rule would make more sense, but that didn't seem to happen the way I expected.)
What's missing? Is this the right way to go? I'd happily accept links to CLI tutorials/videos, or not too abbreviated code blocks I can copy and paste and telnet into the startup-config, or 871-specific prescriptions, or simple fixes. Whatever!
[...]
ip nat pool mrwizard 192.168.10.100 192.168.10.100 netmask 0.0.0.255
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source list 102 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.10.100 80 interface FastEthernet4 80
ip nat outside source list 1300 pool mrwizard
!
ip access-list extended vlan1
 deny ip 10.0.0.0 0.0.0.255 any
 permit ip any any
!
access-list 1300 remark Allow My Remote Host SSH
access-list 1300 remark CCP_ACL Category=3
access-list 1300 remark My remote host.
access-list 1300 permit [my remote host TCPIP]
access-list 1300 remark Deny everyone else
access-list 1300 deny any
access-list 100 permit udp any any eq bootpc
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
!
[...]
08-19-2014 02:19 PM
Hello. You don't need both ACL 101 and 102; you can use a single ACL or a route map to allow outbound (browsing) traffic, just ensure that all the networks you want to allow out are specified in the ACL. Your NAT statement to allow inbound traffic to 192.168.10.100 on port 80 is fine. However, you don't need the last or first NAT statement in your post.
Not quite sure what you are looking for with the other NAT on port 2222. Are you looking to SSH to the server from the Internet on port 2222? If so then you need the following rule:
ip nat inside source static tcp 192.168.10.100 22 interface FastEthernet4 2222
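The static NAT above publishes SSH on 2222 to every address on the Internet; the "only my remote host" restriction the original post wanted has to come from an ACL on the outside interface. This is an added example, not config from the thread or from Cisco; it assumes FastEthernet4 is the outside interface with a DHCP-assigned address, Vlan1 is inside, and uses the documentation address 203.0.113.10 as a placeholder for the remote host.

```cisco
! Added example, not from the thread. Placeholder: 203.0.113.10 = remote host.
!
! --- Weak: the static NAT alone exposes SSH on 2222 to the whole Internet ---
ip nat inside source static tcp 192.168.10.100 22 interface FastEthernet4 2222
!
! --- Hardened: keep the static NAT, filter inbound on the outside interface ---
! Outside->inside packets hit the inbound ACL before NAT is applied, so the
! ACL matches the outside (pre-translation) port 2222, not the inside port 22.
ip access-list extended OUTSIDE_IN
 remark SSH (2222) only from the remote host
 permit tcp host 203.0.113.10 any eq 2222
 remark Web server reachable from anywhere
 permit tcp any any eq 80
 remark DHCP lease traffic for the outside interface itself
 permit udp any eq bootps any eq bootpc
 remark Everything else inbound is dropped and logged
 deny ip any any log
!
! Classic IOS firewall (CBAC) tracks sessions started from inside and opens
! the return path through OUTSIDE_IN, so outbound browsing and DNS keep working.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
interface FastEthernet4
 ip access-group OUTSIDE_IN in
 ip inspect OUTBOUND out
```

Verify with `show ip access-lists OUTSIDE_IN` (hit counts on the 2222 and deny lines) and `show ip nat translations` after connecting from the permitted host.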