Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
541
Views
0
Helpful
2
Replies

NAT statements & SSH access

parkbenchit
Level 1
Level 1

‎11-17-2015 03:36 AM - edited ‎03-05-2019 02:45 AM

Router is a recent C887VA running 15.3

When I have my NAT statements in place for ports 80 and 443, I have no external SSH access. It actively refuses my connection.

If I remove these 2 lines (154 and 155 in the attached txt file)

ip nat inside source static tcp 192.168.62.12 80 <WAN IP> 80 extendable
ip nat inside source static tcp 192.168.62.12 443 <WAN IP> 443 extendable

and reload, I have external SSH access. If I add them back, I still have external SSH access. If I then reload - no external SSH.

I don't lose internal (either from a device inside the LAN or if I come down the Tunnel) SSH at any point.

IP addresses don't change (router WAN, mine)

crypto key generate rsa has been done (and redone) - but as I always have internal SSH I don't think that's the issue.

I'm connecting using Putty and SSH1 preferred

2 questions:

a. What do I need to do to get permanent external SSH access?

b. More importantly - why? I thought I understood PAT & NAT - but clearly I'm missing something - if I could be pointed in the right direction of further reading - that'd be helpful.

Full (redacted) config is attached

Labels:
Preview file
5 KB
0 Helpful
2 Replies 2

Karsten Iwen
VIP
VIP

‎11-17-2015 06:54 AM

These problems are typically related to the NAT overload that is configured:

ip nat inside source list 1 interface Dialer0 overload

Remove the above line and replace it with the following:

ip access-list extended NAT
 deny ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
!
ip nat inside source list NAT interface Dialer0 overload

0 Helpful

parkbenchit
Level 1
Level 1
In response to Karsten Iwen

‎11-27-2015 08:07 AM

thanks for this - I've put this in place and rebooted - but with no change in behaviour

I suppose I could do this

ip nat inside source static tcp 192.168.62.1 22 interface [wan facing interface] 22

and then put an access list in place to restrict external SSH access to only IP's I trust

I understand why forwarding onto the internal interface should resolve - but I don't (yet) understand why implementing port-forwarding for 80&443 causes previously working SSH access to then refuse me.

Suggestions / pointers in the right direction would be most welcome...

thanks

0 Helpful
Customers Also Viewed These Support Documents