11-12-2014 06:40 PM - edited 03-05-2019 12:09 AM
I used to be able to Telnet through my WAN interface during the configuration of my 871 router before I set up nat outside. I can still Telnet and SSH from an internal address. Now I am getting failed connections for both Telnet and SSH through the WAN interface. NATing now works fine for internal hosts. I previously had a static IP on my WAN interface, now I have DHCP. Could this be the reason? I can ping the WAN IP. Nothing has changed in the VTY settings.
11-13-2014 03:32 AM
Can you post the NAT config? In your ACL, did you specify your subnets allowed to any, like:
permit ip 192.168.1.0 0.0.0.255 any
or did you allow everything?
permit ip any any
The second can cause issues, and we recommend always allowing only specified addresses in the ACL.
HTH,
John
11-13-2014 03:52 AM
How did you know I did an allow all? :) Very clever. Yes, I did it to try and resolve another issue because it wasn't NATing (later turned out to be the default gateway on my laptop). Do you think I should change the ACL to the VLAN addresses only? Here is my config:
Christian#sh run
Building configuration...
Current configuration : 2045 bytes
!
! Last configuration change at 23:17:03 bris Wed Nov 12 2014 by paul
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Christian
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxxxxxx
!
username paul privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx.
username pauladm privilege 15 password 0 xxxxxxxxxxxxx
username name
clock timezone bris 10
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.100
dns-server 192.168.2.200
!
!
ip name-server 192.168.2.200
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.100 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip classless
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 permit any
cdp timer 59
cdp holdtime 179
!
!
control-plane
!
banner exec ^CWelcome to the inner sanctum.^C
banner login ^C Please proceed if you are worthy.^C
banner motd ^CPaul Smith's Cisco 871 Router.^C
!
line con 0
exec-timeout 120 20
login local
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
session-timeout 1000
timeout login response 300
privilege level 15
password vtypassword
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
ntp authenticate
ntp clock-period 17175031
ntp server 27.54.95.11
end
11-13-2014 04:08 AM
When allowing everything like that, it tries to translate the WAN interface too. When you specify just your internal addresses, you're telling the router that those are the only addresses to translate and not to touch anything else. I would recommend changing the ACL :)
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255
That should fix it...
HTH,
John
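The point of John's fix is that `access-list 1` decides which source addresses the `ip nat inside source list 1 ... overload` rule applies to, and the difference between `permit any` and `permit 192.168.1.0 0.0.0.255` comes down to how IOS wildcard (inverse) masks are evaluated. The following is an added illustration, not code from the thread or from Cisco: a small evaluator for standard-ACL lines that applies the wildcard-mask rule (a 1 bit in the mask means "don't care", a 0 bit must match) with the implicit deny at the end. It checks the two ACLs from this thread against a LAN host and against a constructed WAN address (203.0.113.5, from the documentation range; the poster's real DHCP address is not in the thread), and also shows that a wildcard mask, unlike a subnet mask, does not have to be contiguous.

```python
"""Standard-ACL matching the way IOS wildcard masks work (illustration only)."""
import ipaddress

# ACL as posted in the thread, and John's corrected version.
ORIGINAL_ACL = ["access-list 1 permit any"]
FIXED_ACL = ["access-list 1 permit 192.168.1.0 0.0.0.255"]

# Constructed sample addresses (not from the thread):
# 203.0.113.5 stands in for the DHCP-assigned WAN address on FastEthernet4.
WAN_ADDRESS = "203.0.113.5"
LAN_HOST = "192.168.1.57"


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse) mask: 1 bits are 'don't care', 0 bits must match.

    The mask need not be contiguous, so 0.0.254.255 matches every address
    whose third octet has the same low bit as the base (odd vs. even).
    """
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_standard_acl(config_lines):
    """Parse 'access-list <n> permit|deny any|host A.B.C.D|A.B.C.D [wildcard]' lines.

    Returns ordered (action, base, wildcard) tuples; other config lines are skipped.
    """
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, src = parts[2], parts[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected action in ACL line: {line!r}")
        if src == "any":
            base, wild = "0.0.0.0", "255.255.255.255"
        elif src == "host":
            base, wild = parts[4], "0.0.0.0"
        else:
            # A bare address with no wildcard is treated as a host entry.
            base = src
            wild = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((action, base, wild))
    return entries


def acl_permits(entries, addr: str) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny any'."""
    for action, base, wild in entries:
        if wildcard_match(addr, base, wild):
            return action == "permit"
    return False


def compare_acls(addrs):
    """For each address, report whether the original and the fixed ACL select it."""
    original = parse_standard_acl(ORIGINAL_ACL)
    fixed = parse_standard_acl(FIXED_ACL)
    return {a: (acl_permits(original, a), acl_permits(fixed, a)) for a in addrs}


if __name__ == "__main__":
    for addr, (orig, fixed) in compare_acls([LAN_HOST, WAN_ADDRESS]).items():
        print(f"{addr:>15}  permit any -> {orig}   permit 192.168.1.0/0.0.0.255 -> {fixed}")
    # Non-contiguous wildcard: matches odd third octets only.
    print(wildcard_match("10.0.3.1", "10.0.1.0", "0.0.254.255"),
          wildcard_match("10.0.4.1", "10.0.1.0", "0.0.254.255"))
```

With `permit any` the WAN address is selected just like every LAN host; with the corrected list only 192.168.1.0/24 is selected and the WAN address falls through to the implicit deny, which is the behaviour John describes. The same `wildcard_match` is what a standard ACL applied with `access-class` on the VTY lines would use, so the evaluator is also a quick way to sanity-check a wildcard mask before pasting it into a router.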
11-13-2014 04:53 AM
Yep it sure fixed it. Just tested. Thank you John for your Jedi advice.
11-13-2014 05:03 AM
hehe..you're very welcome :)