No Telnet after NAT outside

Paul Smith
Level 1

I used to be able to Telnet through my WAN interface during the configuration of my 871 router before I set up nat outside. I can still Telnet and SSH from an internal address. Now I am getting failed connections for both Telnet and SSH through the WAN interface. NATing now works fine for internal hosts. I previously had a static IP on my WAN interface, now I have DHCP. Could this be the reason? I can ping the WAN IP. Nothing has changed in the VTY settings.


John Blakley
VIP Alumni

Can you post the nat config? In your acl, did you specify your subnets allowed to any like:

permit ip 192.168.1.0 0.0.0.255 any

or did you allow everything?

permit ip any any


The second can cause issues and we recommend always allowing only specified addresses in the acl.

HTH,

John

HTH, John *** Please rate all useful posts ***

How did you know I did an allow all? :) Very clever. Yes, I did it to try and resolve another issue because it wasn't NATing (later turned out to be the default gateway on my laptop). Do you think I should change the acl to the vlan addresses only? Here is my config:

Christian#sh run
Building configuration...

Current configuration : 2045 bytes
!
! Last configuration change at 23:17:03 bris Wed Nov 12 2014 by paul
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Christian
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxxxxxx
!
username paul privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx.
username pauladm privilege 15 password 0 xxxxxxxxxxxxx
username name
clock timezone bris 10
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool lan
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.100
   dns-server 192.168.2.200
!
!
ip name-server 192.168.2.200
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.100 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip classless
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 permit any
cdp timer 59
cdp holdtime 179
!
!
control-plane
!
banner exec ^CWelcome to the inner sanctum.^C
banner login ^C Please proceed if you are worthy.^C
banner motd ^CPaul Smith's Cisco 871 Router.^C
!
line con 0
 exec-timeout 120 20
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 session-timeout 1000
 timeout login response 300
 privilege level 15
 password vtypassword
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
ntp authenticate
ntp clock-period 17175031
ntp server 27.54.95.11
end

When allowing everything like that, it tries to translate the wan interface too. When you specify just your internal addresses, you're telling the router that those are the only addresses to translate and to not touch anything else. I would recommend changing the acl :)

no access-list 1

access-list 1 permit 192.168.1.0 0.0.0.255

That should fix it...

HTH,

John

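As an added example (not part of the thread or of any Cisco tool), a small Python checker that applies John's rule to a running-config dump: it finds the ACL referenced by `ip nat inside source list`, collects the subnets of the interfaces marked `ip nat inside`, and flags any permit entry that reaches outside them. On the config posted above `permit any` is reported, while the scoped `permit 192.168.1.0 0.0.0.255` passes; the config strings in the block are constructed excerpts of that posted config.

```python
import ipaddress
import re
def nat_inside_subnets(cfg):
    """Subnets of every interface stanza that carries `ip nat inside`."""
    nets = []
    for body in re.findall(r"^interface \S+\n((?: .*\n)*)", cfg, re.M):
        m = re.search(r"^ ip address (\S+) (\S+)$", body, re.M)  # `ip address dhcp` has no mask: skipped
        if m and re.search(r"^ ip nat inside$", body, re.M):
            nets.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
    return nets

def entry_network(spec):
    """Standard-ACL source spec -> IPv4Network, or None for a non-contiguous wildcard."""
    parts = spec.split()
    if parts == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(f"{parts[1]}/32")
    wild = int(ipaddress.IPv4Address(parts[1] if len(parts) > 1 else "0.0.0.0"))
    if wild & (wild + 1):                           # contiguous wildcards are 2**k - 1
        return None
    return ipaddress.ip_network((parts[0], 32 - wild.bit_length()), strict=False)

def overbroad_nat_entries(cfg):
    """(acl_name, [(spec, reason)]) for NAT-ACL permits not confined to the inside subnets."""
    m = re.search(r"^ip nat inside source list (\S+) ", cfg, re.M)
    if not m:
        return None, []
    acl, inside, findings = m.group(1), nat_inside_subnets(cfg), []
    for spec in re.findall(rf"^access-list {re.escape(acl)} permit (.+)$", cfg, re.M):
        net = entry_network(spec)
        if net is None:
            findings.append((spec, "non-contiguous wildcard; verify by hand"))
        elif not any(net.subnet_of(n) for n in inside):
            findings.append((spec, "matches addresses outside the ip nat inside subnets"))
    return acl, findings

# Constructed excerpt of the config posted above (WAN on FastEthernet4 via DHCP).
BASE = """interface FastEthernet4
 ip address dhcp
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.100 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet4 overload
"""
AS_POSTED = BASE + "access-list 1 permit any\n"                    # translates everything, WAN included
AS_FIXED = BASE + "access-list 1 permit 192.168.1.0 0.0.0.255\n"  # the scoped ACL from the accepted answer
```

Run `overbroad_nat_entries(AS_POSTED)` and `overbroad_nat_entries(AS_FIXED)` to compare the two; an empty findings list means every translated source sits inside an `ip nat inside` subnet.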

Yep it sure fixed it. Just tested. Thank you John for your Jedi advice.

hehe..you're very welcome :)
