07-17-2007 03:13 PM - edited 03-03-2019 05:54 PM
Hi (I am a Cisco newbie, as I am a Solaris SCM by trade, so forgive my lack of knowledge).
I have a Cisco 837 Router with ADSL (dynamic) configured on it. I have a solaris box and a linux box on the network (both listening to non-standard ssh ports) and want to access them from my office via PuTTY.
I have been unsuccessful in configuring the router to forward any requests from the outside to either of these machines on the inside. Basically I want (for example) the outside request (I use the current IP using ddns) at port 10022 to be forwarded to the machine inside the network at 10.10.10.6:10022 - sounds simple, and my old Linksys had no problems with this. I have had our Cisco guy from work spend an evening trying to resolve it, but alas even he is flummoxed!
(all systems inside have static ips and all in one subnet).
Rachel (pulling hair out)
Solved! Go to Solution.
07-18-2007 10:19 AM
Try with this. Obviously you need to put usernames and passwords...
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ARAGORN
!
logging queue-limit 100
no logging buffered
enable secret 5 ********
!
username ******** privilege 15 password 7 ********
username ******** privilege 15 password 7 ********
username ******** privilege 15 secret 5 ********
username ******** privilege 15 secret 5 ********
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
ip domain name middleearth.org
ip name-server 195.244.192.66
ip name-server 195.244.192.6
ip dhcp excluded-address 10.10.10.25
ip dhcp excluded-address 10.10.10.1 10.10.10.29
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.40 10.10.10.254
ip dhcp excluded-address 10.10.10.21
!
ip dhcp pool CLIENT
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 195.244.192.66
lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description $ETH-LAN$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1400
hold-queue 100 out
!
interface ATM0
no ip address
no atm traffic-shaping
no atm cell-clumping-disable
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip nat outside
ip flow ingress
encapsulation ppp
ip tcp adjust-mss 1400
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ********@********.********
ppp chap password 7 ********
ppp pap sent-username ********@********.******** password 7 ********
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.6 10022 interface Dialer1 10022
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip http server
ip http access-class 1
no ip http secure-server
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=16
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
banner login ^C ****** Welcome to Middle Earth ******^C
banner motd ^C
Logged on to: ARAGORN.
This system is not for unauthorised users.
All access is logged.....
^C
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end
07-17-2007 03:40 PM
Hi,
that would be:
ip nat source static tcp
Then boast NetPro's power to the coworker :)
Hope this helps, please rate post if it does!
07-17-2007 04:40 PM
I must possibly amend my post above, because if your ISP is using PPPoE, you should put "dialer0" instead of ATM0, and if it is using "bridged 1483", you should put BVI1.
Basically, you put the interface that gets a public IP address one way or another !
07-17-2007 10:22 PM
Ok, when I attempt to enter that line, IOS complains about the 'Invalid input detected ...' right at the 'source' part. Doing the 'ip nat ?' gives me the following options:
Stateful
inside
log
outside
pool
service
translation
(I have tried 'inside' - probably wrong, but it does not work anyways).
? confused here (IOS 12.2(13)ZH2) - the connection is PPPoA(AAL5MUX) Dynamic IP - ATM0 shows 'no ip address' and Dialer1 is 'ip address negotiated'..... weep
07-17-2007 11:53 PM
Hi Rachel,
your statement should be:
ip nat inside source static tcp PrivateIP 10022 interface dialer 1 extendable
And review the access-list in the Dialer 1 to permit this traffic.
Regards,
Olaf
07-18-2007 12:47 AM
Thanks - Unfortunately in my 'tinkering' I have hardened the router to the extent that it's not accepting my telnet, ssh or SDM connections from the office - not a biggie as I will fix that when I get home tonight and then try your suggested nat setting.
Cheers - will let you know how it works out.
Rachel
07-18-2007 03:13 AM
Correct, my post wasn't made in full control of typing evidently. But NetPros still rule :)
07-18-2007 09:35 AM
Ok I have control of my router back (will return to hardening it later).
I have this entry now
ip nat inside source static tcp 10.10.10.6 10023 interface Dialer1 10023
and access-list 106 permit tcp any eq 10023 any eq 10023 log
It still does not function (and I have no Cisco guy tonight to help me) - (not doing badly, as this is my first time with Cisco kit) : )
You mention review the access list for Dialer1 - I am unsure as to what I need to add to that (or do I need a new rule) and how to ensure that it is applied to my NAT rule above?
any hints please?
Rachel
07-18-2007 09:47 AM
It would help if you can post a sanitized copy of the full router configuration.
Anyway can you modify the following entry in access list 106 to as follows and test.
access-list 106 permit tcp any any eq 10023 log
HTH
Sundar
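The difference between the two access-list entries above comes down to where the `eq` keyword sits: in an IOS extended ACL, a port qualifier that follows the source address applies to the client's source port, so `permit tcp any eq 10023 any eq 10023` only matches a client that happens to connect *from* port 10023 as well, which a normal SSH client (using an ephemeral source port) never does. Sundar's form constrains only the destination port. The following evaluator is an added example (not code from this thread) that parses both entries and walks a constructed packet through them using the IOS rules: top-down, first match wins, implicit deny at the end. The client and router addresses are constructed placeholders, and only `any`, `host`, wildcard-mask addresses and the `eq` port operator are handled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed samples: the two access-list entries proposed in this thread,
# written the way IOS prints them in a running-config.
RACHEL_ACE = ["access-list 106 permit tcp any eq 10023 any eq 10023 log"]
SUNDAR_ACE = ["access-list 106 permit tcp any any eq 10023 log"]


@dataclass
class Ace:
    number: int
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", ...
    src: object            # ip_network
    sport: Optional[int]   # None when there is no "eq" qualifier
    dst: object
    dport: Optional[int]


def _parse_addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks; only contiguous ones map to a prefix.
    wild = int(ip_address(tok[i + 1]))
    bits = wild.bit_length()
    if wild != (1 << bits) - 1:
        raise ValueError(f"non-contiguous wildcard {tok[i + 1]} not supported here")
    return ip_network((tok[i], 32 - bits), strict=False), i + 2


def _parse_port(tok, i):
    """Parse an optional 'eq N' qualifier (gt/lt/range are not handled here)."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one numbered extended ACE: access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line}")
    number, action, proto = int(tok[1]), tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)      # qualifier after SRC = source port
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)      # qualifier after DST = destination port
    return Ace(number, action, proto, src, sport, dst, dport)


def matches(ace, proto, src, sport, dst, dport):
    if ace.proto not in ("ip", proto):
        return False
    if ip_address(src) not in ace.src or ip_address(dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != sport:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return True


def evaluate(acl_lines, proto, src, sport, dst, dport):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if matches(ace, proto, src, sport, dst, dport):
            return ace.action
    return "deny"


if __name__ == "__main__":
    # Constructed client: OS-chosen ephemeral source port, placeholder public IP.
    packet = ("tcp", "203.0.113.5", 51234, "198.51.100.10", 10023)
    print("Rachel's entry:", evaluate(RACHEL_ACE, *packet))   # deny
    print("Sundar's entry:", evaluate(SUNDAR_ACE, *packet))   # permit
```

Whichever form is used, the entry only takes effect once the list is bound to the NAT outside interface with `ip access-group 106 in` under `interface Dialer1`; a list that is defined but never applied filters nothing.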
07-18-2007 10:05 AM
:( sorry to be such a burden, but none of the above (and below) statements are working :(
Here is my config (sanitised):
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxx
!
logging queue-limit 100
no logging buffered
enable secret 5 ********
!
username ******** privilege 15 password 7 ********
username ******** privilege 15 password 7 ********
username ******** privilege 15 secret 5 ********
username ******** privilege 15 secret 5 ********
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
ip domain name middleearth.org
ip name-server 195.x.x.66
ip name-server 195.x.x.6
ip dhcp excluded-address 10.10.10.25
ip dhcp excluded-address 10.10.10.1 10.10.10.29
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.40 10.10.10.254
ip dhcp excluded-address 10.10.10.21
!
ip dhcp pool CLIENT
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 195.x.x.66
lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description $ETH-LAN$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip tcp adjust-mss 1400
hold-queue 100 out
!
interface ATM0
no ip address
ip access-group 100 in
no atm traffic-shaping
no atm cell-clumping-disable
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip nat outside
ip flow ingress
encapsulation ppp
ip tcp adjust-mss 1400
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ********@********.********
ppp chap password 7 ********
ppp pap sent-username ********@********.******** password 7 ********
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
!
ip nat pool sshforward 10.10.10.6 10.10.10.6 netmask 255.255.255.252
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.6 10023 interface Dialer1 10023
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip http server
ip http access-class 1
no ip http secure-server
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 99 remark SDM_ACL Category=2
access-list 99 permit any log
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host ***.***.***.*** any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=16
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map forwardssh permit 10
match ip address 103
set ip next-hop 10.10.10.9
!
banner login ^C ****** Welcome to Middle Earth ******^C
banner motd ^C
Logged on to: ARAGORN.
This system is not for unauthorised users.
All access is logged.....
^C
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 101 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end
I can see now why my cisco guy was pulling his hair out last night lol
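The posted config contains several dangling references that a quick cross-check would surface before anyone starts guessing: `ip access-group 100 in` on Ethernet0 and ATM0 names an access-list that is never defined, the `forwardssh` route-map matches access-list 103 which does not exist either, the `sshforward` NAT pool is never used, access-list 106 is defined but never applied, and Dialer1 (the NAT outside interface carrying the static port forward) has no inbound access-group at all. The script below is an added example, not code from this thread or from Cisco: it runs over a constructed excerpt modelled on the config above (addresses and names mirror the thread; the excerpt itself is assembled here) and reports every access-list or pool that is referenced but undefined, defined but unused, and every `ip nat outside` interface that exposes a static NAT entry without an inbound filter.

```python
import re

# Constructed excerpt in the shape of the config posted above (trimmed).
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
!
interface ATM0
 no ip address
 ip access-group 100 in
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
ip nat pool sshforward 10.10.10.6 10.10.10.6 netmask 255.255.255.252
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.6 10023 interface Dialer1 10023
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
route-map forwardssh permit 10
 match ip address 103
 set ip next-hop 10.10.10.9
line vty 0 4
 access-class 101 in
"""

# Top-level lines that open an indented section in an IOS config.
SECTION_PREFIXES = ("interface ", "route-map ", "line ")


def parse_config(text):
    """Collect the definitions and references a cross-check needs."""
    st = {"acls": set(), "acl_refs": [], "pools": set(), "pools_used": set(),
          "static_nat": [], "inbound_acl": {}, "nat_outside": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            # Top-level line: either opens a section or is global config.
            section = line if line.startswith(SECTION_PREFIXES) else None
            if m := re.match(r"access-list (\d+) ", line):
                st["acls"].add(int(m.group(1)))
            elif m := re.match(r"ip nat pool (\S+)", line):
                st["pools"].add(m.group(1))
            elif m := re.match(r"ip nat inside source list (\d+)(?: pool (\S+))?", line):
                st["acl_refs"].append((int(m.group(1)), line))
                if m.group(2):
                    st["pools_used"].add(m.group(2))
            elif line.startswith("ip nat inside source static "):
                st["static_nat"].append(line)
            continue
        if section is None:
            continue
        where = f"{section}: {line}"
        if m := re.match(r"ip access-group (\d+) (in|out)", line):
            st["acl_refs"].append((int(m.group(1)), where))
            if m.group(2) == "in":
                st["inbound_acl"][section] = int(m.group(1))
        elif m := re.match(r"(?:match ip address|access-class) (\d+)", line):
            st["acl_refs"].append((int(m.group(1)), where))
        elif line == "ip nat outside":
            st["nat_outside"].add(section)
    return st


def audit(text):
    """Return a sorted list of findings; empty when every reference resolves."""
    st = parse_config(text)
    findings = []
    for num, where in st["acl_refs"]:
        if num not in st["acls"]:
            findings.append(f"undefined access-list {num} referenced by {where}")
    referenced = {num for num, _ in st["acl_refs"]}
    for num in sorted(st["acls"] - referenced):
        findings.append(f"access-list {num} is defined but never applied")
    for pool in sorted(st["pools"] - st["pools_used"]):
        findings.append(f"ip nat pool {pool} is defined but never used")
    if st["static_nat"]:
        for iface in sorted(st["nat_outside"] - set(st["inbound_acl"])):
            findings.append(f"{iface} is 'ip nat outside' with no inbound access-group; "
                            "static NAT port forwards are reachable from any source")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The undefined-ACL findings matter beyond tidiness: on IOS an `ip access-group` that names an access-list with no entries passes all traffic, so the `access-group 100` lines on Ethernet0 and ATM0 provide none of the filtering the earlier "hardening" was meant to add, and the only thing standing in front of the forwarded port is whatever is eventually bound inbound on Dialer1.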
07-18-2007 09:49 AM
Hi,
You should have another statement like:
ip nat inside source list 106 dialer1 overload
Correct? That would be allowing access to the internet from inside to outside.
If so, please change the ACL as:
no access-list 106
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
07-18-2007 10:02 AM
Hi Rachel,
Do you advise that your statements are for port 10023?
In your first post you talk about port 10022?
Anyway...
Can you post your running config?
# show running-config
In your interface dialer 1, you can see an entry:
ip access-group
?
This number is the access-list that is applied on interface dialer 1.
You should copy your actual access-list from your running-config to Notepad and insert a statement at the beginning:
access-list
Now, copy all statements from Notepad (with the new one inserted). Delete your actual access-list
(conf)# no access-list
and paste the clipboard, checking that the last statement is inserted by pressing Enter.
Regards,
Olaf
07-18-2007 10:38 AM
Hmmmm the plot thickens....
I have applied this config and the router has reloaded ok. I am still unable to reach my inside machine.
Upon nosing a little through your changes, I went to see what access-group 100 was and found that it does not exist on my router!
how on earth can I put it back in (or should I do a factory reset and then apply this config again?)
thanks (You guys are all ANGELS and uber-techs for replying so quick and having patience thus far) x x x
Rachel
07-18-2007 10:53 AM
I saw that no access-group is applied in dialer 1. Don't worry, security later.
Can you put the output of:
show ip nat translations
Can you access ssh to your server from the inside network at port 10022?
Regards,
Olaf