Telnet and SSH stopped working after configuring static NAT on router

djulien357
Level 1

Hi everyone,

I am having a weird problem with my edge routers. Everything was working perfectly before I configured NAT forwarding, but the second it was implemented the router stopped allowing incoming telnet and SSH sessions from the internet. I have added an access-list allowing telnet and SSH to the interface facing the internet, but no go. I turned on debug and tried telnetting to the router, but for some reason the router is still not allowing the session even though an access-list is allowing telnet and SSH, so debug is not reporting anything being initiated. Has anyone experienced a similar problem before?

16 Replies

cadet alain
VIP Alumni

Hi,

Did you NAT forward the telnet and SSH traffic leaving the external port as the default? In which case, can you modify your static PAT to use another port as the external port and tell us if it works afterwards?

Regards

Alain

Don't forget to rate helpful posts.

Hi Alain,

Thank you for the reply. Before posting my question I did try doing a NAT forward to the inside interface using ports 1022 and 1023 on the WAN interface (outside), forwarding to ports 22 and 23 on the LAN interface (inside). I even tried to forward it to a loopback interface as well, but no joy. That's why I decided to write the ACLs. Again, this is a weird one.

Hi,

could you post your sanitized config ?

Regards

Alain

Don't forget to rate helpful posts.

I agree with Alain that it would help if we could see the config. In particular I am interested in how the address translation was set up and whether it uses an extended access list that permits something to any. I have seen situations where telnet and SSH access was impacted when address translation used an ACL that included the any parameter in the permit statement.

HTH

Rick

Ok guys,

Below is the config. I had to change the IP addresses for security purposes, but this should still give you an idea of how the router is configured.

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXX-RTR01-A
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Dnm5$VdB8npWyjSfkt4zu/Xxgx.
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
!
ip domain name xxxx.com
ip name-server 1.1.1.1
login block-for 180 attempts 4 within 60
login delay 5
login quiet-mode access-class telnet_access
no ipv6 cef
multilink bundle-name authenticated
!
ip ssh version 2
!
user device admin privilege 15 secret @@@@@@@@@
!
voice-card 0
!
crypto pki token default removal timeout 0
!
archive
 log config
  hidekeys
vtp mode transparent
!
track 1 ip sla 1 reachability
!
class-map match-any voice
 match protocol h323
!
policy-map voice
 class voice
  set dscp ef
!
interface FastEthernet0/0
 description uplink to Cbeyond Internet
 ip address 163.215.76.181 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed auto
 service-policy output voice
!
interface FastEthernet0/1
 description uplink Charter Internet
 ip address 204.108.10.69 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed auto
!
interface FastEthernet0/0/0
 description Inside LAN
 ip address 1.1.1.1 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map Miami
 duplex full
 speed auto
!
ip local policy route-map business_app_failover
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source static udp 1.1.1.5 500 interface FastEthernet0/0 500
ip nat inside source static udp 1.1.1.5 4500 63.215.76.186 4500 extendable
ip nat inside source route-map cbeyond interface FastEthernet0/0 overload
ip nat inside source route-map charter interface FastEthernet0/1 overload
ip nat inside source static tcp 1.1.1.10 21 163.215.76.182 21 extendable
ip nat inside source static tcp 1.1.1.10 80 163.215.76.182 80 extendable
ip nat inside source static tcp 1.1.1.10 443 163.215.76.182 443 extendable
ip nat inside source static tcp 1.1.1.11 443 163.215.76.183 443 extendable
ip nat inside source static tcp 1.1.1.12 80 163.215.76.184 80 extendable
ip nat inside source static tcp 1.1.1.13 80 163.215.76.185 80 extendable
ip nat inside source static tcp 1.1.1.13 8000 163.215.76.185 8000 extendable
ip nat inside source static tcp 1.1.1.5 25 163.215.76.186 25 extendable
ip nat inside source static tcp 1.1.1.5 110 163.215.76.186 110 extendable
ip nat inside source static tcp 1.1.1.5 22 163.215.76.186 1022 extendable
ip nat inside source static tcp 1.1.1.5 10000 163.215.76.186 10000 extendable
ip nat inside source static tcp 1.1.1.16 80 163.215.76.188 80 extendable
ip nat inside source static tcp 1.1.1.16 443 163.215.76.188 443 extendable
ip nat inside source static tcp 1.1.1.17 443 163.215.76.189 443 extendable
ip route 0.0.0.0 0.0.0.0 163.215.76.81 track 1
ip route 0.0.0.0 0.0.0.0 204.108.10.69 20
!
ip access-list standard telnet_access
 permit 1.1.1.5
 permit 1.1.1.30
 permit 216.7.100.92
!
ip access-list extended business-app
 permit ip host 1.1.1.5 any
ip access-list extended router-f
 permit ip any any
ip access-list extended users-traffic
 permit ip host 1.1.1.30 any
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface FastEthernet0/0
 threshold 2
ip sla schedule 1 life forever start-time now
logging esm config
access-list 110 permit ip 1.1.0.0 0.0.255.255 any
!
route-map Miami permit 10
 match ip address business-app
 set ip next-hop 163.215.76.181
!
route-map Miami permit 20
 match ip address users-traffic
 set ip next-hop 204.108.10.69
!
route-map Miami permit 30
!
route-map business_app_failover permit 10
 match ip address router-f
 set ip next-hop verify-availability 8.8.8.8 10 track 1
 set ip next-hop 204.108.10.69
!
route-map cbeyond permit 10
 match ip address 110
 match interface FastEthernet0/0
!
route-map charter permit 10
 match ip address 110
 match interface FastEthernet0/1
!
control-plane
!
mgcp profile default
!
line con 0
line aux 0
line vty 0 4
 access-class telnet_access in
 password 7 xxxxxxxxxxxxxxx
 login
 transport input all
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 98.175.203.200
end

Here is the access list that you are using for address translation

access-list 110 permit ip 1.1.0.0 0.0.255.255 any

I suggest that you change it and make it a standard access list, perhaps

access-list 10 permit 1.0.0.0 0.0.255.255

and then change both route maps cbeyond and charter to match ip address 10.

Give it a try and let us know if it makes any difference.

HTH

Rick

I tried changing the access-list and updating the route-map as suggested, but still no go. I am still unable to telnet or SSH to the device.

Taking another look at the config, I notice that your access list telnet_access permits only 3 hosts (2 of which appear to be inside and 1 appears to be outside). I wonder if this is part of your issue. As a way to investigate, I suggest that you add a line to the access list so that it looks like this:

ip access-list standard telnet_access
 permit 1.1.1.5
 permit 1.1.1.30
 permit 216.7.100.92
 deny any log

I would also ask whether the problem affects telnet and SSH from sources inside the network, outside the network, or both.

And a copy of the updated config might be helpful.

HTH

Rick

Correct me if I am wrong, but the explicit deny in the access-list will deny anything else that does not match those 3 hosts in the telnet_access list, so adding deny any log will not make a difference. Those 3 hosts are by design the only ones that should be able to access the router. They worked before without any problems, but stopped working the second I configured the NAT forwarding statements.

Yes, if those 3 hosts are intentionally the only hosts allowed telnet or SSH access, then adding the deny statement to the ACL would have no effect (other than to show whether someone else attempted access).

Does it make any difference in the problem whether the telnet/SSH request comes from inside the network or outside? Does it make any difference in the problem if the telnet/SSH request is to an outside facing interface or the inside facing interface?

HTH

Rick

Yes, it does. I only want to allow telnet and SSH access to two workstations on the local network and to my remote home office, just in case I have to access the router remotely (a backdoor) if the firewalls behind those routers fail, without having to use VPN. The access-class statement under the line vty should allow access either way. That's why I said it was a weird problem.

Hi,

 

Was this ever resolved?

 

We often have situations where route-maps are required on 1-1 NAT translations to forward a range of specific ports to a certain local IP address. Please see below for an example of our configuration; IP addresses have been masked for security purposes.

 

ip nat inside source static 1.0.0.1 2.2.2.1 route-map RTP extendable
access-list 131 permit udp host 1.0.0.1 any range 10020 10532
route-map RTP permit 10
 match ip address 131

 

In all instances where this is used, we're unable to access the routers via telnet or SSH using the public interface (2.2.2.1) as soon as the route-map is applied.

 

Thanks,

Shaun

We've found a workaround: creating specific NAT translations to an internal interface for the ports which need to be externally accessible on the Cisco, before we create the 1-1 NAT using a route-map, resolves the issue.
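The shadowing Shaun describes in the two posts above, as an added example that is not part of the thread and not a Cisco tool: a small Python model of which static NAT entry claims an inbound packet arriving at a NAT-outside address. It encodes two rules as assumptions, that an address-only 1:1 static entry claims every protocol and port of its global address, and that a port-specific entry for the same global address wins over the address-only one (the ordering Shaun's workaround relies on); route-map conditions on static entries are ignored. The djulien357 lines are copied from the config posted earlier in the thread (with the 1.1.1..5 typo corrected), and 1.0.0.254 as the router's own inside address in Shaun's case is a constructed placeholder.

```python
"""Which IOS static NAT entry claims an inbound packet on a NAT-outside address.

Added example for this thread, not code from any poster or from Cisco.  Two
behaviours are modelled as stated assumptions: an address-only static entry
('ip nat inside source static A B') claims every protocol and port of B, and a
port-specific entry for the same global address wins over the address-only one.
Route-map conditions on static entries are ignored in this model.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StaticNat:
    inside_local: str
    outside_global: str
    proto: Optional[str] = None        # "tcp"/"udp", or None for an address-only 1:1 entry
    global_port: Optional[int] = None
    local_port: Optional[int] = None


IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PORT_RE = re.compile(
    rf"^ip nat inside source static (tcp|udp) ({IPV4}) (\d+) ({IPV4}|interface \S+) (\d+)")
ADDR_RE = re.compile(rf"^ip nat inside source static ({IPV4}) ({IPV4})(?:\s|$)")


def parse_static_nat(config: str, interfaces: Dict[str, str]) -> List[StaticNat]:
    """Extract static NAT lines; an 'interface X' global resolves through the interfaces map."""
    entries: List[StaticNat] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            proto, local, lport, glob, gport = m.groups()
            if glob.startswith("interface "):
                glob = interfaces[glob.split()[1]]
            entries.append(StaticNat(local, glob, proto, int(gport), int(lport)))
            continue
        m = ADDR_RE.match(line)
        if m:
            entries.append(StaticNat(m.group(1), m.group(2)))
    return entries


def claimed_by(entries: List[StaticNat], dst_ip: str, proto: str, dport: int) -> Optional[StaticNat]:
    """Entry that would translate an inbound dst_ip/proto/dport, or None (the router keeps it)."""
    for e in entries:   # assumption: port-specific entries are consulted first
        if e.proto == proto and e.outside_global == dst_ip and e.global_port == dport:
            return e
    for e in entries:   # assumption: an address-only 1:1 entry then claims every port
        if e.proto is None and e.outside_global == dst_ip:
            return e
    return None


MGMT_PORTS: Tuple[Tuple[str, int], ...] = (("tcp", 22), ("tcp", 23))


def shadowed_mgmt_ports(entries: List[StaticNat], router_ip: str,
                        router_self=frozenset(), mgmt=MGMT_PORTS) -> Dict[str, str]:
    """Management ports on router_ip that NAT would hand to some inside host other than the router."""
    shadowed: Dict[str, str] = {}
    for proto, port in mgmt:
        e = claimed_by(entries, router_ip, proto, port)
        if e is not None and e.inside_local not in router_self:
            shadowed[f"{proto}/{port}"] = e.inside_local
    return shadowed


# Interface addresses from the sanitized config posted in the thread.
IFACES = {"FastEthernet0/0": "163.215.76.181", "FastEthernet0/1": "204.108.10.69"}

# Subset of djulien357's posted NAT lines (the 1.1.1..5 typo corrected).
DJULIEN_CFG = """
ip nat inside source static udp 1.1.1.5 500 interface FastEthernet0/0 500
ip nat inside source static tcp 1.1.1.10 80 163.215.76.182 80 extendable
ip nat inside source static tcp 1.1.1.5 22 163.215.76.186 1022 extendable
ip nat inside source static tcp 1.1.1.5 10000 163.215.76.186 10000 extendable
"""

# Shaun's 1:1 mapping: address-only, so in this model it claims every port of 2.2.2.1.
SHAUN_BEFORE = "ip nat inside source static 1.0.0.1 2.2.2.1 route-map RTP extendable\n"

# Shaun's workaround: port entries for the router's own inside address ahead of the 1:1.
ROUTER_INSIDE = "1.0.0.254"   # constructed placeholder for the router's inside interface
SHAUN_AFTER = f"""
ip nat inside source static tcp {ROUTER_INSIDE} 22 2.2.2.1 22 extendable
ip nat inside source static tcp {ROUTER_INSIDE} 23 2.2.2.1 23 extendable
""" + SHAUN_BEFORE

if __name__ == "__main__":
    dj = parse_static_nat(DJULIEN_CFG, IFACES)
    print("djulien357 tcp/22 to 163.215.76.181 claimed by:", claimed_by(dj, "163.215.76.181", "tcp", 22))
    for name, cfg in (("before", SHAUN_BEFORE), ("after", SHAUN_AFTER)):
        ents = parse_static_nat(cfg, IFACES)
        print(f"Shaun {name} workaround, shadowed on 2.2.2.1:",
              shadowed_mgmt_ports(ents, "2.2.2.1", {ROUTER_INSIDE}))
```

Against the first config, nothing claims tcp/22 or tcp/23 on 163.215.76.181 (only udp/500 on that address and the .186 port mappings are translated), so under these assumptions the posted static entries alone do not explain djulien357's symptom. Against Shaun's single 1:1 entry, both management ports on 2.2.2.1 are handed to 1.0.0.1; once the port-specific entries for the router's own inside address are present, they are kept by the router while every other port on 2.2.2.1 still reaches 1.0.0.1.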

Hi,

Could you try with the local PBR disabled, like this:

no ip local policy route-map business_app_failover

Regards

Alain

Don't forget to rate helpful posts.