03-18-2021 03:10 AM
Hi,
We're configuring a Cisco ISR4331.
Cisco IOS XE Software, Version 16.09.05 Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.5, RELEASE SOFTWARE (fc1)
It connects to the internet via an ISP provided PPP connection using a dialer interface (Dialer1).
We have an 'inside' interface configured with 'ip nat inside' & Dialer1 interface as 'ip nat outside'.
Outbound traffic is working fine - e.g. the LAN can get to the internet fine.
We can SSH to the router's LAN & loopback IP addresses from the LAN ('inside') but can't connect to the public IP (dialer1 IP address).
For testing (with nothing of importance connected to the 'inside') we removed any & all access-lists, but the issue remains. After all the troubleshooting, we've re-added access-lists, etc.
We noted in the 'sh ip nat translations' table, that we could see our connections in there, e.g. (where the router WAN Dialer1 public IP will be x.x.x.x & our public IP that we're connecting to the router from will be y.y.y.y):
test-rt1.wa#sh ip nat tran
Pro Inside global      Inside local       Outside local      Outside global
tcp x.x.x.x:545        x.x.x.x:22         y.y.y.y:50828      y.y.y.y:50828
It always ends up showing as translated to internal on port 545!
NAT configuration:
ip access-list extended ACL-NAT-OUT
 deny ip host y.y.y.y host x.x.x.x
 permit ip any any
route-map NAT permit 10
 match ip address ACL-NAT-OUT
ip nat inside source route-map NAT interface Dialer1 overload
When we remove NAT entirely (no ip nat inside source route-map NAT interface Dialer1 overload), we can connect without issue - SSH to x.x.x.x from y.y.y.y works!
It seems NAT is the issue, but why is it being NATed to this port 545? There are no other NAT statements & we don't have any unusual config - this is a very basic router config from scratch. Prior to using a route-map in the NAT statement, we used a 'list' which was the ACL-NAT-OUT, but tried with a route-map in case it was treated differently. Tested with & without the deny line in the ACL-NAT-OUT access-list.
We thought maybe we need a static one-to-one NAT from x.x.x.x:22 to x.x.x.x:22 so that it doesn't go to x.x.x.x:545 but if we try to apply the NAT command, it says:
test-rt1.wa(config)#ip nat inside source static tcp x.x.x.x 22 interface di1 22
%Port 22 is being used by system
test-rt1.wa(config)#ip nat inside source static tcp x.x.x.x 22 x.x.x.x 22
%Port 22 is being used by system
test-rt1.wa(config)#
We've tried everything from 'crypto key zeroize ...' to clearing the translation table.
We were able to apply the above NAT command after shutting the Dialer1 interface & now the NAT table shows as expected - but we still cannot connect (yes, we did unshut the Dialer after applying the command in case you were wondering!).
test-rt1.wa# sh ip nat tran
Pro Inside global      Inside local       Outside local      Outside global
tcp x.x.x.x:22         x.x.x.x:22         ---                ---
tcp x.x.x.x:22         x.x.x.x:22         y.y.y.y:51582      y.y.y.y:51582
Previously (prior to adding this NAT command), we would see a log showing the connection allowed (example below) but then (with the NAT to port 22 config in place) we don't see a log hit at all!
%SEC-6-IPACCESSLOGP: list vty-acl permitted tcp y.y.y.y(33968) -> y.y.y.y (22), 1 packet
!~~~ It must be noted that the log actually shows a weird reversal of the IP, e.g. if the log was for IP address 1.2.3.4, the log looks like this:
%SEC-6-IPACCESSLOGP: list vty-acl permitted tcp 1.2.3.4(33968) -> 4.3.2.1(22), 1 packet
Our current workaround is to use a DMVPN back to our management infrastructure & then we can SSH directly to the 'local' loopback of the router. It would be nice to be able to allow SSH from our specific public IP addresses so in the event that our DMVPN tunnel goes down for any reason, we can still remotely manage the device.
Any assistance will be greatly appreciated.
Cheers in advance!
03-18-2021 03:45 AM
Hi @crazycatman,
"permit ip any any" in NAT is never recommended. Change your NAT access-list to specify the source subnets like the following:
ip access-list extended ACL-NAT-OUT
 deny ip host y.y.y.y host x.x.x.x
 no permit ip any any
 permit ip <LAN subnet> <wildcard mask> any
***Please rate all helpful posts***
03-18-2021 07:10 PM - edited 03-18-2021 07:26 PM
This did the trick! Many thanks. Rated & accepted as solution.
NAT configuration is now as follows & remote access via the Dialer1 IP is working (obviously a security policy to restrict access is in place):
ip access-list extended ACL-NAT
 remark DO NOT ADD "log" TO ANY ACE IN THIS ACL, IT WILL CAUSE NAT FAILURE
 permit ip host lo.lo.lo.lo any                <<< Loopback interface
 permit ip 10.1.1.0 0.0.0.255 any             <<< LAN Data subnet
 permit ip a.a.a.a m.m.m.m any                 <<< Other subnet that needs internet
 deny ip any any
ip nat inside source list ACL-NAT interface Dialer1 overload
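As an added illustration, not code from any post in this thread, the following Python lint checks an IOS-style running config for the two pitfalls raised here: the answer's warning against "permit ip any any" in a NAT access-list, and the remark in the final config about "log" on NAT ACEs. The sample config and its RFC 5737 addresses are constructed; the NAT-breaking effect of "log" is taken from the poster's remark, not verified by the lint.

```python
import re

# Constructed sample (not from the thread): the poster's original NAT ACL with
# "permit ip any any", plus a hypothetical ACE carrying "log". RFC 5737 addresses.
SAMPLE_CONFIG = """\
ip access-list extended ACL-NAT-OUT
 deny ip host 203.0.113.10 host 198.51.100.5
 permit ip any any
ip access-list extended ACL-NAT
 permit ip 10.1.1.0 0.0.0.255 any log
 deny ip any any
route-map NAT permit 10
 match ip address ACL-NAT-OUT
ip nat inside source route-map NAT interface Dialer1 overload
ip nat inside source list ACL-NAT interface Dialer1 overload
"""

def parse_acls(config):
    """Return {acl_name: [ace, ...]} for every named extended ACL."""
    return {m.group(1): [ace.strip() for ace in m.group(2).splitlines()]
            for m in re.finditer(r"^ip access-list extended (\S+)\n((?: .*\n)*)",
                                 config, re.M)}

def nat_acl_names(config):
    """ACL names selected by 'ip nat inside source', directly or via a route-map."""
    rm_acls = {}
    for rm in re.finditer(r"^route-map (\S+) .*\n((?: .*\n)*)", config, re.M):
        for names in re.findall(r"match ip address (.+)", rm.group(2)):
            rm_acls.setdefault(rm.group(1), []).extend(names.split())
    selected = set()
    for kind, name in re.findall(r"^ip nat inside source (list|route-map) (\S+)",
                                 config, re.M):
        selected.update([name] if kind == "list" else rm_acls.get(name, []))
    return selected

def lint_nat_acls(config):
    """Flag NAT-ACL entries that are over-broad or carry the 'log' keyword."""
    acls, findings = parse_acls(config), []
    for name in sorted(nat_acl_names(config)):
        for ace in acls.get(name, []):
            if re.fullmatch(r"permit ip any any( log(-input)?)?", ace):
                findings.append((name, ace, "matches every source, including traffic "
                                 "to the router's own Dialer1 address; list inside subnets"))
            if ace.split()[-1] in ("log", "log-input"):
                findings.append((name, ace, "'log' on a NAT ACL entry breaks NAT "
                                 "(see the remark in the final config)"))
    return findings
```

Running lint_nat_acls(SAMPLE_CONFIG) returns one finding per pitfall: the "log" ACE in ACL-NAT and the "permit ip any any" ACE in ACL-NAT-OUT (reached through the route-map).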
03-19-2021 02:39 AM
You are welcome. The good thing is that we were able to figure out the issue.
!!! Stay Safe !!!
***Please rate all helpful posts***