Hi,
We're configuring up a Cisco ISR4331.
Cisco IOS XE Software, Version 16.09.05
Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.5, RELEASE SOFTWARE (fc1)
It connects to the internet via an ISP provided PPP connection using a dialer interface (Dialer1).
We have an 'inside' interface configured with 'ip nat inside' & Dialer1 interface as 'ip nat outside'.
Outbound traffic is working fine - e.g. the LAN can get to the internet fine.
We can SSH to the router's LAN & loopback IP addresses from the LAN ('inside') but can't connect to the public IP (dialer1 IP address).
For testing (with nothing of importance connected to the 'inside') we removed any & all access-lists, but the issue remains. After all the troubleshooting, we've re-added access-lists, etc.
We noted in the 'sh ip nat translations' table, that we could see our connections in there, e.g. (where the router WAN Dialer1 public IP will be x.x.x.x & our public IP that we're connecting to the router from will be y.y.y.y):
test-rt1.wa#sh ip nat tran
Pro Inside global Inside local Outside local Outside global
tcp x.x.x.x:545 x.x.x.x:22 y.y.y.y:50828 y.y.y.y:50828
It always ends up showing as translated to internal on port 545!
NAT configuration:
ip access-list extended ACL-NAT-OUT
deny ip host y.y.y.y host x.x.x.x
permit ip any any
route-map NAT permit 10
match ip address ACL-NAT-OUT
ip nat inside source route-map NAT interface Dialer1 overload
When we remove NAT entirely (no ip nat inside source route-map NAT interface Dialer1 overload), we can connect without issue - SSH to x.x.x.x from y.y.y.y works!
It seems NAT is the issue but why is it being NAT to this port 545? There are no other NAT statements & we don't have any unusual config - this is a very basic router config from scratch. Previous to using a route-map in the NAT statement, we used a 'list' which was the ACL-NAT-OUT, but tried with route-map in case it was treated differently. Tested with & without the deny line for the ACL-NAT-OUT access-list.
We thought maybe we need a static one-to-one NAT from x.x.x.x:22 to x.x.x.x:22 so that it doesn't go to x.x.x.x:545 but if we try to apply the NAT command, it says:
test-rt1.wa(config)#ip nat inside source static tcp x.x.x.x 22 interface di1 22
%Port 22 is being used by system
test-rt1.wa(config)#ip nat inside source static tcp x.x.x.x 22 x.x.x.x 22
%Port 22 is being used by system
test-rt1.wa(config)#
We've tried everything from 'crypto key zeroize ...', clearing the translation table.
We were able to apply the above NAT command after shutting the Dialer1 interface & now the NAT table shows as expected - but we still cannot connect (yes, we did unshut the Dialer after applying the command in case you were wondering!).
test-rt1.wa# sh ip nat tran
Pro Inside global Inside local Outside local Outside global
tcp x.x.x.x:22 x.x.x.x:22 --- ---
tcp x.x.x.x:22 x.x.x.x:22 y.y.y.y:51582 y.y.y.y:51582
Previously (prior to adding this NAT command), we would see a log showing the connection allowed (example below) but then (with the NAT to port 22 config in place) we don't see a log hit at all!
%SEC-6-IPACCESSLOGP: list vty-acl permitted tcp y.y.y.y(33968) -> y.y.y.y (22), 1 packet
!~~~ It must be noted that the log actually shows a weird reversal of the IP, e.g if the log was for IP address 1.2.3.4, the log looks like this:
%SEC-6-IPACCESSLOGP: list vty-acl permitted tcp 1.2.3.4(33968) -> 4.3.2.1(22), 1 packet
Our current workaround is to use a DMVPN back to our management infrastructure & then we can SSH directly to the 'local' loopback of the router. It would be nice to be able to allow SSH from our specific public IP addresses so in the event that our DMVPN tunnel goes down for any reason, we can still remotely manage the device.
Any assistance will be greatly appreciated.
Cheers in advance!
