Does anyone else have trouble with PAT of SSH (Tcp port 22)?

thomasdzubin
Level 1

(this is dup. of a message that I posted in the WAN forum, but perhaps this is a better forum to ask in...)

I have two routers, one with a public IP (xxx.xx.xx.23) on its WAN port and a second one with a private IP connected to the first router. I want to set up PAT on the first router so I can SSH to the second router. Since I already SSH to the first router, I thought I'd just pick some port number other than 22 and do a port translation with an "ip nat inside source static" config line; a TCP port translation from port 2222 to 22 SHOULD work, but it doesn't. (I'm using PuTTY as a client and I can change the port used to whatever I want.)

This is in a test environment; I don't have any access-lists or anything else which might be blocking either port 22 or my (arbitrarily picked) port 2222.

If I TELNET to my first router and set up my "ip nat inside source static" config to do port 22 to port 22, it works, but port 2222 to port 22 does not work. Very odd.

-----------------------------------------

Router 1 config:

!
! Last configuration change at 10:24:22 MST Wed Dec 5 2007 by thomasdzubin
! NVRAM config last updated at 13:45:17 MST Thu Nov 29 2007 by thomasdzubin
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname temp192168
!
boot-start-marker
boot-end-marker
!
logging buffered 100000
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone MST -7
clock summer-time MDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip cef
!
!
ip domain name fping.com
!
!
username thomasdzubin secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN link (public IP address)
 ip address xxx.xx.xx.23 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description inside LAN address
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 xxx.xx.xx.1
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.99 22 xxx.xx.xx.23 2222 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 60 0
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

-----------------------------------------

Router 2 config:

MyRouter#show run
Building configuration...

Current configuration : 877 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 99999
!
no aaa new-model
ip cef
!
!
no ip domain lookup
ip domain name router.local
!
!
!
!
!
username router privilege 15 password 0 router
!
!
!
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.99 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

2 Replies

lgijssel
Level 9

Interesting problem, well documented too.

My feeling is that this has to do with PAT for the entire subnet running on the router also. In my opinion there are two possible solutions (or things to try):

1: The public subnet is a /25. This leaves plenty of address space, so there is no need to use the first router's interface IP for this.

You can simply PAT tcp port 22 with source IP (XX+1) to tcp 192.168.1.99 22. This should certainly work and, besides, I dislike configuring a combination of static and dynamic PAT on the same interface IP because it can deliver odd results. I believe this case may well serve as an example of what I mean by that.

2: Your argument against the above might be that IP address space is growing scarce and that you do not want to sacrifice a public IP for this. You might try what happens when you exempt 192.168.1.99 from global NAT. Modify acl 1 as follows:

access-list 1 deny 192.168.1.99

access-list 1 permit 192.168.1.0 0.0.0.255

I know, (honestly) this should not make any difference but still my suggestion is that you give it a try. ;-)

Please let me know your results.

regards,

Leo
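As an added illustration (not from the thread, and not Cisco's own tooling), a small offline audit of the NAT-relevant lines from Router 1's config above: it lists every static TCP PAT entry that reuses the overload interface's address, which is the combination Leo says can give odd results, and checks whether the inside host is still matched by the overload ACL, so the effect of the exemption in suggestion 2 can be confirmed before touching the router. The post masks the public address, so a documentation-range placeholder is assumed for it.

```python
import ipaddress
import re
# Constructed sample: the NAT-relevant lines of Router 1's config from the post, with a
# documentation-range placeholder standing in for the masked public address xxx.xx.xx.23.
ROUTER1_CONFIG = """\
interface FastEthernet4
 ip address 203.0.113.23 255.255.255.128
 ip nat outside
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.99 22 203.0.113.23 2222 extendable
access-list 1 permit 192.168.1.0 0.0.0.255
"""
def interface_addresses(cfg):
    """Map each 'interface X' stanza to the IPv4 address configured under it."""
    addrs, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        m = re.match(r"\s+ip address (\S+) \S+", line)
        if m and current:
            addrs[current] = m.group(1)
    return addrs

def acl_permits(cfg, acl, host):
    """First-match evaluation of a standard numbered ACL for one host (implicit deny at end)."""
    ip = int(ipaddress.IPv4Address(host))
    for line in cfg.splitlines():
        m = re.match(rf"access-list {acl} (permit|deny) (?:host )?(\S+)(?: (\S+))?$", line)
        if not m:
            continue
        action, net, wild = m.group(1), m.group(2), m.group(3) or "0.0.0.0"
        if net == "any":
            return action == "permit"
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))  # wildcard 1-bits are don't-care
        if (ip & care) == (int(ipaddress.IPv4Address(net)) & care):
            return action == "permit"
    return False

def audit_static_pat(cfg):
    """List static TCP PAT entries whose public address is also an interface used for overload."""
    addrs = interface_addresses(cfg)
    overloads = re.findall(r"ip nat inside source list (\d+) interface (\S+) overload", cfg)
    findings = []
    for inside, iport, public, pport in re.findall(
            r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)", cfg):
        for acl, iface in overloads:
            if addrs.get(iface) == public:  # static PAT shares the overload address
                findings.append({"exposed": f"{public}:{pport}", "target": f"{inside}:{iport}",
                                 "acl": acl, "host_in_overload_acl": acl_permits(cfg, acl, inside)})
    return findings
```

Only the `ip nat inside source static tcp <inside> <port> <public-ip> <port>` form used in the post is parsed; the `interface` form of that command is not recognised.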

Thanks, but the /25 subnet is actually only available at my own site where I've reproduced the problem with my test kit. My client that has the real problem only has one public IP, so unfortunately PAT is the only way to go. This is a really strange problem since I use PAT for all sorts of other services... it just fails on SSH so I think there must be something within the SSH protocol that just isn't translating.