NAT, ACL, and SSH - Can't SSH when NAT statement is in effect

Grant Serbousek
Level 1

Attachment: nat ssh problems.jpg

I'm having issues with:

1) I can't get to the internet from a host (11.1.1.3) connected to SW-02-C2950G.

2) I can't SSH from a client connected to the Airport Extreme. This used to work, but when I enacted NAT I lost the ability to SSH.

3) From a device on the 10.1.1.0 network I can't ping any host/interfaces on (or SSH into) devices beyond RTR-01-2611XM.

Notes:

A) I can ping from host 11.1.1.3 to the Verizon router (10.1.1.2).

B) When I remove my NAT statement "ip nat inside source list 101 pool amernat10 overload" I lose the ability to ping 10.1.1.2 from the client, but I can SSH into RTR-01-2611XM.

C) I am frustrated because I know it is something small and silly I am missing.

Device configurations are attached or pasted below. Please help. Thanks!


!
! No configuration change since last restart
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SW-02-C2950G
!
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
enable secret
!
username admin privilege 15 secret
clock timezone Eastern -5
ip subnet-zero
!
ip domain-name serhome.com
ip name-server 10.1.1.2
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh version 2
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/2
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/3
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/4
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/5
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/6
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/7
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/8
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/9
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/10
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/11
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/12
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/13
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/14
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/15
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/16
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/17
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/18
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/19
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/20
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/21
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/22
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/23
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/24
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
description VLAN1 MANAGEMENT VLAN
ip address 11.1.1.250 255.255.255.0
no ip route-cache
!
ip default-gateway 10.1.1.2
ip http server
banner login 
******************************WARNING******************************

This is a privately owned system. If you have not been given
specific authorization to log on to this system, exit immediately.

******************************WARNING******************************

banner motd 
This is a privately owned system. If you have not been given
specific authorization to log on to this system, exit immediately.

!
line con 0
session-timeout 120  output
exec-timeout 120 0
privilege level 15
logging synchronous
line vty 0 4
session-timeout 120  output
exec-timeout 120 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
session-timeout 120  output
exec-timeout 120 0
logging synchronous
!
ntp clock-period 17179876
ntp server 10.1.1.241
!
end

------------------------------


!
! Last configuration change at 19:12:34 EST Sun Mar 17 2013 by admin
! NVRAM config last updated at 19:12:43 EST Sun Mar 17 2013 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RTR-04-2611XM
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
clock timezone EST -5
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 11.1.1.200 11.1.1.254
!
ip dhcp pool america11
   import all
   network 11.1.1.0 255.255.255.0
   dns-server 10.1.1.2
   default-router 11.1.1.251
!
!
ip domain name serhome.com
ip name-server 10.1.1.2
ip ssh version 2
!
multilink bundle-name authenticated
!
!
!
!
!
username admin privilege 15 secret
!
vlan internal allocation policy ascending
!
!
!
!
!
interface FastEthernet0/0
ip address 11.1.1.251 255.255.255.0
speed 100
full-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface BRI0/0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0/1
ip address 172.16.66.246 255.255.255.252
speed 100
full-duplex
!
router eigrp 100
network 10.0.0.0
network 11.0.0.0
network 172.16.0.0
network 192.168.10.0
auto-summary
!
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
banner login 
******************************WARNING******************************

This is a privately owned system. If you have not been given
specific authorization to log on to this system, exit immediately.

******************************WARNING******************************

banner motd 
This is a privately owned system. If you have not been given
specific authorization to log on to this system, exit immediately.

!
line con 0
privilege level 15
logging synchronous
login ctrlc-disable
line aux 0
line vty 0 4
session-timeout 120  output
exec-timeout 120 0
privilege level 15
logging synchronous
login ctrlc-disable
transport input ssh
line vty 5 15
session-timeout 120  output
exec-timeout 120 0
logging synchronous
login ctrlc-disable
!
ntp clock-period 17207966
ntp server 10.1.1.241
!
end

2 Replies

Reza Sharifi
Hall of Fame

On the switch you have this config:

interface Vlan1
description VLAN1 MANAGEMENT VLAN
ip address 11.1.1.250 255.255.255.0
no ip route-cache
!
ip default-gateway 10.1.1.2

Why is the default gateway 10.1.1.2, when it should be 11.1.1.251 (RTR-4-2611XM)?

The ip default-gateway should point to the next-hop router, which is 11.1.1.251.

HTH
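A small config lint, added here as an example and not from the thread, that applies the reply's point to the posted switch config (a Layer-2 switch can only reach a default gateway that sits on its own management subnet) and also lists what the NAT statement quoted in the question needs but the posted router config does not show. The config excerpts are constructed from the text of the thread; the function and pattern names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the switch config posted in the thread (not the full file).
SWITCH_CONFIG = """
interface Vlan1
 description VLAN1 MANAGEMENT VLAN
 ip address 11.1.1.250 255.255.255.0
!
ip default-gateway 10.1.1.2
"""

# Constructed router excerpt: the NAT line quoted in the question, plus the
# interfaces as posted (no ip nat inside/outside, no access-list 101, no pool).
ROUTER_CONFIG = """
interface FastEthernet0/0
 ip address 11.1.1.251 255.255.255.0
interface FastEthernet0/1
 ip address 172.16.66.246 255.255.255.252
ip nat inside source list 101 pool amernat10 overload
"""

def interface_networks(cfg):
    """Map each interface name to the IPv4 network configured on it."""
    nets, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if m and current:
            nets[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
    return nets

def check_default_gateway(cfg):
    """Return (gateway, on_link): the gateway must be on a directly connected subnet."""
    m = re.search(r"^ip default-gateway (\S+)", cfg, re.M)
    if not m:
        return None, False
    gw = ipaddress.IPv4Address(m.group(1))
    return str(gw), any(gw in net for net in interface_networks(cfg).values())

def check_nat(cfg):
    """List what an 'ip nat inside source list ... pool ...' line needs but the config lacks."""
    missing = []
    m = re.search(r"^ip nat inside source list (\S+) pool (\S+)", cfg, re.M)
    if not m:
        return missing
    acl, pool = m.groups()
    if not re.search(rf"^access-list {acl} ", cfg, re.M):
        missing.append(f"access-list {acl}")
    if not re.search(rf"^ip nat pool {pool} ", cfg, re.M):
        missing.append(f"ip nat pool {pool}")
    for side in ("inside", "outside"):
        if not re.search(rf"^\s*ip nat {side}$", cfg, re.M):
            missing.append(f"interface marked 'ip nat {side}'")
    return missing
```

Run against the excerpts it reports the gateway 10.1.1.2 as off-link for the 11.1.1.0/24 management VLAN, and that the NAT statement references an ACL, a pool and inside/outside interfaces that the posted configuration never defines.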

Thanks for the reply, but this did not help.
