In a Cisco router and switch you can change SSH to answer on a different port through features such as the port-map and rotary commands.
If your server can be changed to answer SSH on a different port, then port forwarding via a NAT statement can be accomplished just as you have already applied it, but obviously with a different specified port.
A couple things:
Your access-list changed when you moved it back to G0/0. It should remain:
access-list 100 permit ip host 192.168.183.220 host 126.96.36.199
The fact that you are NATing is also an issue. Any traffic from the 11.0.10.x/24 or 11.0.20.x/24 networks to 192.168.183.220 is NATed to the G0/0 IP, so 192.168.183.220 is not going to see any packets sourced from the 11.x.x.x networks. Policy routing may work towards 188.8.131.52, but the return traffic gets NATed and probably gets dropped. If you omit 184.108.40.206 from the NAT it may work.
Better still, if possible, remove the NAT altogether and verify if PBR is working.
Hope that makes sense.
Hello Paul, thank you for replying. I decided to change the configuration. What I am trying to do is use policy based routing to reroute the specific traffic going to 220.127.116.11 to 18.104.22.168 using the known source IP, which at this stage is 192.168.1.5 255.255.255.0.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RHome
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$1SeR$LgRp8TxZH2nT5zLFXBwk/.
!
no aaa new-model
ip cef
!
ip domain name cisco.com
!
username R1 password 0 david
!
controller DSL 0/0/0
 line-term cpe
!
interface FastEthernet0/0
 ip address dhcp   // 192.168.1.4
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 10
 ip address 22.214.171.124 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.2
 encapsulation dot1Q 20
 ip address 126.96.36.199 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map hon
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 188.8.131.52 22 192.168.1.4 22 route-map hon extendable
!
access-list 101 permit ip 184.108.40.206 0.0.0.255 any
access-list 101 permit ip 220.127.116.11 0.0.0.255 any
access-list 110 permit ip host 192.168.1.5 any
!
route-map hon permit 10
 match ip address 110
 set ip next-hop 18.104.22.168
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end
As you can see in the NAT, I have one-to-one PAT from my server and my gateway to the outside world, and I am trying to implement PBR so that traffic with a source IP address of 192.168.1.5 will be sent to my second server, 22.214.171.124!
Thanks for your time, guys :))
Sorry for disturbing you. My name is David, I am doing my final project on network security and I am having problems with NAT and policy based routing.
I am using only one Cisco router (2901), a basic switch and two servers.
The outside network is 192.168.183.0, which connects to our G0/0 (IP address 192.168.183.51); G0/1 = 126.96.36.199
Server 1 = 188.8.131.52
Server 2 = 184.108.40.206
We want SSH packets sent from client computer 192.168.183.220 to be sent to Server 2 (220.127.116.11),
and we want packets sent from 192.168.183.53 to be sent to Server 1 (18.104.22.168).
The problem we are having is that we don't know how to do port translation on multiple IP addresses, so that different IP addresses can SSH into different servers.
We tried multiple different types of configurations but nothing seems to be working.
At this stage we are stuck on this config:
ip nat inside source static tcp 22.214.171.124 22 interface GigabitEthernet0/0 22
ip nat inside source static tcp 126.96.36.199 22 192.168.183.51 22 route-map honR extendable
ip access-list extended hon
 permit ip host 192.168.183.53 host 192.168.183.51
route-map honR permit 10
 match ip address hon
With this configuration, client 192.168.183.53 can SSH into 188.8.131.52 (using 192.168.183.51), but when we try to make client 192.168.183.220 SSH into 184.108.40.206 (using 192.168.183.51) it still takes us to 220.127.116.11. I feel like the ACL/route map isn't being used and it is just static 1:1 port forwarding.
Please help :)))
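One way to reason about the overlap in the original post's two static entries, and about the per-client ACL form Paul suggests, is to model the NAT entries and their route-maps and ask which inside server a given outside client lands on. The Python below is an added example written for this page; it is not code from the thread or from Cisco. The matching rules it encodes (an entry without a route-map applies to every connection, a route-mapped entry applies only when its ACL permits client to outside address, and the first applicable entry in configuration order wins) are modelling assumptions, as are the names to-server1, to-server2, client-53 and client-220 and the constructed config text; the addresses are the ones quoted in the thread. Confirm what the real router does with `show ip nat translations` and `show access-lists` before relying on it.

```python
"""Model of IOS static NAT entries that share one outside address and port.

Assumed matching rules (confirm on the router with 'show ip nat translations'
and 'show access-lists'):
  * an entry with 'route-map X' applies to a connection only when the extended
    ACL referenced by X permits <client> -> <outside global address>;
  * an entry without a route-map applies to every connection;
  * entries are consulted in configuration order; the first applicable wins.
Addresses are those quoted in the thread; the config text is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SERVER1 = "188.8.131.52"     # Server 1 from the original post
SERVER2 = "184.108.40.206"   # Server 2 from the original post
OUTSIDE = "192.168.183.51"   # G0/0 address the clients connect to


@dataclass
class AclEntry:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class StaticNat:
    inside_local: str
    inside_port: int
    outside_global: str
    outside_port: int
    route_map: Optional[str]


NAT_RE = re.compile(
    r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)(?: route-map (\S+))?")


def _addr(tokens):
    """Consume one extended-ACL address term: any | host A | A wildcard."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # ipaddress accepts an IOS wildcard (host mask) in place of a prefix length
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return (NAT entries in order, {acl: [AclEntry]}, {route-map: acl})."""
    nats, acls, route_maps = [], {}, {}
    acl = rm = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats.append(StaticNat(m[1], int(m[2]), m[3], int(m[4]), m[5]))
        elif m := re.match(r"ip access-list extended (\S+)", line):
            acl, rm = acls.setdefault(m[1], []), None
        elif m := re.match(r"route-map (\S+) permit \d+", line):
            rm, acl = m[1], None
        elif (m := re.match(r"match ip address (\S+)", line)) and rm:
            route_maps[rm] = m[1]
        elif (m := re.match(r"(permit|deny) ip (.+)", line)) and acl is not None:
            src, rest = _addr(m[2].split())
            dst, _ = _addr(rest)
            acl.append(AclEntry(m[1], src, dst))
    return nats, acls, route_maps


def resolve(config_text, client, outside=OUTSIDE, port=22):
    """Inside host that <client> -> <outside>:<port> is translated to, or None."""
    nats, acls, route_maps = parse_config(config_text)
    c, o = ipaddress.ip_address(client), ipaddress.ip_address(outside)
    for nat in nats:
        if (nat.outside_global, nat.outside_port) != (outside, port):
            continue
        if nat.route_map is None:           # unconditional: catches everyone
            return nat.inside_local
        for e in acls.get(route_maps.get(nat.route_map), []):
            if c in e.src and o in e.dst:   # first matching ACL line decides
                if e.action == "permit":
                    return nat.inside_local
                break
    return None


# Shape of the original post's attempt: one unconditional entry plus one
# route-mapped entry on the same outside socket (constructed text).
OVERLAPPING = f"""
ip nat inside source static tcp {SERVER1} 22 {OUTSIDE} 22
ip nat inside source static tcp {SERVER2} 22 {OUTSIDE} 22 route-map honR extendable
ip access-list extended hon
 permit ip host 192.168.183.220 host {OUTSIDE}
route-map honR permit 10
 match ip address hon
"""

# Per-client form: every entry on the shared socket carries its own route-map
# (the names to-server1/to-server2 and client-53/client-220 are made up here).
PER_CLIENT = f"""
ip nat inside source static tcp {SERVER2} 22 {OUTSIDE} 22 route-map to-server2 extendable
ip nat inside source static tcp {SERVER1} 22 {OUTSIDE} 22 route-map to-server1 extendable
ip access-list extended client-220
 permit ip host 192.168.183.220 host {OUTSIDE}
ip access-list extended client-53
 permit ip host 192.168.183.53 host {OUTSIDE}
route-map to-server2 permit 10
 match ip address client-220
route-map to-server1 permit 10
 match ip address client-53
"""

if __name__ == "__main__":
    for name, cfg in (("overlapping", OVERLAPPING), ("per-client", PER_CLIENT)):
        for client in ("192.168.183.220", "192.168.183.53", "192.168.183.99"):
            print(f"{name}: {client} -> {resolve(cfg, client)}")
```

Under these assumptions the OVERLAPPING config sends both clients to SERVER1, because the unconditional entry is applicable to every connection and the route-mapped entry behind it is never consulted; the PER_CLIENT config sends 192.168.183.220 to SERVER2 and 192.168.183.53 to SERVER1, and a client that matches neither ACL gets None (no static entry applies). The per-client ACLs are written as client to outside address, the direction in which the connection is actually seen arriving on G0/0; if the router's own route-map evaluation turns out to differ, the hit counters in `show access-lists` will show which line, if any, is being matched.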