Cannot SSH/telnet into the router

Status
Not open for further replies.

kunz12

MIS
Jan 17, 2007
42
Guys - below is the config of my lab router. Very simple config but I cannot SSH/Telnet/Ping my router IP address from outside. However, when I remove "ip nat outside" statement from Interface Gig 0/0, I can SSH/Telnet/Ping my router IP address from outside. However, when I do this, I can no longer connect to the Internet from my lab machine.

Any thoughts or ideas as to why this is happening? I even created a nat pool instead of overloading the Gig 0/0 interface address. That did not help.

Current configuration : 1512 bytes
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LAB_ROUTER
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/3
enable secret 5 $1$cB1w$9gaXgVqJpJ9yJ48rAQLgJ/
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
ip domain name test.local
ip ssh time-out 30
!
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username ksarin password 7 13041511355D55797F
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0
ip address 99.99.99.139 255.255.255.248
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 99.99.99.142
!
!
no ip http server
no ip http secure-server
ip nat pool NATPOOL 99.99.99.140 99.99.99.141 netmask 255.255.255.248
ip nat inside source list 111 pool NATPOOL overload
!
access-list 111 permit ip any any
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login local
terminal-type monitor
transport input telnet ssh
line vty 5 15
login local
terminal-type monitor
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
 
There is no access-list 111...

ip nat inside source pool NATPOOL int g0/0 overload
and put the ip nat out back on the interface, and ip nat in on int g0/1, not the subinterfaces...
You need crypto key gen rsa and ip domain-name local for ssh to work...
Also, read this, and be careful what you post...


Burt
 
The access-l 111 does exist.

Also, putting the "ip nat inside" on Gig 0/1 would not work the way I have setup my lab. The issue is really related to SSH per se. Like mentioned in the original post, the IP of the router cannot even be pinged from outside with "ip nat outside" statement applied to Gig 0/0.

Regarding level 7 passwords, those are modified, not what I have in my config!!!!
 
If you used one IP address rather than a pool, I bet you'd have better luck, even if it is only 2 addresses. Also, the ip nat inside goes on the interface, not subinterfaces.
I am blind...I see acl111 now...

Burt
 
Sorry if I didn't see this but I think you should apply that access-list 111 to int gi0/0. The pool is fine considering you're using the overload statement at the end but having 1 ip there would not make a difference. I think applying the ACL should do the trick for you.

int gi0/0
access-group 111 in
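
An added example, not part of any post in this thread: a small Python audit of the management-plane settings visible in the posted configuration (type 7 passwords, Telnet on the VTY lines, no inbound access-class, and a NAT access list of "permit ip any any"). The function names and the sample config are constructed for illustration; the parser accepts the flush-left layout the forum produced as well as normally indented IOS output.

```python
import re

# Constructed sample in the flush-left style of the posted config; secret replaced.
SAMPLE = """\
username labuser password 7 <redacted>
ip nat inside source list 111 pool NATPOOL overload
access-list 111 permit ip any any
line vty 0 4
login local
transport input telnet ssh
line vty 5 15
login local
access-class 10 in
transport input ssh
"""

def vty_blocks(cfg):
    """Return [(header, [body lines])] per 'line vty' block; indentation is optional."""
    out, cur = [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("line vty"):
            cur = (line, [])
            out.append(cur)
        elif not line or line.startswith(("line ", "!", "end")):
            cur = None  # block ends at a separator, another line type, or 'end'
        elif cur:
            cur[1].append(line)
    return out

def audit(cfg):
    """Return human-readable findings; only explicitly configured settings are judged."""
    findings = []
    for m in re.finditer(r"^\s*(username \S+|enable)(?: privilege \d+)? password 7 ", cfg, re.M):
        findings.append(f"{m.group(1)}: type 7 password is reversible; use 'secret'")
    for header, body in vty_blocks(cfg):
        transports = next((b.split()[2:] for b in body if b.startswith("transport input")), [])
        if "telnet" in transports or "all" in transports:
            findings.append(f"{header}: telnet allowed; use 'transport input ssh'")
        if not any(re.match(r"access-class \S+ in", b) for b in body):
            findings.append(f"{header}: no inbound access-class limiting management sources")
    open_acls = set(re.findall(r"^\s*access-list (\d+) permit ip any any\s*$", cfg, re.M))
    for m in re.finditer(r"^\s*ip nat inside source list (\S+)", cfg, re.M):
        if m.group(1) in open_acls:
            findings.append(f"NAT list {m.group(1)}: 'permit ip any any'; match inside subnets only")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against a saved copy of a running-config before posting it or exposing the router; a VTY block with no explicit "transport input" line is not judged, since the default depends on the IOS release.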
 