
NAT ACL

Feb 4, 2006
When I add access-list 111 for NAT I cannot SSH from the outside. If I remove ACL 111 I can SSH but cannot NAT. I changed access-list 111 to "access-list 111 permit ip any X.X.X.X", with which I am not able to NAT.

I need to be able to NAT and to SSH from the outside into the network. A snapshot of the config is posted below. Can someone tell me what I am missing?


interface FastEthernet1/0
description outside interface
ip address X.X.X.X 255.255.254.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect fwout in
ip virtual-reassembly
duplex auto
speed auto
ntp broadcast
no cdp enable

interface FastEthernet1/1
description inside interface to SW1a fa1/0/23
ip address 192.168.1.5 255.255.255.252
ip pim sparse-mode
ip nat inside
ip inspect fwout in
ip virtual-reassembly
duplex auto
speed auto


ip nat inside source list 111 interface FastEthernet1/0 overload

access-list 111 permit ip any any



 
"access-list 111 permit ip any X.X.X.X" is backwards, first of all---to NAT, you need "access-list 111 permit ip x.x.x.x any"

Second, we would need to see the entire config, acl's and all...is there a remote access VPN involved? Site to site VPN?
I'm thinking (in fact, I know) that a route-map would definitely work, but that is not the problem---just a simple extended acl would work, like...

access-list 101 permit tcp any X.X.X.X 255.255.254.0 eq 22 log
access-list 101 permit tcp any any established
(whatever else you need that is initiated from the outside---I also include many other ACE's to log them for the hell of it, and I also use route maps so that I can get granular with my RA VPN and to also see hits on the "deny ip any any" without having the "log" keyword on the end)
access-list 101 deny ip any any (log)---if you don't use a route map, and if you want to log the bad guys... :)

Please post a scrubbed ENTIRE config if you want more help.


Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
Technical Support: Copyright (c) 1523-2010 by Cisco Systems, Inc.
Compiled Thu 11-Feb-1539 23:02 by ßµ®†Šß€€Š

ROM: System Bootstrap, Version 12.2(7r) [ÝØÝØMØÑ], RELEASE SOFTWARE (fc1)

Edge uptime is 469¼
 
Burtsbees,
I added access-list 101 and still cannot access the router through SSH from an external network.
Building configuration...

Current configuration : 8224 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot system flash:c3745-adventerprisek9_sna-mz.124-23a.bin
boot-end-marker
!
security authentication failure rate 5 log
security passwords min-length 10
no logging console
enable secret 5 $1$K1Ve$O.WIYuV/fvAxXM1bnGksy.
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate slot 3
voice-card 3
dspfarm
!
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip dhcp relay information trust-all
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.10
!
ip dhcp pool data
network 192.168.10.0 255.255.255.0
dns-server 4.2.2.2
default-router 192.168.10.1
!
!
no ip bootp server
ip domain name pcrus.net
ip name-server 4.2.2.2
ip name-server 4.2.2.3
ip multicast-routing
ip inspect audit-trail
ip inspect max-incomplete low 400
ip inspect max-incomplete high 500
ip inspect one-minute low 400
ip inspect one-minute high 500
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 10
ip inspect name fwout tcp
ip inspect name fwout udp
ip inspect name fwout icmp
ip inspect name fwout esmtp
ip inspect name fwout pop3
ip inspect name fwout imap3
ip inspect name fwout dns
ip inspect name fwout ftp
ip inspect name fwout ntp
login on-failure log
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3249608318
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3249608318
revocation-check none
rsakeypair TP-self-signed-3249608318
!
!
crypto pki certificate chain TP-self-signed-3249608318
certificate self-signed 01
quit

!
controller T1 3/0
framing sf
linecode ami
!
controller T1 3/1
framing sf
linecode ami
!
!
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
ip pim sparse-mode
ip igmp join-group 239.1.1.1
!
interface Loopback1
ip address 173.16.22.3 255.255.255.255
!
interface Port-channel1
ip address 192.168.1.9 255.255.255.252
hold-queue 300 in
!
interface FastEthernet0/0
description inside interface to SW1a fa1/0/24
ip address 192.168.1.1 255.255.255.252
ip hello-interval eigrp 1 3
ip hold-time eigrp 1 6
ip pim sparse-mode
ip nat inside
ip inspect fwout in
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
description DMZ
ip address 172.16.0.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no cdp enable
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
description outside interface
ip address XXX.XXX.XXX.XXX 255.255.254.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect fwout in
ip virtual-reassembly
duplex auto
speed auto
ntp broadcast
no cdp enable

!
interface Serial1/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/1
description inside interface to SW1a fa1/0/23
ip address 192.168.1.5 255.255.255.252
ip hello-interval eigrp 1 3
ip hold-time eigrp 1 6
ip pim sparse-mode
ip nat inside
ip inspect fwout in
ip virtual-reassembly
duplex auto
speed auto

!
interface Serial1/1
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet2/0
switchport access vlan 30
switchport voice vlan 20
spanning-tree portfast
!
interface FastEthernet2/1
no switchport
no ip address
shutdown
!
interface FastEthernet2/2
switchport access vlan 10
switchport voice vlan 20
shutdown
spanning-tree portfast
!
interface FastEthernet2/3
switchport access vlan 10
switchport voice vlan 20
shutdown
spanning-tree portfast
!
interface FastEthernet2/4
switchport access vlan 10
switchport voice vlan 20
shutdown
spanning-tree portfast
!
interface FastEthernet2/5
switchport access vlan 10
switchport voice vlan 20
shutdown
spanning-tree portfast
!
interface FastEthernet2/6
shutdown
!
interface FastEthernet2/7
shutdown
!
interface FastEthernet2/8
shutdown
!
interface FastEthernet2/9
switchport mode trunk
shutdown
!
interface FastEthernet2/10
shutdown
!
interface FastEthernet2/11
switchport mode trunk
shutdown
!
interface FastEthernet2/12
switchport mode trunk
shutdown
!
interface FastEthernet2/13
switchport mode trunk
!
interface FastEthernet2/14
no switchport
no ip address
!
interface FastEthernet2/15
no switchport
ip address 173.16.10.1 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip helper-address 192.168.10.1
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
ip address 192.168.30.2 255.255.255.0
standby 1 ip 192.168.30.1
standby 1 priority 150
!
interface Vlan999
no ip address
!
router eigrp 1
redistribute static
passive-interface Vlan10
network 10.1.1.0 0.0.0.255
network 192.168.1.0
default-metric 100000000 1000000000 255 255 15000
no auto-summary
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 173.16.10.0 0.0.0.255 area 0
network 173.16.0.0 0.0.255.255 area 0
!
ip route 0.0.0.0 0.0.0.0 74.234.132.1
!
!
no ip http server
ip http secure-server
ip pim rp-address 10.1.1.1
ip nat inside source list 1 interface FastEthernet1/0 overload

!
ip access-list extended OUTSIDE
permit ip any any
permit tcp any any
permit udp any any
!
access-list 101 permit tcp any 0.0.1.250 255.255.254.0 eq 22 log
access-list 101 permit tcp any any established
access-list 101 deny ip any any log
access-list 111 permit ip any any
!
!

!
!
control-plane
!
!
!
!
!
!
dial-peer cor custom
!
!
!
!
!
alias exec w wr mem
alias exec s sh run
!
line con 0
login local
line aux 0
line vty 0 4
login local
transport input ssh
line vty 5 16
login local
transport input ssh
!
ntp clock-period 17180424
!
end

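The ACL behaviour this thread turns on, as an added example that is not part of the original posts: a small Python model of IOS extended-ACL evaluation (wildcard masks, the `established` keyword, first match wins, implicit deny) applied to ACL 101 as it appears in the posted config, where the outside interface's subnet mask 255.255.254.0 sits in the position IOS reads as a wildcard, and to the NAT source-list direction from the first reply. The outside address 203.0.113.250 and the test packets are constructed placeholders for the scrubbed values.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
# ack = TCP ACK or RST bit set, which is what the IOS "established" keyword tests
Packet = namedtuple("Packet", "proto src dst dport ack", defaults=(0, False))

@dataclass
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: str
    swild: str          # IOS wildcard (inverse mask), not a subnet mask
    dst: str
    dwild: str
    dport: int = 0      # 0 = no "eq" port check
    established: bool = False
ANY = ("0.0.0.0", "255.255.255.255")   # what the IOS keyword "any" expands to

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    # Wildcard semantics: a 0 bit must match, a 1 bit is ignored
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)

def ace_match(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, ace.src, ace.swild)
            and wildcard_match(pkt.dst, ace.dst, ace.dwild)):
        return False
    if ace.dport and pkt.dport != ace.dport:
        return False
    return not ace.established or (pkt.proto == "tcp" and pkt.ack)

def evaluate(acl: list, pkt: Packet) -> str:
    # First matching entry wins; every IOS ACL ends with an implicit deny
    for ace in acl:
        if ace_match(ace, pkt):
            return ace.action
    return "deny"
OUTSIDE = "203.0.113.250"   # constructed stand-in for the scrubbed outside address
# ACL 101 as posted: a subnet mask (255.255.254.0) typed where a wildcard belongs
ACL_101_POSTED = [Ace("permit", "tcp", *ANY, OUTSIDE, "255.255.254.0", dport=22),
                  Ace("permit", "tcp", *ANY, *ANY, established=True),
                  Ace("deny", "ip", *ANY, *ANY)]
# Same ACL with the host wildcard 0.0.0.0, so only the router's own address matches
ACL_101_FIXED = [Ace("permit", "tcp", *ANY, OUTSIDE, "0.0.0.0", dport=22)] + ACL_101_POSTED[1:]
# NAT source lists are matched on inside->outside packets: the inside net goes in the source field
NAT_BACKWARDS = [Ace("permit", "ip", *ANY, OUTSIDE, "0.0.0.0")]
NAT_CORRECT = [Ace("permit", "ip", "192.168.0.0", "0.0.255.255", *ANY)]
```

With the posted wildcard, the SSH entry also matches any destination whose last octet is 250 and whose third octet has the same low bit as the router's, which is why a wrong wildcard is worth checking before looking elsewhere for a reachability problem.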
 
I finally figured it out.

I needed static port mappings (static PAT). The following allows SSH to my router's internal interface via the new PATed address:



ip nat inside source static tcp 192.168.1.1 22 XXX.XXX.XXX.XXX
ip nat inside source static udp 192.168.1.1 22 XXX.XXX.XXX.XXX

I can now SSH to XXX.XXX.XXX.XXX (outside address)

Case closed.
 