05-21-2012 06:17:10 PM
I have a block of 8 static IPs, I have NAT set up and can use the Internet just fine, however, unless I disconnect the LAN cable to the router's interface (effectively shutting it down) I cannot get to my 2621's http config interface page... additionally, I cannot ssh into the PC but we can take this one step at a time... here's my config:
Current configuration : 1045 bytes
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
enable secret 5 hooey
memory-size iomem 10
no aaa new-model
ip name-server 184.108.40.206
ip name-server 220.127.116.11
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip address
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip nat outside
no ip address
ip default-gateway xxx.xxx.xxx.xxx
ip nat inside source list 1 interface FastEthernet0/1 overload
ip http server
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
access-list 1 permit 192.168.1.0 0.0.0.255
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
line vty 5 15
05-21-2012 06:49:44 PM
From the WAN side will not work until you put in a static NAT translation for port 80.
You will need that same static NAT translation for port 22 to use SSH as well.
05-22-2012 12:46:33 AM
from the WAN... I will look into the static NAT, not sure I know how to do that but it makes sense now that you say it. I was trying to do it all dynamic
and, yes, I can do it just fine from the LAN
05-22-2012 01:20:50 AM
I have the static NAT set up as:
ip nat inside source static tcp 192.168.1.5 80 xxx.xxx.xxx.xxx 80
but I'm not sure about the options for extendable and no-payload, they don't seem to help when I try different ones...
I turned on
debug ip nat
and the incoming port numbers are seemingly random so that is totally messing this up, I think, anyway. Why don't I see the port number 80 coming in to be translated?
05-22-2012 03:57:36 PM
05-22-2012 04:29:25 PM
that got me part of the way, now I can reach the router and I can ssh to the PC from a PC that is on the same WAN IPs as the R1 router, but if I try to ssh in or get to the R1 router via a PC that is not on the static IPs, it fails...
05-22-2012 05:11:20 PM - edited 05-22-2012 05:11:55 PM
Ya, to get into the router's HTTP interface, you would need:
ip nat inside source static tcp 192.168.1.1 80 xxx.xxx.xxx.xxx 80
What is the target of the SSH? The PC? In that case, the PC would need to be on a static IP in the private range (say 192.168.1.100), and then:
ip nat inside source static tcp 192.168.1.100 22 xxx.xxx.xxx.xxx 22
05-22-2012 05:19:48 PM
05-22-2012 08:29:06 PM
If you have an SSH server at 192.168.1.5 and the NAT static translation open for it, then you can (from outside your network) SSH to the outside public IP address of xxx.xxx.xxx.xxx. If you have a computer on the LAN that needs to SSH to that PC, then you need to use the local LAN IP address of 192.168.1.5. You cannot use the outside IP, as the Cisco will not allow "loopback connections" through a NAT translation.
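The lookup described in the replies above, as an added example that is not part of the original thread: a simplified Python model (not a full account of IOS NAT) of how the two static entries are matched. 203.0.113.2 is a placeholder for the masked public address, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: 203.0.113.2 (a documentation address) stands in for the
# masked xxx.xxx.xxx.xxx address; the inside hosts are the ones from the thread.
CONFIG = """\
ip nat inside source static tcp 192.168.1.1 80 203.0.113.2 80
ip nat inside source static tcp 192.168.1.100 22 203.0.113.2 22
"""

RULE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")


def parse_static_nat(config):
    """Return {(proto, global_ip, global_port): (local_ip, local_port)}."""
    table = {}
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # not a static port-forward line
        proto, local_ip, local_port, global_ip, global_port = m.groups()
        ipaddress.ip_address(local_ip)   # raises ValueError on a bad address
        ipaddress.ip_address(global_ip)
        table[(proto, global_ip, int(global_port))] = (local_ip, int(local_port))
    return table


def translate(table, arrived_on, proto, src_port, dst_ip, dst_port):
    """Return the inside (ip, port) the packet is forwarded to, or None.

    Assumption taken from the last reply: only packets arriving on the
    'ip nat outside' interface are matched, so a LAN client aiming at the
    public address gets no translation. src_port is accepted only to show
    that the client's ephemeral source port is not part of the lookup key.
    """
    if arrived_on != "outside":
        return None
    return table.get((proto, dst_ip, dst_port))


if __name__ == "__main__":
    nat = parse_static_nat(CONFIG)
    for case in [("outside", "tcp", 51515, "203.0.113.2", 80),
                 ("outside", "tcp", 40022, "203.0.113.2", 22),
                 ("inside", "tcp", 40022, "203.0.113.2", 22),
                 ("outside", "tcp", 40443, "203.0.113.2", 443)]:
        print(case, "->", translate(nat, *case))
```

Every key in the parsed table is a service reachable from the WAN, so the same table doubles as a list of what is exposed.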