Destination NAT on Cisco 876?

Discussion in 'Cisco' started by Martin Turba, Dec 23, 2005.

  1. Martin Turba

    Martin Turba Guest

    Imagine the following scenario:


      10.0.0.1/24  .254 |-----------+ dyn. IP
    +-------+-----------+ Cisco 876 +--------- Internet (PPPoE)
    |       |           |-----------+
    |       |
    Host 1  Host2
    .1      .2


    The Problem:
    ------------

    Host 1 should be reachable from the Internet over port 22. Since the
    outside IP address of the Cisco 876 is allocated dynamically, it
    registers this address at dyndns.org. And so far, everything's working fine.
    The problem occurs if Host2 tries to connect to Host1 by using its
    DynDNS-Name (which resolves to the outside IP address of the 876), the
    SSH connection takes place with the 876 and NOT with Host1.
    Is there any known possibility to get that working?

    I thought of something like dnat on the PIX, which translates
    destination addresses, but I did not manage it yet.


    TIA,
    Martin
    Martin Turba, Dec 23, 2005
    #1

  2. Martin Turba

    Igor Mamuzic Guest

    Please post your NAT config...

    B.R.
    Igor


    "Martin Turba" <> wrote in message
    news:dogp5v$h7v$00$-online.com...
    > Imagine the following scenario:
    >
    >
    >   10.0.0.1/24  .254 |-----------+ dyn. IP
    > +-------+-----------+ Cisco 876 +--------- Internet (PPPoE)
    > |       |           |-----------+
    > |       |
    > Host 1  Host2
    > .1      .2
    >
    >
    > The Problem:
    > ------------
    >
    > Host 1 should be reachable from the Internet over port 22. Since the
    > outside IP address of the Cisco 876 is allocated dynamically, it registers
    > this address at dyndns.org. And so far, everything's working fine.
    > The problem occurs if Host2 tries to connect to Host1 by using its
    > DynDNS-Name (which resolves to the outside IP address of the 876), the SSH
    > connection takes place with the 876 and NOT with Host1.
    > Is there any known possibility to get that working?
    >
    > I thought of something like dnat on the PIX, which translates destination
    > addresses, but I did not manage it yet.
    >
    >
    > TIA,
    > Martin
    Igor Mamuzic, Dec 24, 2005
    #2

  3. Martin Turba

    Alni Guest

    Hello,

    Martin Turba claimed:

    > The Problem:
    > ------------
    > Host 1 should be reachable from the Internet over port 22. Since the outside
    > IP address of the Cisco 876 is allocated dynamically, it registers this
    > address at dyndns.org. And so far, everything's working fine.
    > The problem occurs if Host2 tries to connect to Host1 by using its
    > DynDNS-Name (which resolves to the outside IP address of the 876), the SSH
    > connection takes place with the 876 and NOT with Host1.
    > Is there any known possibility to get that working?


    I've exactly the same problem...
    (and didn't find any issue yet)

    --
    Alni
    Alni, Dec 25, 2005
    #3
  4. Martin Turba

    Uli Link Guest

    >> Host 1 should be reachable from the Internet over port 22. Since the
    >> outside IP address of the Cisco 876 is allocated dynamically, it
    >> registers this address at dyndns.org. And so far, everything's working
    >> fine.
    >> The problem occurs if Host2 tries to connect to Host1 by using its
    >> DynDNS-Name (which resolves to the outside IP address of the 876), the
    >> SSH connection takes place with the 876 and NOT with Host1.
    >> Is there any known possibility to get that working?

    >
    >
    > I've exactly the same problem...
    > (and didn't find any issue yet)
    >


    Can be done via route-map and a loopback interface.
    Set a different next-hop interface according to the source interface to
    circumvent NAT.

    --
    Uli
    Uli Link, Dec 26, 2005
    #4
  5. Martin Turba

    Alni Guest

    Hello,

    Uli Link has just told us:
    >>> Host 1 should be reachable from the Internet over port 22. Since the
    >>> outside IP address of the Cisco 876 is allocated dynamically, it registers
    >>> this address at dyndns.org. And so far, everything's working fine.
    >>> The problem occurs if Host2 tries to connect to Host1 by using its
    >>> DynDNS-Name (which resolves to the outside IP address of the 876), the SSH
    >>> connection takes place with the 876 and NOT with Host1.
    >>> Is there any known possibility to get that working?

    >>
    >>
    >> I've exactly the same problem...
    >> (and didn't find any issue yet)
    >>


    > Can be done via route-map and a loopback interface.
    > Set a different next-hop interface according to the source interface to
    > circumvent NAT.


    Any config example ?

    --
    Alni
    Alni, Dec 26, 2005
    #5
  6. Martin Turba

    Martin Turba Guest

    Uli Link wrote:

    > Can be done via route-map and a loopback interface.
    > Set a different next-hop interface according to the source interface to
    > circumvent NAT.


    Thanks, Uli.. I'll try that in our lab next week. If I am successful,
    I'll post a configuration example here.

    Martin
    Martin Turba, Dec 30, 2005
    #6
  7. Something like this: ?

    ip nat inside source static tcp 10.0.0.1 22 interface [outside-if-name-here] 22 extendable

    Be sure to disable ssh on the 876 itself and any access lists permit port 22
    from the internet.
    (crypto key zeroize rsa, to disable ssh)

    erik

    "Alni" <> wrote in message
    news:...
    > Hello,
    >
    > Uli Link has just told us:
    >>>> Host 1 should be reachable from the Internet over port 22. Since the
    >>>> outside IP address of the Cisco 876 is allocated dynamically, it
    >>>> registers this address at dyndns.org. And so far, everything's working
    >>>> fine.
    >>>> The problem occurs if Host2 tries to connect to Host1 by using its
    >>>> DynDNS-Name (which resolves to the outside IP address of the 876), the
    >>>> SSH connection takes place with the 876 and NOT with Host1.
    >>>> Is there any known possibility to get that working?
    >>>
    >>>
    >>> I've exactly the same problem...
    >>> (and didn't find any issue yet)
    >>>

    >
    >> Can be done via route-map and a loopback interface.
    >> Set a different next-hop interface according to the source interface to
    >> circumvent NAT.

    >
    > Any config example ?
    >
    > --
    > Alni
    >
    >
    Erik Tamminga, Dec 30, 2005
    #7
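
Added example, not part of any post in this thread: a small Python model of IOS legacy NAT order of operations, showing why the static port-forward from post #7 serves Internet clients while Host2's connection to the outside address still terminates on the 876 itself. The outside address 203.0.113.10 and the Internet client 198.51.100.7 are constructed placeholders, and the model is a simplification (one static rule, a single TCP SYN, `ip nat inside` / `ip nat outside` style NAT only).

```python
from dataclasses import dataclass, replace

ROUTER_INSIDE = "10.0.0.254"
ROUTER_OUTSIDE = "203.0.113.10"   # constructed stand-in for the dynamic PPPoE address
# Models: ip nat inside source static tcp 10.0.0.1 22 interface <outside-if> 22
STATIC_NAT = {(ROUTER_OUTSIDE, 22): ("10.0.0.1", 22)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def forward(pkt, in_if, router_ssh_enabled=True):
    """Return (result, packet) for a TCP SYN entering the router on in_if."""
    # outside -> inside: the destination is translated BEFORE the routing lookup,
    # so the static entry wins over the router's own listener on that port.
    if in_if == "outside" and (pkt.dst, pkt.dport) in STATIC_NAT:
        ip, port = STATIC_NAT[(pkt.dst, pkt.dport)]
        pkt = replace(pkt, dst=ip, dport=port)

    # Routing lookup. A packet that came in on the inside interface and is
    # addressed to one of the router's own addresses is delivered locally:
    # it never crosses the inside/outside boundary, so no NAT rule is consulted.
    if pkt.dst in (ROUTER_INSIDE, ROUTER_OUTSIDE):
        if pkt.dport == 22 and router_ssh_enabled:
            return "router-ssh", pkt
        return "reset-by-router", pkt
    if pkt.dst.startswith("10.0.0."):
        return "delivered-to-lan", pkt
    return "routed-to-internet", pkt


def scenarios():
    """The three cases discussed in the thread, as (label, result) pairs."""
    internet = Packet("198.51.100.7", ROUTER_OUTSIDE, 22)  # constructed client
    host2 = Packet("10.0.0.2", ROUTER_OUTSIDE, 22)
    return [
        ("internet -> DynDNS name", forward(internet, "outside")),
        ("Host2 -> DynDNS name", forward(host2, "inside")),
        ("Host2, SSH disabled on 876", forward(host2, "inside", False)),
    ]


if __name__ == "__main__":
    for label, (result, pkt) in scenarios():
        print(f"{label:28} {result:18} dst={pkt.dst}:{pkt.dport}")
```

In this model, disabling SSH on the 876 changes what Host2 sees (a reset instead of the router's login) but does not make the connection reach Host1; that needs the inside traffic to be steered through a NAT boundary, which is what the route-map and loopback suggestion in post #4 is about.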