I have NAT configured and all is working well. I have a static NAT translation for telnet requests for 10.0.0.2 to forward to an internal host of 192.168.1.100. When the outside host telnets to 10.0.0.2 all works as it should.
Now I need this to work for the inside hosts as well. When host 192.168.2.100 telnets to 10.0.0.2 it should forward to 192.168.1.100. This does not work "connection refused". I have the same issue in a live environment but it's to a webserver. I've googled and read several Cisco NAT documents as well as searching CLN but I'm just not finding what I need. Maybe I'm not searching for the right thing.
Does anyone here have a solution or can you point me in the right direction? Below is my test setup and the config from the router. Very basic configuration since all I'm testing is the NAT.
Current configuration : 1513 bytes
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no aaa new-model
memory-size iomem 5
no ip domain lookup
multilink bundle-name authenticated
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip address 10.0.0.1 255.255.255.0
ip nat outside
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat pool NAT_Pool 10.0.0.1 10.0.0.2 netmask 255.255.255.0
ip nat inside source route-map NAT_RMAP pool NAT_Pool overload
ip nat inside source static tcp 192.168.1.100 23 10.0.0.2 23 extendable
ip access-list extended ACL_NAT_RMAP
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
route-map NAT_RMAP permit 1
match ip address ACL_NAT_RMAP
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
What you are trying to do is not well supported in Cisco IOS. If you search NAT loopback or NAT on a stick you may find a solution. Below is a link that has an example that may be helpful.
Is this a live environment? I'm not sure why you need a pool, why can't you just use ports?
ip nat inside source list 150 int fa1/0 overload
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source static 192.168.1.100 10.0.0.2 extendable
ip nat inside source static 192.168.2.100 10.0.0.3 extendable
Anyone who telnets to 10.0.0.2 will be sent to 192.168.1.100, and anyone who telnets to 10.0.0.1 gets sent to 192.168.2.100.
When it says refused, it usually indicates a firewall or ACL, depending on the device you're telnetting to. So if 192.168.2.100 was a router, and I used #transport input ssh, when you telnet to 10.0.0.1 it would be "connection refused". With SSH it can also be because you didn't put #crypto key gen rsa on it. So I'd check that the firewall permits telnet to the device having a problem if it's a PC.
CiscoLoco, I came across the Cisco docs for NAT on a stick and gave it a try yesterday. That didn't change anything.
Stephen, I have a similar issue in a live environment with http traffic going to a webserver. I've worked this up in GNS3 to find a fix. The pool was just set up with all our external IP addresses, but the first IP is the only IP that ever gets used out of the pool. We're not having an issue with this part of NAT. I have static NAT set up to forward telnet traffic to the inside host and it works as long as you're coming from the outside, but not from the other inside host. Above is the full basic config with no additional ACLs which could be blocking the telnet traffic, and the host 192.168.1.100 has no security setup to block telnet traffic.
Thanks for the suggestions.
If you're connecting internally, just use the actual private IP assigned to the host.
I don't understand why you would ever connect from the inside network, TO another host on the inside network, but use the outside natted IP..? It doesn't make sense.
Think about the processing in the router. You come from 192.168.1.50. You then telnet to 10.0.0.2. The router checks the routing table and sees the 10.0.0.0/24 network is directly connected to the fa1/0 interface. When the packet hits fa1/0, it sees there is a NAT statement, and uses an IP from the NAT pool to go out. When it hits the next device, it hasn't got a clue how to get to 10.0.0.2.
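A small Python model of the order of operations that last reply describes, added here as an illustration and not posted by anyone in the thread. It uses the addresses from the posted config; the inside interface names fa0/0 and fa0/1 and the outside host 10.0.0.50 are assumed (the thread only names fa1/0). It walks both cases: the outside host that works and the inside host that never gets its destination translated.

```python
import ipaddress

# Connected routes (inside interface names are assumed; the thread only names fa1/0).
ROUTES = {"192.168.1.0/24": "fa0/0", "192.168.2.0/24": "fa0/1", "10.0.0.0/24": "fa1/0"}
INSIDE = {"fa0/0", "fa0/1"}          # the 'ip nat inside' interfaces
# Static entry from the posted config: inside global 10.0.0.2:23 -> inside local 192.168.1.100
STATIC_TCP = {("10.0.0.2", 23): "192.168.1.100"}
POOL_FIRST = "10.0.0.1"              # the pool address the OP says is always used

def route(dst):
    """Longest-match lookup over the connected routes; returns the egress interface."""
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def forward(ingress, src, dst, dport):
    """Return (egress, src, dst) after the classic IOS inside/outside NAT order."""
    if ingress in INSIDE:
        # inside -> outside: routing decision first, then inside-source translation
        egress = route(dst)
        if egress not in INSIDE:
            src = POOL_FIRST           # overload hides the source behind the pool
        return egress, src, dst        # the destination is never touched on this path
    # outside -> inside: translate the destination first, then route the result
    dst = STATIC_TCP.get((dst, dport), dst)
    return route(dst), src, dst

def explain(ingress, src, dst, dport):
    egress, s, d = forward(ingress, src, dst, dport)
    return f"{ingress}: {src}->{dst}:{dport}  =>  {egress}: {s}->{d}:{dport}"

if __name__ == "__main__":
    # Outside host (constructed) telnetting to the inside-global address: translated, then routed in.
    print(explain("fa1/0", "10.0.0.50", "10.0.0.2", 23))
    # Inside host on the other LAN doing the same: routed straight out fa1/0, destination untouched.
    print(explain("fa0/1", "192.168.2.100", "10.0.0.2", 23))
```

The second line of output shows the packet leaving fa1/0 still addressed to 10.0.0.2, which is why the next device on 10.0.0.0/24 has nowhere to send it.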