Cannot telnet fe interface of edge router from inside host.

mariocabrejo
Level 1

Hi, I am having problems trying to telnet to the fe interface of my edge router from my management host (internal). I tried adding an access list and allowing access to the fe interface of the router. Do I need to do something to the firewall? (I thought that the firewall allows all outgoing.)

Can somebody tell me what I am doing wrong?

Thanks

Here is the sh run:

sh run

Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ABC
!
logging buffered 4096 debugging
!
username xxx privilege 15 password xxxx
!
!
!
!
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
!
!
process-max-time 200
!
interface Serial0
 ip address a.b.c.d 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 no ip route-cache
 no cdp enable
!
interface FastEthernet0
 ip address x.x.x.97 255.255.255.224
 no ip directed-broadcast
 full-duplex
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.41
no ip http server
!
access-list 2 permit 63.94.243.0 0.0.0.255
access-list 2 permit 204.188.152.80 0.0.0.15
access-list 2 permit 65.199.21.0 0.0.0.255
access-list 101 permit tcp any any established
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq tftp
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq who
access-list 101 deny udp any any eq echo
access-list 101 deny udp any any eq syslog
access-list 101 deny tcp any any eq bgp
access-list 101 deny tcp any any eq chargen
access-list 101 deny tcp any any eq cmd
access-list 101 deny tcp any any eq echo
access-list 101 deny tcp any any eq exec
access-list 101 deny tcp any any eq finger
access-list 101 deny tcp any any eq gopher
access-list 101 deny tcp any any eq klogin
access-list 101 deny tcp any any eq kshell
access-list 101 deny tcp any any eq login
access-list 101 deny tcp any any eq lpd
access-list 101 deny tcp any any eq whois
access-list 101 permit ip any any
no cdp run
banner motd ^CCC
UNAUTHORIZED ACCESS PROHIBITED.....
^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login local
 transport input none
line aux 0
 logging synchronous
 login local
 modem InOut
 modem autoconfigure discovery
 transport input all
 speed 2400
line vty 0 4
 access-class 2 in
 logging synchronous
 login local
!
end

6 Replies

Hello,

What is the IP address of your internal host, the host you are on? Do a show ip route x.x.x.x on the router, where x.x.x.x is the address of your internal host, and check where the route is pointing to.

Regards,

Georg

Harold Ritter
Cisco Employee

I don't see any routing protocol in your config, and your default route is probably through your serial interface. Can you at least ping this router?

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

chuck.price
Level 1

I would definitely check the IP address of the management station, and I'd also check the firewall; they can be configured to deny outgoing packets.

Hi, everybody,

The edge router's serial is x.y.z.w

The edge router's fe is a.b.c.97

The firewall's outside ip is a.b.c.98

The firewall's internal ip is 192.168.1.2

My internal host ip address is 192.168.1.92

I removed the access list allowing my internal host because it was not working (here it is again):

ip access-list 120 permit tcp host 192.168.1.92 host a.b.c.97 eq 23

router(config)#line vty 0 4

router(config-line)#access-class 120 in

Error:

C:\>telnet a.b.c.97

Connecting To a.b.c.97...Could not open a connection to host on port 23 : Connect failed

I can successfully ping the fe and serial of the edge router (the firewall permits it).

I am sure it is the firewall, but it has many conduit permit lines and I really do not want to cause a network disruption.

Any suggestions will be appreciated.

Thanks

OK, it looks like you're running NAT (or possibly PAT) on your firewall.

You have allowed telnet access to your edge router's fe using a host's inside private IP address (which I assume is the IP address of your management station), denying all other IP addresses.

Your management station is getting an outside global address from your firewall. This IP is not allowed telnet access to your edge router's fe.

You need to modify the telnet access-list to allow for the outside global address of your management station.
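As an added illustration (not code from the thread or from Cisco), this Python model of the firewall's PAT step followed by the router's vty access-class check shows why an ACL written for 192.168.1.92 never matches while one written for the outside global address does. The thread's masked a.b.c.97/.98 addresses are replaced by documentation-range placeholders, and the wildcard-mask and PAT logic are simplified models of IOS behaviour.

```python
import ipaddress

# Constructed stand-ins: the page masks the real addresses as a.b.c.97/.98, so
# RFC 5737 documentation space is used here as a placeholder.
FW_OUTSIDE = "203.0.113.98"   # firewall outside address, also the PAT address (a.b.c.98)
MGMT_HOST = "192.168.1.92"    # internal management station from the thread


def matches_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr)) & care
    b = int(ipaddress.IPv4Address(base)) & care
    return a == b


def access_class_permits(acl, src: str) -> bool:
    """Walk an ACL applied as 'access-class ... in' on the vty lines, top-down.
    Entries are (action, source, wildcard); only the source is checked because
    that is what access-class matches on. Implicit deny at the end, as on IOS."""
    for action, base, wildcard in acl:
        if matches_wildcard(src, base, wildcard):
            return action == "permit"
    return False


def pat_outbound(src: str, fw_outside: str) -> str:
    """Model the firewall's PAT: every inside (private) source leaves with the
    firewall's outside address; a non-private source is passed through unchanged."""
    return fw_outside if ipaddress.IPv4Address(src).is_private else src


def telnet_to_router(acl, src: str, fw_outside: str, pat: bool = True):
    """Return (source address the router sees, whether the access-class permits it)."""
    seen = pat_outbound(src, fw_outside) if pat else src
    return seen, access_class_permits(acl, seen)


# ACL 120 as first written in the thread: permits only the private host address.
ACL_PRIVATE_HOST = [("permit", MGMT_HOST, "0.0.0.0")]
# ACL 120 corrected as the reply suggests: permit the outside global (PAT) address.
# Caveat: under PAT every inside host shares that address, so this admits them all.
ACL_OUTSIDE_GLOBAL = [("permit", FW_OUTSIDE, "0.0.0.0")]
# ACL 2 from the posted config, showing wildcard ranges are evaluated the same way.
ACL_2 = [("permit", "63.94.243.0", "0.0.0.255"),
         ("permit", "204.188.152.80", "0.0.0.15"),
         ("permit", "65.199.21.0", "0.0.0.255")]

if __name__ == "__main__":
    print(telnet_to_router(ACL_PRIVATE_HOST, MGMT_HOST, FW_OUTSIDE))    # ('203.0.113.98', False)
    print(telnet_to_router(ACL_OUTSIDE_GLOBAL, MGMT_HOST, FW_OUTSIDE))  # ('203.0.113.98', True)
```

Running the model with pat=False reproduces the original expectation (the private address matches directly), which is exactly the assumption the PAT on the firewall breaks.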

THANKS!

It works now (forgot to mention PAT).

I was trying to save some global IP addresses, I guess.

Mario