02-19-2004 11:53 AM - edited 03-02-2019 01:43 PM
Hi, I am having problems trying to telnet to the fe interface of my edge router from my management host (internal). I tried adding an access list allowing access to the fe interface of the router. Do I need to do something to the firewall? (I thought that the firewall allows all outgoing.)
Can somebody tell me what I am doing wrong?
Thanks
Here is the sh run:
sh run
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ABC
!
logging buffered 4096 debugging
!
username xxx privilege 15 password xxxx
!
!
!
!
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
!
!
process-max-time 200
!
interface Serial0
ip address a.b.c.d 255.255.255.252
no ip redirects
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
no ip route-cache
no cdp enable
!
interface FastEthernet0
ip address x.x.x.97 255.255.255.224
no ip directed-broadcast
full-duplex
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.41
no ip http server
!
access-list 2 permit 63.94.243.0 0.0.0.255
access-list 2 permit 204.188.152.80 0.0.0.15
access-list 2 permit 65.199.21.0 0.0.0.255
access-list 101 permit tcp any any established
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq tftp
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq who
access-list 101 deny udp any any eq echo
access-list 101 deny udp any any eq syslog
access-list 101 deny tcp any any eq bgp
access-list 101 deny tcp any any eq chargen
access-list 101 deny tcp any any eq cmd
access-list 101 deny tcp any any eq echo
access-list 101 deny tcp any any eq exec
access-list 101 deny tcp any any eq finger
access-list 101 deny tcp any any eq gopher
access-list 101 deny tcp any any eq klogin
access-list 101 deny tcp any any eq kshell
access-list 101 deny tcp any any eq login
access-list 101 deny tcp any any eq lpd
access-list 101 deny tcp any any eq whois
access-list 101 permit ip any any
no cdp run
banner motd ^CCC
UNAUTHORIZED ACCESS PROHIBITED.....
^C
!
line con 0
exec-timeout 0 0
logging synchronous
login local
transport input none
line aux 0
logging synchronous
login local
modem InOut
modem autoconfigure discovery
transport input all
speed 2400
line vty 0 4
access-class 2 in
logging synchronous
login local
!
end
02-19-2004 12:44 PM
Hello,
What is the IP address of your internal host, the host you are on? Do a show ip route x.x.x.x on the router, where x.x.x.x is the address of your internal host, and check where the route is pointing to.
Regards,
Georg
02-19-2004 12:47 PM
I don't see any routing protocol in your config, and your default route is probably through your serial interface. Can you at least ping this router?
02-19-2004 01:00 PM
I would definitely check the IP address of the management station, and I'd also check the firewall; they can be configured to deny outgoing packets.
02-19-2004 02:46 PM
Hi, everybody,
The edge router's serial is x.y.z.w
The edge router's fe is a.b.c.97
The firewall's outside ip is a.b.c.98
The firewall's internal ip is 192.168.1.2
My internal host ip address is 192.168.1.92
I removed the access list allowing my internal host because it was not working (here it is again):
router(config)#access-list 120 permit tcp host 192.168.1.92 host a.b.c.97 eq 23
router(config)#line vty 0 4
router(config-line)#access-class 120 in
Error:
C:\>telnet a.b.c.97
Connecting To a.b.c.97...Could not open a connection to host on port 23 : Connect failed
I can successfully ping the fe and serial of the edge router (the firewall permits it).
I am sure it is the firewall, but it has many conduit permit lines and I really do not want to cause a network disruption.
Any suggestions will be appreciated.
Thanks
02-20-2004 06:52 AM
OK, it looks like you're running NAT (or possibly PAT) on your firewall.
You have allowed telnet access to your edge router's fe using a host's inside private IP address (which I assume is the IP address of your management station), denying all other IP addresses.
Your management station is getting an outside global address from your firewall. This IP is not allowed telnet access to your edge router's fe.
You need to modify the telnet access-list to allow for the outside global address of your management station.
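The mechanism in the reply above, as an added Python example that is not part of the original thread: a small evaluator for IOS numbered access lists (wildcard masks, first match wins, implicit deny at the end) together with the firewall's PAT rewrite of the source address. It shows why a vty access-class matching the inside-local address 192.168.1.92 never fires, and that the same applies to the access-list 2 still on the vty lines in the posted config. It assumes 203.0.113.97 and 203.0.113.98 (TEST-NET-3) stand in for the thread's a.b.c.97 and a.b.c.98; the packets are constructed here. It also runs a few packets through the posted access-list 101, which the posted config defines but never applies to an interface with ip access-group.

```python
"""Evaluate Cisco IOS numbered access lists against sample packets.

Added example, not code from the thread. Assumptions: 203.0.113.97 / .98 stand
in for the thread's a.b.c.97 / a.b.c.98; all packets are constructed below.
"""
import ipaddress

# IOS port keywords used in the posted config (subset).
PORT_NAMES = {"telnet": 23, "snmp": 161, "tftp": 69, "bgp": 179, "finger": 79,
              "syslog": 514, "echo": 7, "chargen": 19, "whois": 43}
ANY = ("0.0.0.0", "255.255.255.255")


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def _take_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' (standard-ACL shorthand)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    if len(tok) >= 2 and tok[1][0].isdigit() and tok[1].count(".") == 3:
        return (tok[0], tok[1]), tok[2:]
    return (tok[0], "0.0.0.0"), tok[1:]


def _take_port(tok):
    if tok and tok[0] == "eq":
        p = tok[1]
        return PORT_NAMES.get(p, int(p) if p.isdigit() else None), tok[2:]
    return None, tok


def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines, in order, into rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        number, action, tok = int(tok[1]), tok[2], tok[3:]
        if number <= 99:                      # standard list: source address only
            src, tok = _take_addr(tok)
            rules.append(dict(action=action, proto="ip", src=src, sport=None,
                              dst=ANY, dport=None, established=False))
            continue
        proto, tok = tok[0], tok[1:]          # extended list
        src, tok = _take_addr(tok)
        sport, tok = _take_port(tok)
        dst, tok = _take_addr(tok)
        dport, tok = _take_port(tok)
        rules.append(dict(action=action, proto=proto, src=src, sport=sport,
                          dst=dst, dport=dport, established=("established" in tok)))
    return rules


def evaluate(rules, pkt):
    """First matching rule decides; no match is the implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *r["src"]) or not wildcard_match(pkt["dst"], *r["dst"]):
            continue
        if r["sport"] is not None and r["sport"] != pkt["sport"]:
            continue
        if r["dport"] is not None and r["dport"] != pkt["dport"]:
            continue
        if r["established"] and not pkt.get("ack", False):   # 'established' = ACK or RST set
            continue
        return r["action"]
    return "deny"


def pat_outbound(pkt, inside_net, outside_global, port=1024):
    """Firewall PAT: an inside-local source leaves with the one outside-global address."""
    if ipaddress.IPv4Address(pkt["src"]) in ipaddress.IPv4Network(inside_net):
        return dict(pkt, src=outside_global, sport=port)
    return pkt


# vty filters: the poster's list, the fix from the thread, and the list 2 still on vty 0 4.
VTY_AS_POSTED = "access-list 120 permit tcp host 192.168.1.92 host 203.0.113.97 eq 23"
VTY_FIXED = "access-list 120 permit tcp host 203.0.113.98 host 203.0.113.97 eq 23"
ACL_2 = """
access-list 2 permit 63.94.243.0 0.0.0.255
access-list 2 permit 204.188.152.80 0.0.0.15
access-list 2 permit 65.199.21.0 0.0.0.255
"""
TELNET = dict(proto="tcp", src="192.168.1.92", sport=40001, dst="203.0.113.97", dport=23)


def vty_decisions():
    """What the router's access-class sees for the management host's telnet."""
    seen = pat_outbound(TELNET, "192.168.1.0/24", "203.0.113.98")
    return {"posted, no PAT": evaluate(parse_acl(VTY_AS_POSTED), TELNET),
            "posted, after PAT": evaluate(parse_acl(VTY_AS_POSTED), seen),
            "fixed, after PAT": evaluate(parse_acl(VTY_FIXED), seen),
            "acl 2, after PAT": evaluate(parse_acl(ACL_2), seen),
            "translated source": seen["src"]}


# A few lines of the posted access-list 101, applied to constructed inbound packets.
ACL_101 = """
access-list 101 permit tcp any any established
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny udp any any eq snmp
access-list 101 permit ip any any
"""


def ingress_decisions():
    r = parse_acl(ACL_101)
    return {"rfc1918 source": evaluate(r, dict(proto="tcp", src="10.9.9.9", sport=5, dst="203.0.113.97", dport=80)),
            "snmp probe": evaluate(r, dict(proto="udp", src="198.51.100.7", sport=5, dst="203.0.113.97", dport=161)),
            "reply to our session": evaluate(r, dict(proto="tcp", src="198.51.100.7", sport=80, dst="203.0.113.98", dport=5, ack=True)),
            "new telnet from internet": evaluate(r, dict(proto="tcp", src="198.51.100.7", sport=5, dst="203.0.113.97", dport=23))}


if __name__ == "__main__":
    for k, v in {**vty_decisions(), **ingress_decisions()}.items():
        print(f"{k:28} {v}")
```

Two things the run makes visible: the router only ever sees the outside-global address, so the permitted host in whichever list is on the vty lines (list 120 here, or list 2 as still configured) has to be that address; and a new inbound telnet from the Internet passes list 101 on its last line, so the vty access-class, not list 101, is what keeps the router's telnet port closed to strangers.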
02-20-2004 08:08 AM
Thanks!
It works now (forgot to mention PAT).
I was trying to save some global IP addresses, I guess.
Mario