Cisco C891F unable to telnet/ssh to WAN port. connection refused.

Team,

I'm unable to remotely (WAN interface) access this Cisco C891F router using the config below.

Telnet and SSH both work using the LAN interface. The error message I get is "Connections refused".

With debug ip packet I do see an RST packet as a response to the incoming telnet request packet.

Current configuration : 9161 bytes

!

! Last configuration change at 15:45:37 CET Fri Oct 30 2015 by support

! NVRAM config last updated at 16:27:05 CET Fri Oct 30 2015 by support

version 15.3

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

service password-encryption

!

hostname ROUTER

!

boot-start-marker

boot-end-marker

!

aqm-register-fnf

!

logging buffered 65355

enable secret 5 $1$I7QP$kidZ3cWzV0j2RAQ7KIJPz0

enable password <…>

!

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

!

!

aaa session-id common

clock timezone CET 1 0

clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00

!

!

ip dhcp excluded-address 192.168.2.1 192.168.2.69

ip dhcp excluded-address 192.168.2.200 192.168.2.254

!

ip dhcp pool 1

network 192.168.2.0 255.255.255.0

domain-name ROUTER.nl

dns-server 194.109.6.66 8.8.8.8 194.109.9.99

default-router 192.168.2.254

lease 0 4

!

!

!

ip domain name ROUTER.nl

ip name-server 194.109.6.66

ip name-server 194.109.9.99

ip name-server 8.8.8.8

ip cef

no ipv6 cef

!

!

!

!

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

license udi pid C891F-K9 sn FCZ1939917Z

!

!

username support privilege 15 password <…>

username a3sup privilege 15 password <…>

!

!

!

!

!

!

!

!

!

!

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

isdn termination multidrop

!

interface FastEthernet0

no ip address

shutdown

duplex auto

speed auto

!

interface GigabitEthernet0

no ip address

!

interface GigabitEthernet1

no ip address

!

interface GigabitEthernet2

no ip address

shutdown

!

interface GigabitEthernet3

no ip address

shutdown

!

interface GigabitEthernet4

no ip address

shutdown

!

interface GigabitEthernet5

no ip address

shutdown

!

interface GigabitEthernet6

no ip address

shutdown

!

interface GigabitEthernet7

no ip address

shutdown

!

interface GigabitEthernet8

description verbinding met xs4all.

mtu 1492

bandwidth 500000

no ip address

ip virtual-reassembly in

duplex auto

speed auto

!

interface GigabitEthernet8.4

description VLAN ID 4 is for IPTV

encapsulation dot1Q 4

!

interface GigabitEthernet8.6

description VLAN ID 6 is for Internet (pppoe) 213.238.215.201

encapsulation dot1Q 6

pppoe enable group global

pppoe-client dial-pool-number 2

!

interface GigabitEthernet8.7

description VLAN ID 7 is for VoIP.

encapsulation dot1Q 7

!

interface Vlan1

description Netwerk ROUTER.nl

ip address 192.168.2.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

interface Vlan6

no ip address

load-interval 30

pppoe enable group global

pppoe-client dial-pool-number 1

!

interface Async3

no ip address

encapsulation slip

!

interface Dialer2

description Verbinding met xs4all. 213.238.215.201/32

mtu 1492

ip address negotiated previous

no ip redirects

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

encapsulation ppp

ip tcp adjust-mss 1452

load-interval 30

dialer pool 2

dialer-group 1

ppp authentication pap callin

ppp pap sent-username FB7490@xs4all.nl password 7 025756085F

ppp ipcp address accept

no cdp enable

crypto map vdAAmap

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

ip nat inside source list 102 interface Dialer2 overload

ip nat inside source static tcp 192.168.2.51 8000 213.238.215.201 8000 extendable

ip nat inside source static tcp 192.168.2.250 9100 213.238.215.201 9100 extendable

ip route 0.0.0.0 0.0.0.0 Dialer2

!

dialer-list 1 protocol ip permit

!

access-list 102 permit ip 192.168.2.0 0.0.0.255 any

!

!

!

control-plane

!

!

!

mgcp behavior rsip-range tgcp-only

mgcp behavior comedia-role none

mgcp behavior comedia-check-media-src disable

mgcp behavior comedia-sdp-force disable

!

mgcp profile default

!

!

!

!

banner login ^C

 

 

Authorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!

 

 

^C

!

line con 0

no modem enable

line aux 0

line 3

modem InOut

speed 115200

flowcontrol hardware

line vty 0 4

exec-timeout 30 0

privilege level 15

transport input telnet ssh

transport output none

line vty 5 15

privilege level 15

transport input telnet ssh

transport output none

!

scheduler allocate 20000 1000

ntp server 129.250.35.251

ntp server 64.99.80.30

!

end

 

ROUTER#

I'm doing something wrong, but I can't figure out what.

Any help is highly appreciated.

Thanks in advance, Willem

Mark Malone
VIP Alumni

Try turning off AAA for a minute: no aaa new-model

Set a standard username/password: username Willem secret xxxxx

Then under line vty 0 4 apply: login local

That should work for you. Did you generate crypto keys for the SSH?

Mark,

I have done as suggested. No results. I believe it is related to either a NAT or routing issue (bug).

I have also deleted the vlan 6 interface as that one was not required any more.

I have about the same config, a little different router, older IOS, and that one works.

Still looking for a solution.

We ran into bug CSCup75103.

Symptom:
On IOS upgrade to 153-3.M2.bin & onwards, we cannot telnet/ssh the router where nat is configured.

Conditions:
This problem only exists if we have a NAT entry configured using an IP which also exists on an interface, i.e.
ip nat inside source static tcp

Workaround:
Change the above statement to use interface instead of IP address, i.e.

ip nat inside source static tcp interface

Upgrade to 15.4(3)M4 solved the problem.