06-07-2006 01:52 AM - edited 03-03-2019 12:55 PM
Hi,
I have got a 1841 ISR router with SDM. I am having a strange problem: whenever I configure an access list on any interface it starts blocking my telnet connection from outside. I tried to apply an ACL with permit ip any any on my outside interface; then also it starts blocking my SSH or telnet connection.
06-07-2006 04:56 AM
That does seem unusual. Perhaps you would post the config of the router (masking any sensitive information). This might help us to figure out what is going on.
HTH
Rick
06-07-2006 08:33 PM
Hi,
the config of the router is given below:
--------------------------------------------------
sh run
Building configuration...
Current configuration : 4714 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret xxxx
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip domain name yourdomain.com
ip name-server 203.x.x.30
ip name-server 202.x.x.50
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group WindowsVpn
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
vpdn-group vpnWindows
!
!
no ftp-server write-enable
!
!
crypto pki trustpoint TP-self-signed-2572555141
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2572555141
revocation-check none
rsakeypair TP-self-signed-2572555141
!
!
crypto pki certificate chain TP-self-signed-2572555141
certificate self-signed 01
17806F5D 3656E40B A59F3BC9 4824819F 139F4DF6 757390A6
username cisco privilege 15 password xxx
!
crypto keyring WindowsVpn
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp keepalive 3600
no crypto isakmp ccm
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set divita esp-3des esp-sha-hmac
!
crypto dynamic-map DYN_MAP 10
set transform-set divita
!
!
crypto map CRYP_MAP 6000 ipsec-isakmp dynamic DYN_MAP
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
description LINT TO INTERNET
ip address 61.17.x.x.x.255.0
ip nat outside
ip virtual-reassembly
shutdown
duplex auto
interface FastEthernet0/1
description LINK TO LAN
ip address 10.129.149.80 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool POOL
ppp mtu adaptive
ppp authentication chap ms-chap
!
ip local pool POOL 172.16.1.2 172.16.1.254
ip classless
ip route 0.0.0.0 0.0.0.0 61.17.249.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit any
!
!
control-plane
!
banner login ^C
!
line con 0
login local
line aux 0
line vty 0 4
password cisco
login
transport input telnet
line vty 5 15
privilege level 15
login local
transport input none
!
warm-reboot
end
Whenever I remove the NATing I am able to telnet from outside and able to connect through PPTP, but when I put NATing in I can't telnet and can't connect through PPTP.
06-08-2006 05:05 AM
The original post indicated that the problem was that if you put an access list on an interface it blocked your telnet. This post indicates that the problem is that if you enable NAT it blocks telnet. Those are significantly different symptoms.
I see that FastEthernet0/0 is shutdown. Do you have the same symptoms when it is no shut? Since that interface has the address to which you NAT, I can believe that it might be a problem if it was shut down.
I am not sure that it is related, but I notice something else that seems not right. The virtual template interface uses ip unnumbered:
interface Virtual-Template1
ip unnumbered Loopback0
but the loopback 0 interface has no IP address.
HTH
Rick
06-13-2006 08:39 PM
Hi dippu,
as per your configuration there is only one mistake found, and that's with your standard access-list. Just modify that. Currently the ACL is like this: access-list 1 permit ip any. Just remove this and add it like this: access-list 1 permit 192.168.1.0 0.0.0.255
Thank you,
rsreddy
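The three things flagged in this thread (Rick's points that the NAT outside interface FastEthernet0/0 is shut down and that Virtual-Template1 is unnumbered to a Loopback0 with no address, and rsreddy's point that the NAT source list access-list 1 permits any source) can be checked mechanically before a config is pushed. The following is an added example written for this thread, not code from the poster, from Cisco or from SDM. It assumes the "show run" layout in which sub-commands are indented by one space, and its sample config is constructed from the one posted above with the public address replaced by a documentation placeholder; the inside-subnet suggestion it prints is derived from the "ip nat inside" interface's address and mask rather than hard-coded.

```python
"""Audit a Cisco IOS running config for the three problems raised in this thread:
a NAT source ACL that permits any source, a NAT outside interface that is shut down,
and an 'ip unnumbered' reference to an interface that has no IP address.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the config posted above; 192.0.2.10 is a
# documentation placeholder for the masked public address.
SAMPLE_CONFIG = """\
hostname yourname
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 description LINK TO INTERNET
 ip address 192.0.2.10 255.255.255.0
 ip nat outside
 shutdown
!
interface FastEthernet0/1
 description LINK TO LAN
 ip address 10.129.149.80 255.255.255.0
 ip nat inside
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool POOL
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit any
"""


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into its top-level lines and a map of
    top-level line -> indented sub-commands (IOS indents them with a space)."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' separators end a section
            continue
        if raw[0] in " \t":
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = raw.rstrip()
        top.append(current)
        sections.setdefault(current, [])
    return top, sections


def interfaces(sections: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return interface name -> its sub-commands."""
    return {hdr.split(maxsplit=1)[1]: cmds
            for hdr, cmds in sections.items() if hdr.startswith("interface ")}


def network_and_wildcard(addr: str, mask: str) -> Tuple[str, str]:
    """Turn an address/netmask pair into the network and wildcard an ACL needs."""
    a = [int(x) for x in addr.split(".")]
    m = [int(x) for x in mask.split(".")]
    return (".".join(str(x & y) for x, y in zip(a, m)),
            ".".join(str(255 - y) for y in m))


def inside_subnet(ifaces: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """Network/wildcard of the first interface marked 'ip nat inside', if addressed."""
    for cmds in ifaces.values():
        if "ip nat inside" in cmds:
            for c in cmds:
                m = re.match(r"ip address (\S+) (\S+)", c)
                if m:
                    return network_and_wildcard(*m.groups())
    return None


def audit(config: str) -> List[str]:
    """Return a list of human-readable findings; empty means all three checks pass."""
    top, sections = parse_sections(config)
    ifaces = interfaces(sections)
    findings: List[str] = []

    for line in top:
        m = re.match(r"ip nat inside source list (\S+) interface (\S+)", line)
        if not m:
            continue
        acl, nat_if = m.groups()
        # 1. Standard ACL used as the NAT source list must not match every source.
        catch_all = re.compile(rf"access-list {re.escape(acl)} permit "
                               r"(any|0\.0\.0\.0 255\.255\.255\.255)")
        if any(catch_all.fullmatch(e) for e in top):
            net_wc = inside_subnet(ifaces)
            hint = (f"access-list {acl} permit {net_wc[0]} {net_wc[1]}"
                    if net_wc else "the inside subnet")
            findings.append(f"access-list {acl} (NAT source list) permits any source; "
                            f"restrict it to the inside subnet: {hint}")
        # 2. The interface whose address is used for overload NAT must be up.
        if "shutdown" in ifaces.get(nat_if, []):
            findings.append(f"{nat_if} is the NAT outside interface but is shut down")

    # 3. 'ip unnumbered X' only works if X actually carries an address.
    for name, cmds in ifaces.items():
        for cmd in cmds:
            m = re.match(r"ip unnumbered (\S+)", cmd)
            if m and not any(c.startswith("ip address ")
                             for c in ifaces.get(m.group(1), [])):
                findings.append(f"{name} is unnumbered to {m.group(1)}, "
                                f"which has no IP address")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the constructed sample it reports three findings, one per issue raised in the thread; once the ACL is narrowed to the inside subnet, FastEthernet0/0 is no longer shut down and Loopback0 carries an address, it reports nothing. It only reads the config text; it does not change anything on the router.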
06-13-2006 08:46 PM
Thank you, sir.