Can ping but cannot telnet.. - URGENT

winanjaya
Level 1

Dear All,

I am very new to this. I have a WAN connection between 2 branches (A & B).

A is on 172.16.1.0

A has mail server on 192.168.1.9 (dmz)

B is on 172.16.2.0

B has also mail server on 172.16.2.6

I can ping from any PC on network A (i.e. 172.16.1.88) to the mail server of branch B (172.16.2.6).

I can also telnet from any PC on network A (i.e. 172.16.1.88) to the mail server of branch B (i.e. telnet 172.16.2.6 25).

The problem is with the mail server of branch A (192.168.1.9, DMZ):

it can ping the mail server on branch B, but it cannot telnet into it. What is happening? Please advise.

thanks a lot in advance

Regards

Winanjaya

12 Replies

zaeemarshad
Level 1

Is port 23 open on that machine? Either it is firewalled or the telnet daemon is not running on it. Check for these.

Regards

Zaeem

The telnet service is already open on that machine, and it's not firewalled, because I (on 172.16.1.88) can telnet to that machine. The problem is that I cannot telnet to that machine (172.16.2.6) from my mail server (192.168.1.9). Please advise what I should do. Thanks a lot in advance.

Regards

Winanjaya

Sounds like an access-control-list problem on the B side or the A side, or both.

Are there any ACLs being applied along the traffic path which have "permit icmp any any"? That would explain why everybody can ping everybody. Is it then followed by more explicit permit or deny commands that allow the network at A (172.16.1.0) to telnet to the mailserver at B on TCP port 25, but don't allow for the A-side DMZ 192.168.1.0 network or hosts to do the same?

If there are no explicit commands to permit from the A-side DMZ, then it's possible that the implicit "deny all" at the end of each ACL could also be preventing the mailserver in the A-side DMZ from telnetting to TCP port 25 on the B-side.
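The evaluation order this reply describes (first match wins, "permit icmp any any" near the top, implicit "deny all" at the end) is easy to see in a small model. The script below is an added example and is not part of the thread; the two-rule ACL it parses is constructed to reproduce the symptom (the poster's router configs later in the thread contain no access lists at all), and it understands the IOS wildcard-mask syntax only, not the PIX netmask syntax.

```python
"""Added example (not from the thread): a first-match model of a Cisco
extended ACL with the implicit "deny all" at the end, used to show why
"permit icmp any any" lets every host ping while TCP/25 from the DMZ
host still fails.  The ACL lines below are constructed for illustration;
the thread's own router configs contain no access lists."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str              # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None means any destination port


def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the inverse of a netmask: 0.0.0.255 -> /24
    # (this toy assumes a contiguous wildcard).
    host_bits = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False), i + 2


def parse_acl_line(line: str) -> Tuple[str, Rule]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' (numeric port only)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = t[1], t[2], t[3]
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return name, Rule(action, proto, src, dst, dport)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching rule wins; if nothing matches, the implicit deny applies."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for idx, r in enumerate(rules):
        if r.proto not in ("ip", flow.proto):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action, idx
    return "deny", None          # implicit "deny ip any any" at the end of every ACL


# Constructed ACL reproducing the symptom: ICMP from anywhere, SMTP only from the A LAN.
SAMPLE_ACL = [
    "access-list 101 permit icmp any any",
    "access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.2.6 eq 25",
]
RULES = [parse_acl_line(l)[1] for l in SAMPLE_ACL]

# The explicit permit the reply says is missing for the A-side DMZ host.
DMZ_FIX = "access-list 101 permit tcp host 192.168.1.9 host 172.16.2.6 eq 25"


def check_thread_flows(rules: List[Rule] = RULES) -> dict:
    """Evaluate the four flows discussed in the thread against a rule list."""
    return {
        "lan_ping": evaluate(rules, Flow("icmp", "172.16.1.88", "172.16.2.6")),
        "lan_smtp": evaluate(rules, Flow("tcp", "172.16.1.88", "172.16.2.6", 25)),
        "dmz_ping": evaluate(rules, Flow("icmp", "192.168.1.9", "172.16.2.6")),
        "dmz_smtp": evaluate(rules, Flow("tcp", "192.168.1.9", "172.16.2.6", 25)),
    }


if __name__ == "__main__":
    for name, verdict in check_thread_flows().items():
        print(f"{name:9s} -> {verdict}")
    print("with DMZ rule:", check_thread_flows(RULES + [parse_acl_line(DMZ_FIX)[1]])["dmz_smtp"])
```

Running it shows both ping flows and the LAN SMTP flow matching an explicit permit, while SMTP from 192.168.1.9 falls through to the implicit deny; appending the DMZ host rule turns that last verdict into a permit, which is exactly the check the reply suggests making on the real ACLs.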

Thanks, but there is no access list on either side. Then what should I do? Please advise.

Regards

Winanjaya

Can you paste your config?

Below are my routers' configs for your review.

thanks a lot in advance

Config for location B CISCO 2610 (172.16.2.0/24):

Ro_jkt>en
Password:
Ro_jkt#sh run
Building configuration...

Current configuration : 1898 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Ro_jkt
!
!
ip subnet-zero
!
!
ip name-server 172.16.1.3
!
!
interface FastEthernet0/0
 ip address 172.16.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 ip address 172.16.254.30 255.255.255.252
 frame-relay interface-dlci 132
!
router eigrp 100
 network 172.16.0.0
 no auto-summary
 eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.254.29
ip http server
ip pim bidir-enable
!
!
call rsvp-sync
!
voice-port 1/0/0
 cptone ID
 timeouts wait-release 1
!
voice-port 1/0/1
 cptone ID
 timeouts wait-release 1
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
dial-peer voice 1 pots
 destination-pattern +20
 port 1/0/0
!
dial-peer voice 2 pots
 destination-pattern +20
 port 1/0/1
!
dial-peer voice 9 voip
 destination-pattern +11
 session target ipv4:172.16.254.29
 ip qos dscp cs5 media
!
dial-peer voice 10 voip
 destination-pattern +21
 session target ipv4:172.16.254.14
 ip qos dscp cs5 media
!
dial-peer voice 11 voip
 destination-pattern +22
 session target ipv4:172.16.254.26
 ip qos dscp cs5 media
!
dial-peer voice 12 voip
 destination-pattern +23
 session target ipv4:172.16.254.6
 ip qos dscp cs5 media
!
dial-peer voice 13 voip
 destination-pattern +24
 session target ipv4:172.16.254.10
 ip qos dscp cs5 media
!
dial-peer voice 14 voip
 destination-pattern +25
 session target ipv4:172.16.254.18
 ip qos dscp cs5 media
!
dial-peer voice 15 voip
 destination-pattern +26
 session target ipv4:172.16.254.22
 ip qos dscp cs5 media
!
!
end
Ro_jkt#

Config for location A CISCO 3640 (172.16.1.0/24):

Ro_kwc>en
Password:
Ro_kwc#sh run
Building configuration...

Current configuration : 4435 bytes
!
version 12.2
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Ro_kwc
!
logging buffered 4096 debugging
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
aaa session-id common
!
!
clock timezone WIB 7
ip subnet-zero
!
!
ip name-server 172.16.1.3
!
ip address-pool local
chat-script mod ABORT ERROR ABORT BUSY "" "AT" OK "ATDT \T" TIMEOUT 30 CONNECT \c
chat-script offhook "" "ATH1" OK \c
!
!
!
interface FastEthernet0/0
 ip address 198.168.0.1 255.255.240.0 secondary
 ip address 172.16.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0.2 point-to-point
 description PVC to Ro_jkt
 ip address 172.16.254.29 255.255.255.252
 frame-relay interface-dlci 132
!
!
interface Serial0/1
 no ip address
 shutdown
 clockrate 2000000
!
interface Group-Async1
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer enable-timeout 6
 async mode interactive
 peer ip address forced
 peer default ip address pool default
 ppp callback accept
 ppp authentication pap
 ppp ipcp accept-address
 group-range 33 40
!
router eigrp 100
 network 172.16.0.0
 network 198.168.0.0 0.0.15.255
 no auto-summary
 eigrp log-neighbor-changes
!
ip local pool default 172.16.1.241 172.16.1.254
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.5
ip http server
ip pim bidir-enable
!
logging trap debugging
!
call rsvp-sync
!
!
mgcp profile default
!
!
end
Ro_kwc#

Hello,

Hopefully this simple network diagram below can help you determine what my problem is.

Users (all users can telnet to 172.16.2.6 25)
  |
Switch
  |
Router 3640 (172.16.1.2)
  |
  |----------- Mailserver in DMZ 192.168.1.9: the problem is here (I can ping 172.16.2.6 but cannot telnet to 172.16.2.6 25)
  |
PIX (172.16.1.1)
  |
======
  |
Location B: 172.16.2.0/24
  |
Router 2610 (172.16.2.1)
  |
  |---------- DNS & Gateway 172.16.2.3
  |---------- Mailserver 172.16.2.6
  |
Switch
  |
Users

Please help. What should I do?

Regards

Winanjaya

Since the Mail Server (192.168.1.9) in Branch A can ping the Mail Server (172.16.2.6) in Branch B, there shouldn't be a problem with routing.

You mentioned that your Mail Server (192.168.1.9) in Branch A is in the DMZ; that means it's behind a firewall. Check your firewall to see whether port 25 is open for the Mail Server (192.168.1.9) in Branch A to reach/receive any network/IP, or the segment 172.16.2.0/24, or just the host 172.16.2.6/32.

If your Firewall is PIX, check for drop packet when you try to telnet port 25 from Mail Server ( 192.168.1.9 ) in Branch A to Mail Server ( 172.16.2.6 ) in Branch B. Concentrate on the Firewall.

I have "access-list dmz permit ip any any", so it must allow any service. Am I correct? But it is still not working. Why? Please advise.

name 172.16.0.0 inside_net
name 172.16.1.0 server_net
name 202.x.y.z outside_net
name 192.168.1.0 dmz
access-list inbound_filter permit tcp any host 202.x.y.smtp eq smtp
access-list inbound_filter permit icmp any any
access-list inbound_filter permit tcp any host 202.x.y.pop3 eq pop3
access-list inbound_filter permit icmp any host 202.x.y.z
access-list inbound_filter permit tcp any host 202.x.y.ftp eq ftp
access-list inbound_filter permit tcp any host 202.x.y.ftp eq ftp-data
access-list inbound_filter permit tcp any host 202.x.y.www eq www
access-list inbound_filter permit tcp any host 202.x.y.www eq www
access-list dmz permit ip any any
access-list nonat permit ip inside_net 255.255.0.0 dmz 255.255.255.0

Winanjaya,

I'm missing in "access-list inbound_filter" that you permit telnet traffic, where ICMP traffic is allowed. Maybe this is the problem?

regards,

RdR

Hi, I'm not a PIX FW expert, but in my experience you should have this at minimum.

Example (because I don't know your ACL groups and IPs):

DMZ interface ACL group >> inside_filter
OUTSIDE interface ACL group >> outside_filter
DMZ MAIL server IP >> 192.168.1.9
DMZ MAIL server NAT IP >> 202.1.2.3
OUTSIDE MAIL server IP >> 172.16.2.6

1. DMZ MAIL server to OUTSIDE MAIL server

access-list inside_filter permit tcp host 192.168.1.9 host 172.16.2.6 eq 25

2. OUTSIDE MAIL server to DMZ MAIL server

access-list outside_filter permit tcp host 172.16.2.6 host 202.1.2.3 eq 25

Troubleshooting:

Cisco has done a good job on their PIX FW logging. From the logs you can tell which port and which host has been denied by looking at the packet drops during the time you are trying to telnet via port 25 (it will tell you the source, destination, port, and the interface ACL group). I usually enable logging to the console so I can see the errors in real time.
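The troubleshooting step in this reply (read the PIX drop messages to find which host, port and access-group denied the attempt) is something you can script rather than eyeball on the console. The script below is an added example and is not part of the thread or the poster's PIX configuration: it pulls the 106023 "Deny ... by access-group" messages out of a syslog capture, skips everything else, and aggregates the denies per flow. The log lines are constructed in the shape of the PIX 106023 and 302013 messages; the interface names, the access-group name "dmz", and the outside address 203.0.113.7 are assumptions.

```python
"""Added example (not from the thread): extract PIX "Deny ... by access-group"
syslog messages from a log, aggregate them per flow, and report which
access-group dropped the SMTP attempt.  The log lines are constructed in the
shape of the PIX 106023 (deny) and 302013 (built connection) messages; the
interface and ACL names and the outside address are assumptions, not values
taken from the poster's PIX."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Matches: Deny <proto> src <ifc>:<ip>[/<port>] dst <ifc>:<ip>[/<port>] ... by access-group "<acl>"
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r'.*?by access-group "?(?P<acl>[\w-]+)"?'
)

# Constructed sample: three SMTP retries and one DNS query from the DMZ mail
# server dropped by the "dmz" access-group, plus one unrelated "Built" message
# (an inbound SMTP connection from a constructed outside host) that must be ignored.
SAMPLE_LOG = """\
Jan 10 09:12:01 pix %PIX-4-106023: Deny tcp src dmz:192.168.1.9/1041 dst inside:172.16.2.6/25 by access-group "dmz"
Jan 10 09:12:03 pix %PIX-6-302013: Built inbound TCP connection 4412 for outside:203.0.113.7/40211 (203.0.113.7/40211) to dmz:192.168.1.9/25 (203.0.113.25/25)
Jan 10 09:12:04 pix %PIX-4-106023: Deny tcp src dmz:192.168.1.9/1042 dst inside:172.16.2.6/25 by access-group "dmz"
Jan 10 09:12:09 pix %PIX-4-106023: Deny tcp src dmz:192.168.1.9/1043 dst inside:172.16.2.6/25 by access-group "dmz"
Jan 10 09:12:11 pix %PIX-4-106023: Deny udp src dmz:192.168.1.9/3322 dst inside:172.16.2.3/53 by access-group "dmz"
"""


def parse_denies(log_text: str) -> List[dict]:
    """Return one record per 106023 deny line; every other message is skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        # ICMP denies carry no ports, so both fields are optional.
        rec["sport"] = int(rec["sport"]) if rec["sport"] else None
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        events.append(rec)
    return events


def summarize(events: List[dict]) -> Dict[Tuple, int]:
    """Count denies per (proto, src, dst, dport, acl) so retries collapse into one row."""
    return Counter((e["proto"], e["src"], e["dst"], e["dport"], e["acl"]) for e in events)


def denied_by(events: List[dict], src: str, dst: str, dport: int) -> List[str]:
    """Access-groups that dropped the given flow; an empty list means no deny was logged."""
    return sorted({e["acl"] for e in events
                   if e["src"] == src and e["dst"] == dst and e["dport"] == dport})


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG)
    for (proto, src, dst, dport, acl), n in summarize(evs).items():
        print(f"{n:3d}x {proto} {src} -> {dst}:{dport}  dropped by access-group {acl}")
    print("SMTP from the DMZ mail server denied by:",
          denied_by(evs, "192.168.1.9", "172.16.2.6", 25))
```

Because the source port changes on every retry, counting on (proto, src, dst, dport, acl) is what turns a stream of near-identical drop messages into the one line that names the access-group to fix; if `denied_by` comes back empty for the failing flow, the PIX is not where the packets are being dropped and the search moves to the routers.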

medan has pointed out the problem correctly: you've not specified the inside_filter and outside_filter stuff.
