
Can ping ... cannot Telnet

superduperlopez
Level 1

Hello I hope you can help......

I am having the following problem....

I cannot telnet to the interface that connects to the Internet on a 2800 series router at a customer's site. I can ping the interface OK and the client does not have any problems connecting to the Internet, however I cannot telnet to this interface (int Dialer1 with public IP address).

I can, however, create a VPN connection to one of the client's PCs at the client's office and then telnet to the FA interface of the router from the customer's PC.

Any help welcome....configuration attached....I did not configure this router in the first place but I am now trying to solve this problem......not much luck so far...

21 Replies

I have a thought that the admin who configured this router doesn't allow telnet to this router from the Internet because it's not secure, but he allows Secure Shell to this router. Try using SSH to this router. That's my thought. How to do it using SSH, I don't know. I'm looking for the information right now. If you know, please share it.

Khoa

Hi Khoa,

Yes, I also thought about that. You are talking about the "ssh" in the 5th and 6th lines on the VTY lines configuration

    line vty 0 4
     access-class 199 in
     privilege level 15
     password xxxx
     transport input telnet ssh
     transport output telnet ssh

However....I tried using ssh (which I have used before) and it didn't work....

So then I tried removing the "ssh" word from the configuration.......didn't work either

Finally, someone told me that anyway, because it has "telnet ssh" it should allow both of them. i.e. both telnet and ssh should be allowed. I have not confirmed this with a more reliable source but anyway, it is irrelevant because as I said before, after removing the "ssh" I can still not telnet....

Final thought>>>>

Are there any possibilities that the configuration is actually right but for whatever bizarre reason it is not working????? I know that this may sound crazy...but I am getting crazy........

Thank you again to all of you for all the effort....

Notice this line in your post:

access-list 100 remark SDM_ACL Category=3

Was this router hardened by SDM? Any IPS also configured? Can't see the config so I'm not sure what's happening.

Try to remove all ips and ip inspect lines that you have, if there's any.

I can confirm that

    transport input telnet ssh
    transport output telnet ssh

will allow both telnet and ssh to the router and no other remote access protocols. So this is not the problem.

I am contemplating the possibility that the config is correct and that something else is preventing your access (and my theories tend toward either the possibility that there is some addressing confusion and we are not really getting to the box that we think (I have been bit by this before) or the possibility that there is a firewall or something that is preventing the telnet from getting through).

To investigate these possibilities I will again suggest that you use some debugs. Be sure that the debug messages will be sent to where you are looking (so do terminal monitor in your remote session before you run the debug - and be sure that the debug messages are being sent to the monitor session - or be sure that debug messages are sent to the logging buffer and do the show log command after you have done the test with debug).

I suggest that we start with debug ip icmp and then ping to the dialer address. If we see debug output then we have some proof that the ping packets are getting to the right box.

There is not a simple debug for telnet. So I suggest using debug ip packet with an access list. So try this:

    config t
    access-list 199 permit tcp any host eq 23
    access-list 199 permit tcp host eq 23 any
    end
    debug ip packet 199

This will report any telnet packet to or from the dialer interface.

Try these and let us know what happens.

HTH

Rick


Hi All

Your client router (2800) Dialer1 will be getting its IP from your ISP. You can ask your ISP to telnet to your router's Dialer IP address. If they succeed, then you can look into your side.

Thanks & Regards

venkat

Hi Rick,

I can confirm that we are getting to the right box

I have run debug ip icmp and debug telnet with the terminal monitor directed to my hyperterminal session (which I run from the customer's PC)

There is debugging output when I ping from my PC and also when I ping from the customer's PC to the Dialer interface (ip address 82.X.X.X)

There is also an output when I telnet from the customer's PC into the Dialer interface (same ip address) .......however.......there is no output when I try to telnet from my PC

In short.....the debugging tools show that I am hitting the right box when I try to ping from either side of the router but when I try to telnet....it only shows "life" when I telnet from the customer's PC

Hope this helps a bit, thank you

I believe that this is very helpful information. It is good to have proof that you are getting to the right box (it eliminates one potential explanation for your problem). If the debug tools prove that ping packets do get to the box and that telnet packets do not get to the box, then there must be something along the data path that is preventing the telnet. My first guess would be a firewall (could be at the remote side, could be something the provider is doing, or could be on your side) that is preventing telnet. My second guess might be something doing address translation that is messing up the telnet but not the ping.

HTH

Rick
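
A client-side check to run alongside the router debugs discussed in this thread, added here as an example and not part of any poster's reply: it attempts a TCP connection to the Telnet and SSH ports and reports whether each attempt was accepted, actively refused, or went unanswered. The function names and the documentation address 192.0.2.1 are assumptions; substitute the Dialer1 address.

```python
import errno
import socket

MGMT_PORTS = {23: "telnet", 22: "ssh"}  # the two transports enabled on the VTY lines


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connection attempt to host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"          # three-way handshake completed
    except ConnectionRefusedError:
        return "refused"       # a RST came back: some device answered and rejected
    except socket.timeout:
        return "timeout"       # nothing came back: the SYN was dropped or lost
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"   # an ICMP unreachable or a local routing failure
        raise
    finally:
        s.close()


def summarize(states):
    """Turn {port: state} into a short reading of the result."""
    seen = set(states.values())
    if "open" in seen:
        return "handshake completed: a listener is reachable on at least one port"
    if seen == {"refused"}:
        return "RST received: something answered and rejected the connection"
    if seen == {"timeout"}:
        return "no answer: SYNs are being dropped somewhere along the path"
    return "mixed results: compare the per-port states"


def check_management_ports(host, timeout=3.0):
    states = {port: probe_tcp(host, port, timeout) for port in MGMT_PORTS}
    return states, summarize(states)


if __name__ == "__main__":
    states, reading = check_management_ports("192.0.2.1")  # placeholder address
    for port, state in states.items():
        print(f"{MGMT_PORTS[port]:>6}/{port}: {state}")
    print(reading)
```

A timeout seen from outside while the router's packet debug stays silent is consistent with the filtering-in-the-path explanation above; a refusal means some device did answer the SYN.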
