03-21-2006 01:10 PM - edited 03-03-2019 12:08 PM
Hello I hope you can help......
I am having the following problem....
I cannot telnet to the interface that connects to the Internet on a 2800 series router at a customer's site. I can ping the interface OK and the client does not have any problems connecting to the Internet, however I cannot telnet to this interface (int Dialer1 with public IP address).
I can, however, create a VPN connection to one of the client's PCs at the client's office and then telnet to the FA interface of the router from the customer's PC.
Any help welcome....configuration attached....I did not configure this router in the first place but I am now trying to solve this problem......not much luck so far...
03-23-2006 11:56 AM
I have a thought that the admin who configured this router doesn't allow telnet to this router from the internet because it's not secure, but he allows Secure Shell to this router. Try using SSH to this router. That's my thought. How to do it using SSH - I don't know. I'm looking for the information right now. If you know, please share it.
Khoa
03-23-2006 02:48 PM
Hi Khoa,
Yes, I also thought about that. You are talking about the "ssh" in the 5th and 6th lines on the VTY lines configuration
line vty 0 4
access-class 199 in
privilege level 15
password xxxx
transport input telnet ssh
transport output telnet ssh
However....I tried using ssh (which I have used before) and it didn't work....
So then I tried removing the "ssh" word from the configuration.......didn't work either
Finally, someone told me that anyway, because it has "telnet ssh" it should allow both of them. i.e. both telnet and ssh should be allowed. I have not confirmed this with a more reliable source but anyway, it is irrelevant because as I said before, after removing the "ssh" I can still not telnet....
Final thought>>>>
Are there any possibilities that the configuration is actually right but for whatever bizarre reason it is not working????? I know that this may sound crazy...but I am getting crazy........
Thank you again to all of you for all the effort....
03-23-2006 06:15 PM
Notice this line in your post:
access-list 100 remark SDM_ACL Category=3
Was this router hardened by SDM? Any IPS also configured? Can't see the config so I'm not sure what's happening.
Try to remove all ips and ip inspect lines that you have, if there are any.
03-23-2006 06:57 PM
I can confirm that
transport input telnet ssh
transport output telnet ssh
will allow both telnet and ssh to the router and no other remote access protocols. So this is not the problem.
I am contemplating the possibility that the config is correct and that something else is preventing your access (and my theories tend toward either the possibility that there is some addressing confusion and we are not really getting to the box that we think (I have been bit by this before) or the possibility that there is a firewall or something that is preventing the telnet from getting through).
To investigate these possibilities I will again suggest that you use some debugs. Be sure that the debug messages will be sent to where you are looking (so do terminal monitor in your remote session before you run the debug - and be sure that the debug messages are being sent to the monitor session - or be sure that debug messages are sent to the logging buffer and do the show log command after you have done the test with debug).
I suggest that we start with debug ip icmp and then ping to the dialer address. If we see debug output then we have some proof that the ping packets are getting to the right box.
There is not a simple debug for telnet. So I suggest using debug ip packet with an access list. So try this:
config t
access-list 199 permit tcp any host
access-list 199 permit tcp host
end
debug ip packet 199
This will report any telnet packet to or from the dialer interface.
Try these and let us know what happens.
HTH
Rick
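An added example, not part of any post in this thread: a small Python check of the two vty-line gates discussed above, the `transport input` protocol list and the inbound `access-class` ACL, run against a constructed config. The ACL 199 entries and all addresses are assumptions (documentation ranges), since the thread never shows the real ACL, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config: the vty block mirrors the one quoted in the thread;
# the ACL 199 entries and addresses are assumptions (documentation ranges).
SAMPLE_CONFIG = """\
access-list 199 permit ip 192.0.2.0 0.0.0.255 any
access-list 199 permit ip host 198.51.100.7 any
access-list 199 deny ip any any
line vty 0 4
 access-class 199 in
 transport input telnet ssh
"""

def parse_vty(config):
    """Return (inbound access-class ACL or None, allowed input protocols)."""
    acl, protocols, in_vty = None, set(), False
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level command: enter/leave vty block
            in_vty = line.startswith("line vty")
            continue
        words = line.split()
        if in_vty and words[:1] == ["access-class"] and words[-1] == "in":
            acl = words[1]
        elif in_vty and words[:2] == ["transport", "input"]:
            protocols = set(words[2:])
    return acl, protocols

def source_matches(spec, src):
    """Match a source address against 'any', 'host A' or 'A WILDCARD'."""
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return src == ipaddress.ip_address(spec[1])
    base, wildcard = (int(ipaddress.ip_address(x)) for x in spec[:2])
    return (int(src) & ~wildcard) == (base & ~wildcard)

def vty_allows(config, src_ip, protocol):
    """True if a session from src_ip using protocol passes both vty gates."""
    acl, protocols = parse_vty(config)
    if protocol not in protocols and "all" not in protocols:
        return False
    if acl is None:
        return True                            # no access-class: any source accepted
    src = ipaddress.ip_address(src_ip)
    for action, rest in re.findall(rf"access-list {acl} (permit|deny) \S+ (.+)", config):
        if source_matches(rest.split(), src):
            return action == "permit"          # first matching entry decides
    return False                               # implicit deny at the end of every ACL
```

This models only the vty line itself; an interface ACL or a filter upstream drops the session before these checks are ever reached.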
03-23-2006 11:08 PM
Hi All
Your client router (2800) Dialer1 will be getting its IP from your ISP. You can ask your ISP to telnet to your router's Dialer IP address. If they succeed, then you can look into your side.
Thanks & Regards
venkat
03-27-2006 03:12 AM
Hi Rick,
I can confirm that we are getting to the right box
I have run debug ip icmp and debug telnet with the terminal monitor directed to my hyperterminal session (which I run from the customer's PC)
There is debugging output when I ping from my PC and also when I ping from the customer's PC to the Dialer interface (ip address 82.X.X.X)
There is also an output when I telnet from the customer's PC into the Dialer interface (same ip address) .......however.......there is no output when I try to telnet from my PC
In short.....the debugging tools show that I am hitting the right box when I try to ping from either side of the router but when I try to telnet....it only shows "life" when I telnet from the customer's PC
Hope this helps a bit, thank you
03-27-2006 07:47 AM
I believe that this is very helpful information. It is good to have proof that you are getting to the right box (it eliminates one potential explanation for your problem). If the debug tools prove that ping packets do get to the box and that telnet packets do not get to the box, then there must be something along the data path that is preventing the telnet. My first guess would be a firewall (could be at the remote side, could be something the provider is doing, or could be on your side) that is preventing telnet. My second guess might be something doing address translation that is messing up the telnet but not the ping.
HTH
Rick