Can't telnet on cisco router 851 via vlan 1 interface

Michael Grachev
Level 1

Hey there, guys!

Today I've run into a problem. I have a Cisco router 851 at my regional site. It has five Fa ports. One of them is connected to the ISP and has IP address 10.1.1.2 (for example). It also has a VLAN 1 interface, which has IP address 192.168.0.1 (also for example). I also have a Tun0 interface that goes through the ISP network and connects to my hub network. The rest of the Fa interfaces are switchable and they are in VLAN 1.

The problem is that from the hub LAN I can telnet to the 10.1.1.2 IP address, but I can't telnet to 192.168.0.1, whereas I can ping 192.168.0.1 from my hub LAN.

Anyone have any ideas?

Topology:

Hub LAN -------ISP---------Spoke Router 851

Mike

8 Replies

Marwan ALshawi
VIP Alumni

Is there any ACL applied to any interface or vty line?

Sent from Cisco Technical Support iPhone App

Hi Mike,

As Marwan said, there must be some access-group applied to the line vty interface, and your 10.1.1.0 network may not be permitted in that access-list. Please check that and let us know if you are still facing any issues.

The applied access-group looks like the example below:

line vty 0 4
access-class 23 in
login authentication device
transport input ssh

access-list 23 permit 193.168.0.0

Please rate the helpful posts.
Regards,
Naidu.

Thanks for the quick response!

1st - there are no ACLs on the physical interfaces.

2nd - there is an access-group for vty access for several hosts from the "hub LAN" network.

Anyway, I am able to connect to interface 10.1.1.2, so the access group works fine for the telnet connection. I just can't connect to 192.168.0.1:

line vty 0 4
access-class 99 in
privilege level 15
transport input ssh

access-list 23 permit 192.168.0.250 - host for example

aaa new-model is ON - maybe it is not so necessary, but still.

Also there is NO NAT configuration there.

And Bug Toolkit for current IOS showed nothing related to this problem.

Tomorrow I'll be able to post whole configuration of this router here...

Mike

Is the SVI actually up?

The device won't put interface VLAN1 in up/up state unless there is a port (access or trunk) assigned to that VLAN and in the up/up state also. And if interface VLAN1 is not up, then you obviously won't be able to telnet to its IP address.

If you can telnet into the 10.1.1.2 address, what is the output when you do

show interface vlan1

from the command line?

Cheers.

Darren, please read the initial post carefully:

Four Fa interfaces are in VLAN 1, and the SVI is up. Also, I can ping 192.168.0.1.

Here you go:

sh inter vl 1

Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 0023.332e.20cd (bia 0023.332e.20cd)
  Description: LAN
  Internet address is 192.168.0.1/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:34, output never, output hang never
  Last clearing of "show interface" counters 4d18h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1323067 packets input, 260065941 bytes, 0 no buffer
     Received 3264 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     1573058 packets output, 1003872276 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

Whole router config:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Spoke
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone MSK 4
!
crypto pki trustpoint TP-self-signed-723587833
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-723587833
revocation-check none
rsakeypair TP-self-signed-723587833
!
!
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool LAN
   network 192.168.0.0
   dns-server xxxxxxxx
   domain-name xxxxxxxxx
   default-router xxxxxx
   netbios-node-type h-node
   netbios-name-server xxxxxxx
!
!
ip cef
no ip domain lookup
!
!
!
username 111 privilege 15 secret 5 111

!
!
crypto isakmp policy 2
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address xxxxxxxx
!
!
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
!
crypto map lan2lan 100 ipsec-isakmp
set peer xxxxxxxxx
set security-association lifetime seconds 28800
set transform-set ESP-AES-128-MD5
set pfs group2
match address l2l
!
archive
log config
  hidekeys
!
!
ip tftp source-interface Vlan1
!
!
!
interface Loopback0
no ip address
!
interface Tunnel0
description Tunnel
bandwidth 2048
ip address 172.16.0.2 255.255.255.252
keepalive 3 3
tunnel source 10.1.1.2
tunnel destination 10.1.1.1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
bandwidth 2048
ip address 10.1.1.2 255.255.255.252
speed 100
full-duplex
!
interface Vlan1
description LAN
ip address 192.168.0.1 255.255.255.0
ip flow ingress
ip flow egress
ip tcp adjust-mss 1300
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip flow-top-talkers
top 50
sort-by bytes
!
ip http server
ip http access-class 99
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!

ip access-list extended l2l
permit ip xxxxxxxxxx 0.0.0.15 any
!
ip sla responder
ip sla 1
udp-jitter xxxxxxxx 16890 source-ip 192.168.0.1 codec g729a
ip sla schedule 1 life forever start-time now

access-list 99 permit 192.168.0.250

snmp-server community xxxxxx RW 50
snmp-server community xxxxxx RO 51

!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 99 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
sntp server xxxxxxx
end

Hi,

line vty 0 4
access-class 99 in

access-list 99 permit 192.168.0.250

The only source IP address that can telnet into the router is 192.168.0.250.

What is the source IP when coming from the hub network?

Regards.

Alain

Don't forget to rate helpful posts.
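The check Alain does by eye above, written out as an added example that is not from the thread or from Cisco: a small Python linter that reads the posted vty and access-list lines, evaluates the standard ACL bound by access-class against a candidate source address (first match wins, implicit deny), and reports whether telnet, a cleartext transport, is still accepted on the vty lines. It handles numbered standard ACLs with contiguous wildcard masks only; the config excerpt is constructed from the thread.

```python
import ipaddress
import re
# Constructed excerpt of the spoke's vty and ACL lines as posted in the thread.
SPOKE_CONFIG = """\
access-list 99 permit 192.168.0.250
line vty 0 4
 access-class 99 in
 transport input telnet ssh
"""
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")
def parse_standard_acls(config):
    """Map each numbered standard ACL to its ordered (action, network) entries."""
    acls = {}
    for m in filter(None, map(ACL_RE.match, map(str.strip, config.splitlines()))):
        num, action, addr, extra = m.groups()
        if addr == "host":  # 'permit host A.B.C.D' form
            addr, extra = extra, "0.0.0.0"
        elif addr == "any":  # 'permit any' is 0.0.0.0 with an all-ones wildcard
            addr, extra = "0.0.0.0", "255.255.255.255"
        wild = int(ipaddress.IPv4Address(extra or "0.0.0.0"))  # no wildcard = host
        mask = ipaddress.IPv4Address(wild ^ 0xFFFFFFFF)  # raises on non-contiguous masks
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        acls.setdefault(num, []).append((action, net))
    return acls

def parse_vty(config):
    """Collect the access-class number and transport list from the 'line vty' block."""
    vty, in_vty = {"access_class": None, "transports": []}, False
    for line in map(str.strip, config.splitlines()):
        if line.startswith("line "):
            in_vty = line.startswith("line vty")
        elif in_vty and line.startswith("access-class "):
            vty["access_class"] = line.split()[1]
        elif in_vty and line.startswith("transport input "):
            vty["transports"] = line.split()[2:]
    return vty

def vty_permits(config, src_ip):
    """True if src_ip may open a vty session; first match wins, implicit deny."""
    vty, src = parse_vty(config), ipaddress.ip_address(src_ip)
    if vty["access_class"] is None:
        return True  # no access-class at all: every source may connect
    for action, net in parse_standard_acls(config).get(vty["access_class"], []):
        if src in net:
            return action == "permit"
    return False

def vty_allows_cleartext(config):
    """True when telnet (or 'all') is an accepted vty transport."""
    return any(t in ("telnet", "all") for t in parse_vty(config)["transports"])
```

Run against the posted config it confirms that 192.168.0.250 is the only permitted source and that telnet remains enabled, so the ACL cannot explain why 10.1.1.2 works while 192.168.0.1 does not.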

Alain, the source IP of the host is 192.168.0.250 -)

I believe that the ACL is not the point of failure here, because I am able to telnet to 10.1.1.2.

Hi,

OK, so can you do a sh crypto ipsec before and after the telnet, and if you see no more packet counter increase, can you verify your crypto ACL on both sides?

Regards.

Alain

Don't forget to rate helpful posts.