12-19-2011 05:46 AM - edited 03-04-2019 02:41 PM
Hey there, guys!
Today I've met a problem. I have a Cisco 851 router at my regional site. It has five Fa ports. One of them is connected to the ISP and has IP address 10.1.1.2 (for example). It also has a Vlan 1 interface that has IP address 192.168.0.1 (also for example). I also have a Tun0 interface that goes through the ISP network and connects to my hub network. The rest of the Fa interfaces are switchable and are in vlan 1.
The problem is that from the hub LAN I can telnet to 10.1.1.2, but I can't telnet to 192.168.0.1, whereas I can ping 192.168.0.1 from my hub LAN.
Does anyone have any ideas?
Topology:
Hub LAN -------ISP---------Spoke Router 851
Mike
12-19-2011 06:04 AM
Is there any ACL applied to any interface or vty line?
Sent from Cisco Technical Support iPhone App
12-19-2011 06:13 AM
Hi Mike,
As Marwan said, there must be some access-group applied to the line vty interface, and your 10.1.1.0 network may not be permitted in that access-list. Please check that and let us know if you are still facing any issues.
The applied access-group looks like below...
line vty 0 4
access-class 23 in
login authentication device
transport input ssh
access-list 23 permit 193.168.0.0
Please rate the helpful posts.
Regards,
Naidu.
12-19-2011 12:03 PM
Thanks for the quick response!
1st - there are no ACLs on the physical interfaces.
2nd - there is an access-group for vty access for several hosts from the "hub LAN" network.
Anyway, I am able to connect to interface 10.1.1.2, so the access-group works fine for telnet connections. I just can't connect to 192.168.0.1:
line vty 0 4
access-class 99 in
privilege level 15
transport input ssh
access-list 23 permit 192.168.0.250 - host for example
aaa new-model is ON - maybe it is not so necessary, but still.
Also there is NO NAT configuration there.
And Bug Toolkit for current IOS showed nothing related to this problem.
Tomorrow I'll be able to post whole configuration of this router here...
Mike
12-19-2011 02:25 PM
Mikhail Grachev wrote: (quoting the previous post in full)
Is the SVI actually up?
The device won't put interface VLAN1 in up/up state unless there is a port (access or trunk) assigned to that VLAN and in the up/up state also. And if interface VLAN1 is not up, then you obviously won't be able to telnet to its IP address.
If you can telnet into the 10.1.1.2 address, what is the output when you do
show interface vlan1
from the command line?
Cheers.
12-19-2011 10:12 PM
Darren, please read the initial post carefully:
Four Fa interfaces are in vlan 1, and the SVI is up. Also, I can ping 192.168.0.1.
Here you go:
sh inter vl 1
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 0023.332e.20cd (bia 0023.332e.20cd)
Description: LAN
Internet address is 192.168.0.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:34, output never, output hang never
Last clearing of "show interface" counters 4d18h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1323067 packets input, 260065941 bytes, 0 no buffer
Received 3264 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
1573058 packets output, 1003872276 bytes, 0 underruns
0 output errors, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Whole router config:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Spoke
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone MSK 4
!
crypto pki trustpoint TP-self-signed-723587833
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-723587833
revocation-check none
rsakeypair TP-self-signed-723587833
!
!
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool LAN
network 192.168.0.0
dns-server xxxxxxxx
domain-name xxxxxxxxx
default-router xxxxxx
netbios-node-type h-node
netbios-name-server xxxxxxx
!
!
ip cef
no ip domain lookup
!
!
!
username 111 privilege 15 secret 5 111
!
!
crypto isakmp policy 2
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address xxxxxxxx
!
!
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
!
crypto map lan2lan 100 ipsec-isakmp
set peer xxxxxxxxx
set security-association lifetime seconds 28800
set transform-set ESP-AES-128-MD5
set pfs group2
match address l2l
!
archive
log config
hidekeys
!
!
ip tftp source-interface Vlan1
!
!
!
interface Loopback0
no ip address
!
interface Tunnel0
description Tunnel
bandwidth 2048
ip address 172.16.0.2 255.255.255.252
keepalive 3 3
tunnel source 10.1.1.2
tunnel destination 10.1.1.1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
bandwidth 2048
ip address 10.1.1.2 255.255.255.252
speed 100
full-duplex
!
interface Vlan1
description LAN
ip address 192.168.0.1 255.255.255.0
ip flow ingress
ip flow egress
ip tcp adjust-mss 1300
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip flow-top-talkers
top 50
sort-by bytes
!
ip http server
ip http access-class 99
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended l2l
permit ip xxxxxxxxxx 0.0.0.15 any
!
ip sla responder
ip sla 1
udp-jitter xxxxxxxx 16890 source-ip 192.168.0.1 codec g729a
ip sla schedule 1 life forever start-time now
access-list 99 permit 192.168.0.250
snmp-server community xxxxxx RW 50
snmp-server community xxxxxx RO 51
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 99 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
sntp server xxxxxxx
end
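The thread turns on whether the vty access-class and the ACL it names actually line up (the earlier snippet shows access-class 99 next to access-list 23, while the full config pairs 99 with 99 and also allows cleartext telnet). As an added example, not code from the thread or from Cisco, here is a small Python audit that parses those management lines from constructed samples based on the posted config and reports the two weaknesses a reviewer would flag: an access-class pointing at an undefined ACL, and telnet on the vty lines.

```python
import re

# Constructed sample: the management-related lines of the spoke config posted above.
SPOKE_CONFIG = """\
access-list 99 permit 192.168.0.250
line con 0
line vty 0 4
access-class 99 in
privilege level 15
transport input telnet ssh
!
"""
# Constructed sample: the earlier snippet, where the vty names ACL 99 but only ACL 23 is defined.
MISMATCH_CONFIG = """\
line vty 0 4
access-class 99 in
transport input ssh
!
access-list 23 permit 192.168.0.250
"""

def parse_vty_policy(config):
    """Return the vty access-class, its transports and every numbered ACL entry found."""
    acls, policy, in_vty = {}, {"access_class": None, "transports": []}, False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) (permit|deny) (.*)", line)
        if m:
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
        elif line.startswith("line ") or line == "!":
            in_vty = line.startswith("line vty")  # only vty lines carry remote logins
        elif in_vty:
            m = re.match(r"access-class (\S+) in", line)
            if m: policy["access_class"] = m.group(1)
            m = re.match(r"transport input (.*)", line)
            if m: policy["transports"] = m.group(1).split()
    policy["acls"] = acls
    return policy

def audit_vty(config):
    """List the management-plane findings for the vty lines in the given config text."""
    p = parse_vty_policy(config)
    findings, acl = [], p["access_class"]
    if acl is None:
        findings.append("vty has no access-class: any reachable source may attempt login")
    elif acl not in p["acls"]:
        findings.append(f"access-class {acl} refers to an ACL that is not defined")
    if "telnet" in p["transports"] or "all" in p["transports"]:
        findings.append("telnet allowed on vty: credentials traverse the WAN in cleartext")
    return findings
```

An undefined access-class ACL does not block logins on IOS, it simply matches nothing, so the check is there to catch the copy-and-paste mismatch rather than to explain the failed telnet.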
12-20-2011 12:45 AM
Hi,
line vty 0 4
access-class 99 in
access-list 99 permit 192.168.0.250
The only src IP address that can telnet into the router is 192.168.0.250.
What is the src IP when coming from the Hub network?
Regards.
Alain
12-20-2011 12:51 AM
Alain, the src IP of the host is 192.168.0.250 :-)
I believe that the ACL is not the point of failure here, because I am able to telnet to 10.1.1.2.
12-20-2011 03:27 AM
Hi,
OK, so can you do a sh crypto ipsec before and after the telnet, and if you see no packet counter increase, can you verify your crypto ACL on both sides?
Regards.
Alain