Nope. The only ACLs I have

ricky.nally1 · ‎12-26-2014

Hi All.

I forgot to remove the access-class 23 in line from my VTY settings so now I cannot remote access a router. Anyone know a work around for this to hopefully help me save the 12 hour round trip drive to console into the device for 5 minutes?

I found this solution from a post 8 years ago using a search:

"

Hi there,

I think its doable, configure a loopback with an ip in that range 10.10.10.0/29 (and insure appropriate routing for this ip to reach your router, hoping that your router has a default route or something pointing it back), and use this command:

telnet /source-interface loopback x"

I'm not quite sure how to apply this.

On my primary router do I first have to create an interface like:

int gig 0/0.600

ip address 10.10.10.1 255.255.255.128

and also create a loopback in that same range like"

interface loopback12

ip 10.10.10.2 255.255.255.128

Any help would be greatly appreciated!

Regards,

Ricky

M SEB · ‎12-26-2014

Hi,

Do you know what's permit in your ACL 23 ?

If yes and one of those entries subnet is not routed elsewhere in your network and you have dynamic routing protocol between your primary router and the ones you lost access to,

if it is all the case you can create a loopback with an ip of a subnet authorized in ACL23 of your remote router, propagate the route through your routing protocol and try a telnet sourced from the newly created loopback interface. I think it might work.

HTH

ricky.nally1 · ‎12-26-2014

Thanks for the quick reply. I don't have an ACL23 set up on this router.

M SEB · ‎12-26-2014

No idea of what's remote router's ACL 23 permitting?

ricky.nally1 · ‎12-26-2014

Nope. The only ACLs I have programmed into the router are the ones I need for my equipment. Nothing pertaining to ACL23. Unless this is a default that doesn't show on saved config I have.

Joseph W. Doherty · ‎12-27-2014

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Do you have SNMP write access? If so, you can rewrite the (running) config via it bypassing VTY.

Also, depending how your ACL and device is otherwise configured, sometimes SSH might get through while Telnet is blocked.

Richard Burts · ‎01-01-2015

If the original poster has a copy of the config for the remote router it would be very helpful to see at least parts of it. From the description in the thread it sounds like the access-list 23 from the original default config was removed but the access-class 23 in was not removed from the vty. It would be nice to see the config file and verify if this is actually the case.

If it is the case then I believe that access-class on the vty ports is not the real issue. If access-class is configured but the access list does not exit then the incoming access request should not be denied by the access-class and the underlying problem is something else. If we could see the config file then we could determine whether the vty ports have any restrictions such as transport input ssh, which would deny any telnet request.

There are some other things that it would help if we knew them. For example is there good IP connectivity between the routers? Does ping from one to the other work ok?

Additional information about this situation would help us to give better answers about the problem.

HTH

Rick

HTH

Rick

Forgot to remove Access-Class 23 in