3063 Views, 15 Helpful, 13 Replies
Hiding Router on internet by dropping as opposed to denying packets

ManIDE661
Level 1

 

I'm trying to hide my router from the internet by having all unwanted requests produce a timeout at the intruder's end.

 

I have added access lists to block incoming connection requests.

e.g:  "deny   tcp any any eq telnet log"

 

I have also added to all my  vty " transport input none"

 

This is working.

 

My problem is that when someone tries to connect from outside (internet), the router denies the request, with the result that they see a "Connection refused" message at their end.

 

What I want is for nothing to be sent, just a timeout, for any of these packet requests. Is that possible?

 

 

Manuel.

 

 

13 Replies

balaji.bandi
Hall of Fame

I would suggest moving from Telnet to SSH; Telnet is not secure.

 

I would advise: why not use a source interface, so the other interfaces are not part of it? (Is this workable?) Or do you still need outside access?

 

(config)#ip ssh source-interface ?
  Async               Async interface
  Auto-Template       Auto-Template interface
  BVI                 Bridge-Group Virtual Interface
  CDMA-Ix             CDMA Ix interface
  CTunnel             CTunnel interface
  Dialer              Dialer interface
  FastEthernet        FastEthernet IEEE 802.3
  GMPLS               MPLS interface
  GigabitEthernet     GigabitEthernet IEEE 802.3z
  LISP                Locator/ID Separation Protocol Virtual Interface
  Lex                 Lex interface
  LongReachEthernet   Long-Reach Ethernet interface
  Loopback            Loopback interface
  MFR                 Multilink Frame Relay bundle interface
  Multilink           Multilink-group interface
  Null                Null interface
  Port-channel        Ethernet Channel of interfaces
  Serial              Serial
  Tunnel              Tunnel interface
  Vif                 PGM Multicast Host interface
  Virtual-Dot11Radio  Virtual dot11 interface
  Virtual-PPP         Virtual PPP interface
  Virtual-Template    Virtual Template interface
  Virtual-TokenRing   Virtual TokenRing
  vmi                 Virtual Multipoint Interface

BB


Hi.

Yes, this is a home office.

I don't need to access the router from outside or inside with telnet or SSH.

 

I would like to hide the router.

When I try to telnet into this router I get a "connection refused". Just to be clear, I don't need telnet or SSH access into this router from anywhere; I'm just trying to explain the result of the telnet attempt.

My ISP-supplied router resulted in a time out when trying to Telnet or SSH into that router.

 

And I want my Cisco router to do the same.

 

I don't need to access the router from outside or inside with telnet or SSH.

If you remove SSH, how will you manage the device? Console?

 

Post "show run" so we can see what you've got.

BB


Hello,

 

Which router model do you have? I don't think the 'Connection Refused' response is generated on the router, but rather on the client.

 

There is a global command 'ip telnet quiet', you might want to check if that is available in your IOS version, and what that results in...

I think the client saying 'connection refused' is generated by an ICMP unreachable from the target device. I think the command that would do what the OP is describing is the interface-level command here.

no ip unreachables

Connection refused is the result of an explicit response from the target device. If it just fails, that would generate a 'connection timeout' type response.

ManIDE661
Level 1

I was using a friend's laptop for testing; it looks like the "connection refused" message was from his client, as indicated above.

I have loaded PuTTY now and we get "connection times out" for telnet connections.

 

I have a Cisco 1941 running IOS 158-3.M3.

We will only be configuring via the console port on this router.

 

I'm still having issues with the FTP and SSH reply messages.

 

FTP gives "connection closed by remote host" (ftp from the command prompt).

SSH gives "remote side unexpectedly closed network connection" (from PuTTY).

 

Is there a way I can stop these messages?

 

Here is the part of my running config of interest:

 

aaa new-model

ip inspect WAAS flush-timeout 10
ip cef
login on-failure log
login on-success log

no ipv6 cef

 

interface Dialer1
 mtu 1492
 ip address negotiated
 ip access-group No-PING in
 ip access-group 198 out
 no ip unreachables
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 no cdp enable

 

!
ip access-list extended No-PING
 permit icmp any any echo-reply
 deny   icmp any any
 deny   tcp any any eq telnet log
 deny   tcp any any eq www log
 permit ip any any
ip access-list extended TRACERT
 permit icmp any any traceroute

access-list 198 permit ip any any


!

 

control-plane
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 script dialer hspa-R7
 modem InOut
 no exec
 transport input all
 rxspeed 21600000
 txspeed 5760000
line 0/0/1
 no exec
line vty 0 4
 transport input none
line vty 5 15
 transport input none
!

 

I don't see exactly where it is failing, but you can tell if it is an ACL if you add the keyword "log" at the end of any "deny" statements. Unless you have a "permit any any" at the end of an ACL, you should use an explicit deny all at the end with the "log" keyword instead of accepting the implicit deny all at the end.

I have followed up with more testing of my issues and this is what I found.

 

Using the command

no ip unreachables

it provides a time out as needed.

However, this is limited to entries in my access list.

ip access-list extended No-PING
permit icmp any any echo-reply log
deny   icmp any any log
deny   tcp any any eq telnet log

deny   tcp any any eq 21 log
deny   tcp any any eq www log
permit ip any any 

 

e.g. if I telnet on ports 20, 21, 22 I get the "Connection Time Out" message.

 

When I telnet on port 45734 (as an example) I get "connection refused/denied" and no log message is produced.

 

@Elliot Dierksen I tried using an explicit deny all at the end of my access list, before the "permit ip any any".

I added "deny tcp any any log", but this failed as I lost connectivity.

 

My issues at present are

1) What should that explicit deny look like (to show the other telnet ports)?

2) Where are those telnet requests getting refused, if not in my access list?

 

M.
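An added example, not from the original post, of what that explicit deny could look like without cutting the LAN off. The inbound ACL on Dialer1 also sees the return traffic of sessions started from the LAN and by the router itself (DNS forwarding, NTP, the ip sla ping), so a bare "deny tcp any any log" drops those replies too. The "established" keyword lets TCP segments with the ACK or RST bit set through, which covers return traffic, while a fresh inbound SYN still falls to the deny. Dropping that SYN in the ACL is what makes the high-port test time out: a SYN to a port on which nothing listens is handed to the router's own TCP stack, which answers with a RST (reported by the client as "connection refused"), and "no ip unreachables" only suppresses ICMP unreachable messages, so it silences probes to closed UDP ports but not TCP ones. The list is built under a new name (No-PING-v2, my name) and swapped in, because removing a named ACL that is still applied to the interface leaves the interface unfiltered until the list exists again. Which ICMP types to keep is an assumption about what this router needs.

```cisco
! --- added example; ACL name, remarks and ICMP selection are mine ---
ip access-list extended No-PING-v2
 remark replies to TCP sessions started from the LAN or by the router (ACK or RST set)
 permit tcp any any established
 remark ICMP the router relies on: ping replies (ip sla 1), PMTUD and traceroute replies
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 remark UDP replies (DNS forwarding, NTP, NAT'd LAN traffic); "established" has no UDP
 remark equivalent, so "no ip unreachables" on Dialer1 is what keeps closed UDP ports silent
 permit udp any any
 remark everything else is unsolicited: drop it silently and log it
 deny   tcp any any log
 deny   icmp any any log
 deny   ip any any log
!
! swap the lists on the WAN interface; the old list can be removed afterwards
interface Dialer1
 ip access-group No-PING-v2 in
```

Check the counters with "show ip access-lists No-PING-v2" while probing from outside: a SYN to port 45734 should now increment the "deny tcp any any log" entry and produce a log line instead of a RST. Two caveats: "established" is a flag check, not connection state, so an ACK-only probe (nmap -sA) still reaches the router's stack and may be answered with a RST, and "log" on a catch-all deny can generate a lot of syslog on a busy link. For real statefulness the zone-based firewall is the tool.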

Hello,

 

Which IOS version are you running? Check if your IOS supports the Zone Based Firewall:

 

1941#conf t

1941(config)#zone ?

 

Is that command available ? If so, post the full running config of your router, so we can fill in the bits and pieces...

Yes, I have the Zone command. Ver 15.8

That is part of the mixed bag that is "no ip unreachable". A connection to a router where no service is listening would generate a "port unreachable" ICMP message, but "no ip unreachable" turns that off.

ManIDE661
Level 1

Hello.

 

Below is my config. I am using "no ip unreachables"; in my setup, is it in the correct location?

 

I have "ip telnet quiet" added as suggested, but I'm not sure it's doing anything in my setup.

 

!
version 15.8
!
!
boot-start-marker
boot system flash0:c1900-universalk9-mz.SPA.158-3.M3.bin
boot-end-marker
!
!
!
aaa new-model
aaa local authentication attempts max-fail 8
!
!
aaa authentication login default local
!
!
aaa session-id common
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.10.1 192.168.10.100
!
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.1
!
ip dhcp pool WLAN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.1.1
!
!
ip inspect WAAS flush-timeout 10
ip cef
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script hspa-R7 "" "AT!SCACT=1,2" TIMEOUT 60 "OK"
!
!
!
crypto pki certificate chain TP-self-signed-8887778887
 certificate self-signed 01

  quit
!
license udi pid CISCO1941/K9 sn FGL
!
!
redundancy
 notification-timer 120000
!
!
!
controller Cellular 0/0
 gsm modem crash-action boot-and-hold
!
track 1 ip sla 1 reachability
!
ip telnet quiet
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WLAN uplink port
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 description WAN Uplink
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/1/1
 no ip address
!
interface GigabitEthernet0/1/2
 no ip address
!
interface GigabitEthernet0/1/3
 no ip address
!
interface GigabitEthernet0/1/4
 no ip address
!
interface GigabitEthernet0/1/5
 no ip address
!
interface GigabitEthernet0/1/6
 no ip address
!
interface GigabitEthernet0/1/7
 no ip address
!
interface Cellular0/0/0
 description 3G Link to Vodafone-AP
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer string hspa-R7
 dialer-group 2
 async mode interactive
!
interface Cellular0/0/1
 no ip address
 encapsulation slip
!
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan100
 description WAN
 no ip address
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ! REM this is the main interface for data
 mtu 1492
 ip address negotiated
 ip access-group No-PING in
 ip access-group 198 out
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in max-fragments 16 max-reassemblies 64 timeout 5
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname secret.user@one.com
 ppp chap password 0 cisco123
 ppp pap sent-username secret.user@one.com 0 cisco123
 ppp ipcp dns request
 ppp ipcp route default
!
ip local policy route-map track-primary-if
ip forward-protocol nd
!
ip dns server queue limit forwarder 8
ip dns server
ip nat inside source route-map nat2backup interface Cellular0/0/0 overload
ip nat inside source route-map nat2primary interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 253
!
ip access-list extended No-PING
 permit icmp any any echo-reply
 deny   icmp any any
 deny   tcp any any eq telnet log
 deny   tcp any any eq www log
 deny   tcp any any eq ftp log
 deny   tcp any any eq 22 log
 deny   tcp any any eq login log
 permit ip any any
ip access-list extended TRACERT
 permit icmp any any traceroute
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface Dialer1
ip sla schedule 1 life forever start-time now
logging host 192.168.1.254
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map track-primary-if permit 1
 match ip address 197
 set interface Dialer1
!
route-map nat2primary permit 1
 match ip address 198
 match interface Dialer1
!
route-map nat2backup permit 1
 match ip address 198
 match interface Cellular0/0/0
!
!
access-list 197 permit icmp any host 8.8.8.8
access-list 198 permit ip any any
!
!
!
control-plane
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 script dialer hspa-R7
 modem InOut
 no exec
 transport input all
 rxspeed 21600000
 txspeed 5760000
line 0/0/1
 no exec
line vty 0 4
 transport input none
line vty 5 15
 transport input none
!
scheduler allocate 20000 1000
ntp server 0.au.pool.ntp.org
ntp server 2.au.pool.ntp.org
ntp server 1.au.pool.ntp.org
ntp server 3.au.pool.ntp.org
!

Connection timeouts when you have ip unreachables enabled on the relevant interface are expected behavior. I haven't used "ip telnet quiet" before, so I can't speak to that. If Dialer0 is your WAN interface then I would say you have it in the right place. Even though Cellular0 is the physical interface associated with this, I think the only interface that will have an IP is Dialer0. I mention that because of the "ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 253" command. I doubt that is hurting anything, but I don't think it would do anything either.
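The thread confirms that the "zone" command is available on this router but never shows a zone-based configuration. Below is an added example (mine, not from the thread) of a minimal zone-based firewall for the posted config, using the interface names shown in it (Vlan1, GigabitEthernet0/0, Dialer1, Cellular0/0/0) and the router's own self zone, so that unsolicited traffic to the WAN address is dropped by the firewall instead of being answered by the TCP stack with a RST. It assumes this IOS release accepts "inspect" for TCP, UDP and ICMP on zone-pairs that involve the self zone; if it does not, replace "inspect" on those two pairs with "pass" and narrow the class-map to the protocols the router actually uses. Zone, class-map and policy-map names are mine. The interface ACL from the post can stay in place; it is evaluated before the zone policy.

```cisco
! --- added example: zone-based firewall for the posted config (names are mine) ---
zone security INSIDE
zone security OUTSIDE
!
! What the LAN may start towards the internet; inspection creates the state
! that lets the replies back in, so no "established" or permit-any is needed
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Nothing unsolicited from the internet into the LAN: dropped, no RST, no ICMP
policy-map type inspect PM-OUTSIDE-TO-INSIDE
 class class-default
  drop log
!
! Sessions the router itself starts on the WAN: DNS forwarding for the LAN
! clients, NTP, and the ip sla 1 ping to 8.8.8.8 (assumes this release
! accepts "inspect" on self-zone pairs for tcp/udp/icmp; otherwise use "pass")
class-map type inspect match-any CM-SELF-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-SELF-TO-OUTSIDE
 class type inspect CM-SELF-TO-OUTSIDE
  inspect
 class class-default
  drop
!
! Unsolicited traffic to the router's own WAN address (telnet, ssh, ftp, any
! high port): dropped before it reaches the TCP stack, so the probe times out
policy-map type inspect PM-OUTSIDE-TO-SELF
 class class-default
  drop log
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-TO-INSIDE
zone-pair security SELF-TO-OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM-SELF-TO-OUTSIDE
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
!
! Both LAN segments share one zone (intra-zone traffic passes by default); LAN
! hosts still reach the router's own DHCP and DNS because no INSIDE<->self pair exists
interface Vlan1
 zone-member security INSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
! Both WAN paths must be in a zone: an interface that is in no zone cannot
! exchange traffic with zoned interfaces, which would break the 3G fallback
interface Dialer1
 zone-member security OUTSIDE
interface Cellular0/0/0
 zone-member security OUTSIDE
```

After applying it, "show zone-pair security" lists the four pairs and "show policy-map type inspect zone-pair sessions" shows the sessions the inspection is tracking; a telnet to the WAN address on any port, including the high port from the test, should now sit in the OUTSIDE-TO-SELF drop counter and time out at the client. Apply this from the console, as the poster already does, because the self-zone pair also governs any future management access from the WAN.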
