
not able to telnet to pppoe ip address from remote network


Hi everyone,

I have a 1941 router with gig 0/0 configured to act as PPPoE WAN, through which the dialer 1 interface connects to the ISP. The PPPoE connection is up and has an IP address (gained through negotiation). The problem is that I can't telnet to the IP address of the dialer 1 interface from a remote network, and unfortunately the telnet connection times out, although it works without any problem from within the local LAN of gig 0/0 to that same IP address of dialer 1. Here is what I have already tried:

1- I have changed the MTU and MSS of the dialer interface.

2- Set access-list any with log enabled on line vty, which logs just telnet connections to the gig 0/0 IP address but not the dialer IP address (it means the connection does not reach the router).

3- I activated "ip nat inside static" with dialer 1 as output and gig 0/1 as input interface, but with no result, so I cleared the config.

4- I am sure telnet is not blocked by the ISP.

Thanks, everybody, in advance.

By the way here is my configuration:

Router#show run
Building configuration...

Current configuration : 1820 bytes
!
! Last configuration change at 11:11:08 UTC Thu Jun 8 2017
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.156-3.M1.bin
boot-end-marker
!
!
logging buffered 16000
enable secret 5 $1$am..$3LBECeZtyF7lHQgr.vXEL0
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941/K9 sn FCZ1430927H
!
!
username psp password 0 12321
!
redundancy
!
!
ip tcp ecn
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PPPoE-Shatel
ip address 192.168.88.211 255.255.255.0
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
!
interface Dialer1
mtu 1404
ip address negotiated previous
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1380
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 0 xxxxxx
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
dialer-list 1 protocol ip permit
!
!
access-list 2 permit any log
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 2 in
password 12321
login local
transport input all
!
scheduler allocate 20000 1000
!
end

13 Replies

Hi

Do you want telnet to manage the device?

Try configuring

line vty 0 4
login local




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<

Thanks for your reply, Julio, but as you can see I have set the same config on line vty:

line vty 0 4
access-class 2 in
password 12321
login local
transport input all

Hello

Your Dialer interface is set to negotiate an address from the ISP via the same physical interface that has a static address applied.

Try removing this static address and renegotiating ISP addressing, and then test telnet again against the newly received address and not the present statically assigned address.

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I have already tested that with no success. Besides, show ip interface brief shows a valid IP on dialer 1 which can be easily pinged. I can even open the HTTP page of the router if it were enabled.

Hello

To confirm: you have removed the static IP address of the physical interface and you can ping the allocated IP address of the dialer interface but cannot telnet to it?

Can you perform some debugging please and post the results for the failing IP address of the Dialer1 interface?

access-list 100 permit tcp any any eq telnet log
debug condition interface Dialer1
debug ip packet detail 100


res
Paul



The situation is as you've got it; besides, I can ping the negotiated IP from the same network segment as the WAN port (gig 0/0).

I'll post the result of the instructions you mentioned as soon as possible.

And I appreciate your help.

Hello 

Forgot to ask - without NAT, you say your internal network is able to reach the internet?

So I am assuming your ISP is doing this for you?

res

Paul



No, I could ping the internet from within the router without NAT, though I set up NAT for the local LAN to access the Internet and again telnet to the router was not possible remotely.

Hello

Okay, so to be able to remotely access your network (via the WAN) you'll need NAT, as the addressing you have shown isn't routable, so it won't be reachable.

However, this should not prohibit you from remotely accessing the rtr if the rtr itself is receiving a public routable address from the ISP.

Can you confirm you are receiving a public IP and not a private one as you have posted in your OP?

res
Paul



Hi, Paul

After executing the commands you mentioned above, I figured out that no packet is being received in the router and the telnet port is blocked by the ISP; they had already denied that, but after more investigation they confirmed it. All these days I was looking for black been.

After all, I appreciate your help to others, and thank you.

Hello

Great news - having proof in the form of some debug or logging can come in very handy.

Glad I have been of some help.

res

paul



I changed the telnet port to 7034 and now I can telnet to my router. Here is the config:

access-list 120 permit tcp any any eq 7034

line vty 0 4
access-class 120 in
privilege level 15
login local
rotary 34
transport input telnet ssh

Just as a reference for others: rotary adds 7000 to the number set in the command (7000 + 34 = 7034).
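A defender's view of the vty configuration in the post above, as an added example that is not part of the thread: a small Python check that flags Telnet on the vty lines, an access-class ACL that permits any source, privilege level 15 granted at login, and the port a rotary group maps to (7000 + N, as stated in the post). The function names and finding labels are hypothetical, and the sample config is constructed from the post.

```python
import re

# Constructed sample: the vty configuration quoted in the post above.
SAMPLE_CONFIG = """\
access-list 120 permit tcp any any eq 7034
!
line vty 0 4
 access-class 120 in
 privilege level 15
 login local
 rotary 34
 transport input telnet ssh
!
"""

def parse_vty_blocks(config):
    """Return the sub-commands of each 'line vty' block as a list of lists."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line vty"):
            current = []
            blocks.append(current)
        elif line in ("", "!", "end") or line.startswith("line "):
            current = None          # separator or another line block ends it
        elif current is not None:
            current.append(line)
    return blocks

def acl_permits_any_source(config, acl_id):
    """True if a numbered ACL has a permit entry whose source is 'any'."""
    pattern = rf"^access-list {re.escape(acl_id)} permit (?:\w+ )?any\b"
    return re.search(pattern, config, re.MULTILINE) is not None

def audit_vty(config):
    """Hypothetical audit helper: list risky settings on the vty lines."""
    findings = []
    for cmds in parse_vty_blocks(config):
        for cmd in cmds:
            words = cmd.split()
            if words[:2] == ["transport", "input"] and {"telnet", "all"} & set(words[2:]):
                findings.append("telnet-enabled")        # cleartext management
            elif words[0] == "rotary":
                # Per the post: rotary N maps to TCP port 7000 + N.
                findings.append(f"rotary-port-{7000 + int(words[1])}")
            elif words[:3] == ["privilege", "level", "15"]:
                findings.append("privilege-15-on-login")
            elif words[0] == "access-class" and acl_permits_any_source(config, words[1]):
                findings.append(f"acl-{words[1]}-any-source")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append("no-access-class")
    return findings
```

Restricting the ACL source to a management host and setting `transport input ssh` leaves only the rotary port finding.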

Hello

Cheers for the rating - FYI, I use rotary quite a lot as a backdoor when using TACACS and there is a need for access for someone who doesn't have a TACACS account.

res 

paul

