09-19-2008 01:31 PM - edited 03-03-2019 11:37 PM
I'm honestly embarrassed asking this question but for the life of me I've been unable to resolve the issue. ICMP makes it to ingress but telnet fails from remote subnets. There is another router in front of this device on the same subnet as the ingress, with no ACLs, and this device has no problems with telnet. Anything coming from the internet cannot get a login prompt.
!
interface FastEthernet0/0
ip address x.x.x.37 255.255.255.248
duplex auto
speed auto
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.33
!
line vty 0 4
password cisco
login
!
I've also tried adding "transport input telnet", but that did not correct my problem.
09-19-2008 01:32 PM
Additional information:
c1841#sho ver
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 06-Nov-06 01:09 by alnguyen
ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
c1841 uptime is 1 hour, 59 minutes
System returned to ROM by reload at 17:35:25 UTC Fri Sep 19 2008
System image file is "flash:c1841-advsecurityk9-mz.124-3g.bin"
.
.
Cisco 1841 (revision 6.0) with 234496K/27648K bytes of memory.
Processor board ID FTX1108Z2HN
6 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
c1841#sho inv
NAME: "1841 chassis", DESCR: "1841 chassis, Hw Serial#: xxxxxxx, Hw Revision: 6.0"
PID: CISCO1841 , VID: V04 , SN: xxxxxxx
NAME: "C1841 Motherboard with 2 Fast Ethernet", DESCR: "C1841 Motherboard with 2 Fast Ethernet"
PID: CISCO1841 , VID: 6.0, SN: xxxxxxx
NAME: "WIC/HWIC 0", DESCR: "4 Port FE Switch"
PID: HWIC-4ESW , VID: V01 , SN: xxxxxxx
09-19-2008 02:05 PM
John
There is not anything in what you have posted that would show us why remote telnet does not work. But I do not think that you have shown us enough for us to be able to say that it is not something in the router config. Perhaps you can show us more of the router configuration?
When you mention that no one from the internet can telnet it makes me wonder if someone remote from the router (but inside your network) is able to telnet, and to wonder if there is some issue with address translation that might be impacting telnet. Are you doing address translation? Can you show us exactly what is configured for address translation?
HTH
Rick
09-22-2008 07:21 AM
Hi Rick,
Thanks for taking a look at this.
As requested, I've attached the current running config. Interface fa0/0 is the egress port and the /29 configured on it is public. Currently there are no network address translations happening.
With regard to your inquiry about external vs. internal telnets, yes, I can telnet to fa0/0 locally from the 1841's gateway. There are no filters blocking telnet to the .37 IP address.
09-22-2008 08:38 AM
John
Thank you for posting the config. I have looked through it (and it is certainly minimally configured) and do not see anything in its configuration that would prevent telnet.
I believe that I am understanding your posts correctly that you can successfully ping this router address from remote addresses, so there is not an issue of IP accessibility (routing etc. is working). If anything remote cannot get a telnet prompt then I must believe that something is filtering out the telnet packets. A good way to check this would be to run debug telnet and then attempt telnet from a remote source. I predict that the debug will not show any telnet attempt arriving at the router.
HTH
Rick
09-22-2008 08:58 AM
I looked at your config, and I have to say that I don't see anything that would keep telnet from working either. Do you get immediately disconnected, or does it wait to timeout? You could try SSH, but you would need to generate a certificate on the device before doing that. What is this router behind: firewall, IPS/IDS, another router? If you have an IDS/IPS, it may be killing the connection when it sees traffic going to port 23 if not explicitly allowed.
--John
09-22-2008 10:48 AM
I didn't bother trying SSH since no other forwarding is working correctly. Something is wrong with the device in front of it, methinks. I can see no other explanation. What I'm having problems understanding is that the Netscreen running in parallel is having no issues with .34/.35. Perhaps switching the port will resolve the situation. I won't be able to accomplish that until later this evening but will post results. Still baffles me that ICMP gets through with no challenges.
09-22-2008 10:42 AM
I've been working this issue on/off this morning but have the same results. The configuration has been enhanced to allow local connectivity out, but I'm still having the same issues going in, unable to PAT 3389:
!
interface FastEthernet0/0
ip address x.x.x.37 255.255.255.248
ip access-group 100 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 100 permit tcp any host 192.168.2.2 eq 3389
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq telnet
!
If I deny ICMP on ACL 100, my pings stop, which confirms that L3 is routing correctly. No counters show up when attempting to telnet externally, but if I try to telnet from the device directly connected to the 1841, counters do increase:
c1841#sho access-lists
Standard IP access list 10
10 permit 192.168.2.0, wildcard bits 0.0.0.255
Extended IP access list 100
10 permit tcp any host 192.168.2.2 eq 3389
20 permit icmp any any (356 matches)
30 permit tcp any any eq telnet (15 matches)
Even though I'm 100% confident there are no filters configured on that block, it's obviously being blocked for some reason that I'm unable to confirm.
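The check being done by hand in this post (take a `sho access-lists` snapshot, attempt the connection, see which ACE counters moved) can be automated. This is an added example, not code from the thread or from Cisco: the two snapshots are constructed to mirror the posted output, and the parser assumes IOS's usual `(N matches)` suffix format.

```python
import re

# Constructed snapshots, modelled on the "sho access-lists" output in the thread.
# BEFORE is taken before a remote telnet attempt, AFTER right after it.
BEFORE = """\
Standard IP access list 10
    10 permit 192.168.2.0, wildcard bits 0.0.0.255
Extended IP access list 100
    10 permit tcp any host 192.168.2.2 eq 3389
    20 permit icmp any any (356 matches)
    30 permit tcp any any eq telnet (15 matches)
"""

AFTER = """\
Standard IP access list 10
    10 permit 192.168.2.0, wildcard bits 0.0.0.255
Extended IP access list 100
    10 permit tcp any host 192.168.2.2 eq 3389
    20 permit icmp any any (360 matches)
    30 permit tcp any any eq telnet (15 matches)
"""

ACL_HDR = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
# seq, action, rule text, optional "(N matches)" suffix
ACE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches?\))?\s*$")


def parse_access_lists(text):
    """Return {(acl_name, seq): (rule_text, match_count)}.
    IOS omits the '(N matches)' suffix for an entry that never matched,
    so a missing suffix is recorded as 0."""
    entries = {}
    acl = None
    for line in text.splitlines():
        m = ACL_HDR.match(line)
        if m:
            acl = m.group(2)
            continue
        m = ACE.match(line)
        if m and acl is not None:
            seq, action, rule, count = m.groups()
            entries[(acl, int(seq))] = (f"{action} {rule}", int(count or 0))
    return entries


def counter_deltas(before, after):
    """Per-entry increase in match count between two snapshots."""
    b = parse_access_lists(before)
    a = parse_access_lists(after)
    return {k: (a[k][0], a[k][1] - b.get(k, (None, 0))[1]) for k in a}


def entry_was_hit(before, after, acl, seq):
    """True if the given ACE counted at least one packet between snapshots."""
    return counter_deltas(before, after).get((acl, seq), ("", 0))[1] > 0
```

An ACE whose delta stays at 0 after a remote attempt means the packets never reached the ingress ACL on fa0/0, which points the search upstream rather than at the router config.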
09-22-2008 10:57 AM
What does the configuration look like for your internal interface? The one that you have ip nat inside applied to?
09-22-2008 11:03 AM
I'm using a BVI for the HWIC-4ESW. Here are the commands to make that work, but I would not think they should have an effect on an external telnet prompt:
!
!
bridge irb
!
!
!
interface Vlan1
no ip address
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.2.1 255.255.255.248
ip nat inside
ip virtual-reassembly
!
!
bridge 1 route ip
!
09-22-2008 11:13 AM
You said that the Netscreen beside it doesn't have a problem with .34/.35? You can also ping the device? What is this device's f0/0 connected to? Did you say that you CAN telnet from a 192.168.2.x address?
John
09-22-2008 11:22 AM
Both the Netscreen and the 1841 are plugged into a Netopia 3346 (.33). I can telnet from 192.168.2.2 and from x.x.x.33, but nothing past the Netopia.
09-22-2008 11:28 AM
Do you have the basic firewall enabled in the Netopia?
09-22-2008 11:59 AM
There are no filter sets applied to the current connection profile on the Netopia.
09-22-2008 11:14 AM
I noticed you have the ip nat outside statement on your outside interface. Can you provide the rest of the NAT config, including its ACL? The NAT ACL has to be precise; otherwise, what happens when you try telnetting from the outside is that the packets come in, then get translated going back out, and will never reach the source of the telnet.