Telnet to port 551

alvin.yip
Level 1

I am trying to allow telnet to port 551 but I couldn't get it to work.

I am using a Cisco 1720 router running IOS 12.2.

I am using the below commands to set the access list to allow access to port 551 using remote telnet to the Cisco router.

hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 permit tcp any any eq 551

After I enter the above command the router will disconnect me and I will not be able to connect to it for a while. Once the router is up I am still unable to telnet to port 551. Is there anything I am doing wrong?

Pls advise. Tks!!

14 Replies

andrew.prince
Level 10

At the end of the acl (default) there is a deny any any

So all other traffic is being dropped.

What are you trying to do - exactly?

Hi Andrew,

Which means there is an implicit deny entry at the end. Is that what you are saying?

Is there any way to complete writing my acls before my connection gets cut off? It seems after entering 1 acl, the connection is cut off. Does that mean the router is applying the configuration and is rebooting?

Your ACL only allows TCP connections with a destination port 551 to enter the interface.

So if you are connecting to the router remotely you are going to cut yourself off.

When you are writing an ACL you need to think about what you want to do, in relation to the device you are configuring.

So with that in mind - you must NEVER forget that there is an implicit deny any any at the end of ALL access-lists.  You will not see it, it's the default.

melladoosra
Level 1

Why don't you just apply an access list on the vty lines? If that is what you are trying to do...

line vty 0 15

access-class 15 in

access-list 15 permit 192.168.1.x or whatever network or hosts you want to allow to telnet into the router

johnlloyd_13
Level 9

hi alvin,

kindly advise if the host you're trying to telnet to using this port is outside your router's WAN or inside your LAN. you need to add static NAT or port forwarding in addition to your ACL. see if it works.

Hi All,

Tks for your response.

The scenario is like this. Our company has 2 sites, let's call them A and B. Both A and B are in different countries. A needs to configure a device in B and has requested to open TCP and UDP connections to port 551. And they are testing the connection using a telnet. So essentially they are trying to telnet to port 551 of the router to ensure the port has been opened.

Therefore given the above scenario, there should be no need for NAT since they are telnetting to the router's public ip address. Right?

Hope the above gives a better idea as to what i am trying to achieve.

Thanks people.

Hi,

A needs to configure a device in B and has requested to open TCP and UDP connections to port 551. And they are testing the connection using a telnet. So essentially they are trying to telnet to port 551 of the router to ensure the port has been opened.

Between the 2 sites there is a WAN - if it's the internet (xDSL or cable) then every router is performing NAT to translate from inside your site to a public address on the internet, as private addresses aren't routable.

With the ACL you were writing you were permitting to this router only tcp port 551, and if you were connected by telnet or ssh or http/https then, as these ports were denied due to the implicit deny any at the bottom of any ACL, you were losing your connection. But as you hadn't issued a copy run start, when reloading your ACL wasn't in your config, and as you were putting it back you were disconnected again.

So what you need to do is a static nat for the device in B and then an ACL permitting traffic for this port on the natted address.

e.g:

ip nat inside source static   

ip access-list extended TEST

permit tcp host eq 551

permit udp host eq 551

inside interface: ip nat inside

outside interface: ip nat outside and ip access-group TEST in

Regards.

Don't forget to rate helpful posts.

Hi Cadetalain,

Tks for your response.

I do not think I need to implement the NAT. Basically all I want to do is open up port 551 on the router, which seems to be closed at the moment.

I would like to be able to telnet to the router using port 551. Which means I can issue the command: telnet 551, and get connected to the router. Is there a simple way to do this?

Alvin

Alvin,

The IOS telnet process will only listen on port 23.  There is no way to change the port which the telnet process listens to.  But, you can use NAT to translate packets destined to port 551 to port 23 and then use an ACL to deny port 23 on the outside.  For example:

Interface loopback 0

ip address 1.1.1.1 255.255.255.255

ip nat inside

!

Interface GigabitEthernet0/0

ip address 10.2.1.1 255.255.255.0

ip access-group 101 in

ip nat outside

!

ip nat inside source static tcp 1.1.1.1 23 10.2.1.1 551 extendable

!

access-list 101 deny tcp any any eq telnet

access-list 101 permit ip any any

With this config, when a user on the 10.2.1.0 network telnets to 10.2.1.1 551 NAT will translate the packet to 1.1.1.1 23.  The telnet process will respond since it is listening to port 23.  If the same user tries to telnet to 10.2.1.1 23 then the connection will be denied (destination unreachable).

Tim
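An added example (not from this thread or from Cisco) that models the two points made above: the invisible deny at the end of every IOS ACL that cut off alvin's telnet session, and the static port translation in Tim's config. The order of operations assumed is the documented IOS one for an `ip nat outside` interface: inbound ACL first, then outside-to-inside NAT; the 10.2.1.50 source address is constructed.

```python
# Added example, not code from the thread. Toy model of IOS inbound ACL matching
# (first match wins, implicit "deny any any") plus a static PAT entry.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def acl_permits(acl, pkt):
    """ACL entries are (action, proto, dport); proto "ip"/dport None mean any."""
    for action, proto, dport in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False  # the invisible 'deny any any' at the end of every IOS ACL


def static_nat(nat_table, pkt):
    """Inbound half of 'ip nat inside source static tcp <in> <iport> <out> <oport>':
    a packet to <out>:<oport> is rewritten to <in>:<iport>."""
    hit = nat_table.get((pkt.proto, pkt.dst, pkt.dport))
    if hit is None:
        return pkt
    inside, iport = hit
    return Packet(pkt.proto, pkt.src, inside, iport)


def inbound(acl, nat_table, pkt):
    """Inbound on an 'ip nat outside' interface: ACL is checked before NAT."""
    if not acl_permits(acl, pkt):
        return "dropped by ACL"
    out = static_nat(nat_table, pkt)
    return f"delivered to {out.dst}:{out.dport}"


ACL_102 = [("permit", "tcp", 551)]                     # alvin's original list
ACL_101 = [("deny", "tcp", 23), ("permit", "ip", None)]  # Tim's list
NAT_TIM = {("tcp", "10.2.1.1", 551): ("1.1.1.1", 23)}   # Tim's static PAT


def demo():
    telnet = Packet("tcp", "10.2.1.50", "10.2.1.1", 23)   # constructed client
    p551 = Packet("tcp", "10.2.1.50", "10.2.1.1", 551)
    return {"acl102_telnet": inbound(ACL_102, {}, telnet),
            "acl102_551": inbound(ACL_102, {}, p551),
            "tim_telnet": inbound(ACL_101, NAT_TIM, telnet),
            "tim_551": inbound(ACL_101, NAT_TIM, p551)}
```

Running `demo()` shows the management telnet session dropped under ACL 102 (only 551 survives), while under Tim's config port 23 is denied on the outside and port 551 is rewritten to the loopback's port 23.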

Hi,

There is no way to change the port which the telnet process listens to

You can make it listen on another port on a specific line, but in a certain range (which is not your range), with the rotary command.

http://ccietobe.blogspot.com/2008/07/allowing-telnet-to-non-standard-port.html

Don't forget to rate helpful posts.

Hi Timothy and Cadetalain,

Thanks guys. I have little experience in configuring Cisco Routers as you guys most probably have guessed.

I have instructions from UK IT side to open port 551 and they are trying to test it using a telnet to the public IP of the router using the port 551. As explained by you guys they will never be able to telnet to that port.

Is there any way to test if a port has been opened?

I have created access-list of the following.

access-list 101 permit tcp any any eq 551

access-list 101 permit udp any any eq 551

How do I apply this to an interface?

I see that the inside interface has the following

ip nat inside source static tcp 0.0.0.0 551 0.0.0.0 551 extendable

This should mean any devices on the inside network can contact the outside network using port 551 right?

Hi,

As explained by you guys they will never be able to telnet to that port

I never told that.

I said that if they want to access a machine in your LAN on port 551 you must do 2 things:

1) as this machine has a private ip address you must do a static nat so that machines connecting to public address are in fact connecting to private address.

2) if you have a firewall you must allow the connections to this machine.

But if port 551 is not opened on the machine this won't work; you'll receive a port unreachable message.

If you omit part 1) then you connect to the router, and as port 551 is not opened and telnet is by default configured to listen on port 23, it won't work either.

Then we told you that there was some way to make the router listen for telnet on a different port, but not 551.

This should mean any devices on the inside network can contact the outside network using port 551 right?

As explained above no: this means outside devices contacting tcp port 551 on any address of the router are in fact contacting any device inside on tcp port 551.

How do i apply this to an interface

It depends on your firewall config but you would implement this on outside interface ingress with this command:

ip access-group in

Regards.

Don't forget to rate helpful posts.

Tks for the clarification. I understand what you mean now. I have learnt a lot about Cisco router configuration through this.

Thanks!!

alvin.yip
Level 1

Hi Everyone,

Thanks for the help provided.

I have managed to solve this problem. The overseas office was trying to telnet to a box within the network as correctly pointed out by some of you. I have clarified this with them.

I have solved this by setting up a NAT for port forwarding (as illustrated by Timothy's solution above).

ip nat inside source static tcp 192.168.0.72 551 atm0.1 551 extendable

It is working now.

Thanks once again.

Alvin
