Unable to telnet to or from router

Angelo ANELLO
Level 1

Hi guys, I am currently having an issue with telnetting to a router on my network. The router is working fine, and is contactable. I am trying to telnet to the router from a 192.168.10.xxx subnet.

Here's what I've tested so far:

I can ping the router remotely but cannot telnet to the router.

If I connect to a device on the same subnet as the router, I can then telnet to the router successfully.

I cannot telnet out of the router to any device on the network, including devices on the local subnet.

I can ping any device in the network, including devices on other subnets, from the CLI.

Below is an attached copy of the router config. Can someone please have a look and see if they can identify what the issue might be?

RTR#sh conf
Using 2954 out of 196600 bytes
!
! Last configuration change at 10:06:01 AEST Mon May 24 2010
! NVRAM config last updated at 15:55:26 AEST Tue May 25 2010
!
version 12.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
boot-start-marker
boot system flash:c2801-spservicesk9-mz.124-21a.bin
boot-end-marker
!
logging buffered 16384 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone AEST 10
clock summer-time AEST recurring 1 Sun Oct 2:00 1 Sun Apr 2:00
ip cef
!
no ip domain lookup
!
voice-card 0
!
class-map match-all MATCH-ESX-DR
 match access-group name ESX-DR-SERVERS
!
policy-map LIMIT-ESX-DR
 class MATCH-ESX-DR
    police 2000000
!
interface FastEthernet0/0
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.1.200
 ip route-cache flow
 duplex auto
 speed auto
 no keepalive
!
interface FastEthernet0/1
 bandwidth 20000
 ip address xxxxxxxxxxxxxxx xxxxxxxxxxxxxx
 ip route-cache flow
 speed 100
 full-duplex
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
router bgp 65000
 no synchronization
 bgp default local-preference 200
 bgp log-neighbor-changes
 network 192.168.20.0
 timers bgp 15 45
 redistribute connected
 redistribute static
 neighbor 10.xxx.xxx.xxx remote-as 7474
 no auto-summary
!
ip forward-protocol nd
!
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.1.67 9996
!
no ip http server
no ip http secure-server
!
ip access-list extended ESX-DR-SERVERS
 permit ip 192.168.1.0 0.0.0.255 host 192.168.20.55 time-range BUSINESS-DAY
 permit ip 192.168.1.0 0.0.0.255 host 192.168.20.57 time-range BUSINESS-DAY
!
snmp-server community xxxxsnmp RO
!
control-plane
!
banner motd ^CCC
******************************************************
*                                                    *
*      ---- Unauthorised Access Prohibited ----      *
*                                                    *
*      Your access to this device will be logged     *
*                                                    *
******************************************************
^C
!
line con 0
 exec-timeout 20 0
 privilege level 15
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 login
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 20 0
 privilege level 15
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 login
 transport input telnet
 transport output telnet
line vty 5 15
 privilege level 15
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 login
 transport input telnet
 transport output telnet
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
sntp server 192.168.1.252
time-range BUSINESS-DAY
 periodic weekdays 7:00 to 19:00
!
end

Any help is greatly appreciated

Regards


Giuseppe Larosa
Hall of Fame

Hello Angelo,

As no ACL is applied with access-class under the line vty configuration, there is no limitation to telnet to or from on the device itself.

A telnet session is a TCP session on port 23 server side.

The problem can be caused by the network around your device if:

- asymmetric routing is happening

- a stateful firewall is on one of the possible paths and it sees only one direction of the connection attempt

To understand if this applies, you should perform traceroute from both sides to understand if multiple paths exist.

I mean from the affected router in the DR site and from the main site or whatever place you would like to be able to connect to/from.

Another possible check is to see if you have applied security features like CBAC on the WAN interface; this might explain why you can telnet from "inside" as you have noted.

What if you try to telnet to the IP address on the internal IP subnet from remote?

Have you tested this?

Sorry for the basic question.

Hope to help

Giuseppe
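The observation above, that no access-class is applied under line vty, can be checked mechanically before looking at the surrounding network. The following is an added example, not part of the thread or of any Cisco tool: it audits the vty sections of a pasted config. The sample config, function names and finding strings are constructed for illustration, and the second vty range is a hypothetical hardened variant shown for contrast.

```python
import re

# Constructed sample shaped like the management lines in the config posted above;
# the second vty range is a hypothetical hardened variant for contrast.
SAMPLE = """\
line con 0
 login
line vty 0 4
 privilege level 15
 password 7 REDACTED
 login
 transport input telnet
line vty 5 15
 access-class 10 in
 login local
 transport input ssh
!
scheduler max-task-time 5000
"""

def vty_blocks(config):
    """Map each 'line vty ...' header to its sub-commands.
    Blocks end at '!' or the next 'line' header, so pastes that lost
    their indentation (as forum copies often do) still parse."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            current = blocks.setdefault(line, []) if line.startswith("line vty ") else None
        elif line == "!":
            current = None
        elif line and current is not None:
            current.append(line)
    return blocks

def audit_vty(config):
    """Return (header, finding) pairs for exposed vty ranges."""
    findings = []
    for header, cmds in vty_blocks(config).items():
        if not any(re.match(r"access-class \S+ in\b", c) for c in cmds):
            findings.append((header, "no inbound access-class"))
        if any(re.match(r"transport input\b.*\b(telnet|all)\b", c) for c in cmds):
            findings.append((header, "cleartext telnet accepted"))
        if "privilege level 15" in cmds and "login" in cmds:
            findings.append((header, "line password alone grants privilege 15"))
    return findings

if __name__ == "__main__":
    for header, finding in audit_vty(SAMPLE):
        print(f"{header}: {finding}")
```

An empty result for a vty range means the device itself restricts who may connect, so a failed remote telnet to that range is not by itself evidence of a path or firewall problem.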

Thanks for your reply Giuseppe.

I can tracert to the LAN interface from a different subnet to the router, e.g. tracert from the .10.xxx subnet to the router's .20.xxx subnet.

When I try to telnet from the same computer on subnet .10 in a remote location, I am unsuccessful. If I log on to a server in the same subnet as the router, I can telnet successfully.

Could there be a restriction to telnet to this device on another router or firewall?

no ip domain lookup - this is the only router with this setting, whereas the other routers have ip domain lookup domain name. Could it be that the router cannot traverse across the network due to not having the domain identified?

None of the other routers on the network have this issue and it has been since its inclusion. 

Your feedback is appreciated

Grazie

Hi,

no ip domain-lookup will prevent the router from doing DNS requests, and it would only be a problem on the device you are telnetting from if you were specifying a name instead of an IP address, but in this case you would have to configure a DNS server or hosts entries in the router.

Regards.

Alain.

Don't forget to rate helpful posts.

Hello Angelo,

As Alain has correctly noted, no ip domain-lookup influences the capability of the router to use a DNS server to resolve a hostname, so it has an impact only on sessions starting from the router to another device when using a hostname instead of the remote device's IP address.

It shouldn't have an effect on the capability of opening a telnet/ssh session to the device itself.

Hope to help

Giuseppe

Thanks to all for your replies.

So just to confirm, after looking at the above config, there should be no reason stopping the ability to telnet to this device from a subnet other than the one the interface resides on?

If not, I will try a reboot.

Do you have a username and password configured?

It may help

Eugen

Lawmaker121
Level 1

Sounds like a firewall problem blocking ports.

Turns out that the subnet mask was wrong on the WAN interface and therefore was not contactable. Once changed, it is now contactable.
