Solved: c2911 router can not telnet outside network

gdy1039 · ‎12-14-2016

Hi:

I have a c2911 router, have a not stable problem. which is can not connect to outside mail server 110 port, also fail by telnet test.

but I can ping success and seems open web site normal.

if I use "clear ip nat translation *" , it seems problem will gone.

I try to check show ip nat statis, active is about 13xxx.

would you please help to troubleshoot this problem?

please forgive my weak English.

Thank you.

below is show version

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Fri 05-Jun-15 13:24 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

Router2911-1 uptime is 16 hours, 3 minutes
System returned to ROM by reload at 17:18:15 beijing Wed Dec 14 2016
System restarted at 17:21:37 beijing Wed Dec 14 2016
System image file is "flash0:c2900-universalk9-mz.SPA.154-3.M3.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO2911/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FGL20091083
3 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
255488K bytes of ATA System CompactFlash 0 (Read/Write)

License Info:

License UDI:

-------------------------------------------------
Device# PID SN
-------------------------------------------------
*1 CISCO2911/K9 FGL20091083

Technology Package License Information for Module:'c2900'

------------------------------------------------------------------------
Technology    Technology-package                  Technology-package
              Current              Type           Next reboot
------------------------------------------------------------------------
ipbase        ipbasek9             Permanent      ipbasek9
security      securityk9           Permanent      securityk9
uc            None                 None           None
data          None                 None           None
NtwkEss       None                 None           None
CollabPro     None                 None           None

Configuration register is 0x2102

Router2911-1#

Connection to host lost.

gdy1039 · ‎12-15-2016

this network is not design by me.

But I think it's normal, because of this network IT policy is deny most subnet and deny network device connect internet. only permit exactly define subnet can be connect.

for example my test is under 10.10.12.0/24 and 192.168.88.0/24

this is a not stable problem, when it work it's using this config, when not work it's also using this config.

user said problem had happen many times.

I had not test too much. right now I am think about below question and will test with it once it happen again.

1: does this problem only happen for TCP connection? if yes why web browser seem working?

2: does it only for specify mail server, maybe we need try to test other outside mailbox when it happen.

I want to try to update IOS， I found 15.5.3M4a is release and suggest.

but I don't have permission download.

and do you know this version is fit for my box?

I also add this command to see if it can help.

ip nat translation timeout 28800

Thanks your quick reply, I never see a forum will reply so quickly and responsibility .

Thank you.

View solution in original post

Bobby Stojceski · ‎12-14-2016

Could you provide your "sh run" config to review.

gdy1039 · ‎12-15-2016

please kindly have a look at attachment.

Thank you.

Bobby Stojceski · ‎12-15-2016

What is the source and destination addresses you are using? I'm just trying to understand your interface configurations and the flow of packets you need. I imagine Gig0/0 is your WAN link and that the mail server is out on the WAN somewhere since you said 'external mail server'?

Are you trying to contact a mail server on port 110 (in the WAN) from a device on the Gig0/1 interface?

gdy1039 · ‎12-15-2016

Dear Bobby

yes, lan is under g0/1, and email server is host at internet which connect with g0/0

I am trying to connect from g0/1 pass g0/0 then connect internet email server.

Thank you.

Bobby Stojceski · ‎12-15-2016

You seem to be denying your Gi0/1 interface's subnet (192.168.200.0/24) from being NAT'ed to the Internet (or rather back the other way). You have it denied with the line

ip access-list deny ip any 192.168.0.0 0.0.255.255 <<< this includes 192.168.200.0

Any reason you want to deny the LAN subnet in this way? You can try and add this line above that somewhere:

ip access-list 100 permit ip 192.168.200.0 0.0.0.255 any

gdy1039 · ‎12-15-2016

this network is not design by me.

But I think it's normal, because of this network IT policy is deny most subnet and deny network device connect internet. only permit exactly define subnet can be connect.

for example my test is under 10.10.12.0/24 and 192.168.88.0/24

this is a not stable problem, when it work it's using this config, when not work it's also using this config.

user said problem had happen many times.

I had not test too much. right now I am think about below question and will test with it once it happen again.

1: does this problem only happen for TCP connection? if yes why web browser seem working?

2: does it only for specify mail server, maybe we need try to test other outside mailbox when it happen.

I want to try to update IOS， I found 15.5.3M4a is release and suggest.

but I don't have permission download.

and do you know this version is fit for my box?

I also add this command to see if it can help.

ip nat translation timeout 28800

Thanks your quick reply, I never see a forum will reply so quickly and responsibility .

Thank you.

gdy1039 · ‎01-08-2017

after I add above command, problem gone,

Thank you everybody

Tausif Gaddi · ‎01-09-2017

IT Policy on the network may be causing this, please recheck.