03-07-2014 05:33 PM - edited 03-07-2019 06:35 PM
I cannot telnet or ssh into my 1841 router from within the network. I am able to telnet/ssh into the device from an external source.
Below is a copy of my configs:
Building configuration...
Current configuration : 2590 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Lab
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$IjDg$vj14Kiby4ByikypGwD/SC.
enable password 7 09461E084C1C131705
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.2.2
!
ip dhcp pool switch
network 192.168.1.0 255.255.255.0
default-router 192.168.1.5
dns-server 200.1.104.35 200.1.104.36
!
ip dhcp pool TEST
network 192.168.2.0 255.255.255.0
default-router 192.168.2.2
dns-server 200.1.104.35 200.1.104.36
!
!
ip cef
ip domain lookup source-interface FastEthernet0/0
ip domain name test
ip name-server 200.1.104.35
ip name-server 200.1.105.36
multilink bundle-name authenticated
!
!
!
!
!
username admin privilege 15 password 7 060C00374D400710
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
interface FastEthernet0/0
ip address 192.168.0.5 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.5 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip default-gateway 192.168.0.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
no ip http server
no ip http secure-server
!
ip nat pool Jason 192.168.1.1 192.168.1.200 prefix-length 24
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 7 pool admin overload
ip nat inside source static tcp 192.168.1.5 33 interface FastEthernet0/0 3333
ip nat inside source static tcp 192.168.0.5 22 interface FastEthernet0/0 2222
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 7 permit 192.168.1.0 0.0.0.31
access-list 7 permit 192.168.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
password 7 09464F1A160B
logging synchronous
line aux 0
line vty 0 4
logging synchronous
transport input ssh
line vty 5 14
logging synchronous
transport input ssh
line vty 15
transport input ssh
!
scheduler allocate 20000 1000
03-17-2014 03:24 PM
03-17-2014 06:54 PM
Hey Paul,
I have no firewall on the LAN host. I also turned off all security settings on the connecting device, but I am met with the same result.
03-19-2014 02:12 PM
Hi there,
SSH is not configured properly; the command below is missing:
crypto key generate rsa
You are not able to telnet because you have issued the "transport input SSH" command under the VTY lines, which disables telnet.
Also "login local" or
line vty 0 4
login
password <password>
commands are missing under VTY lines and console.
03-27-2014 07:43 AM
This is a curious and somewhat misleading response.
First of all the crypto key generate command never shows up in the running configuration. And the original post tells us that access does work from outside. So that pretty much says that SSH is correctly configured.
And the configuration certainly does not need login local or a password on the vty. It has this in the configuration
aaa new-model
aaa authentication login default local
and they supersede both login local and the password on the vty.
I agree with a couple of previous responses that the configuration only allows SSH access and not telnet. If you really want telnet access then the vty should specify transport input telnet ssh. Is it possible that attempts to access the router from inside were using telnet and not SSH?
If access to the router from outside is successful then I do not see anything in the config that would prevent access from inside, other than perhaps some issue with the source address of the attempt to access the router.
HTH
Rick
04-03-2014 09:01 PM
04-04-2014 08:37 AM
This is an interesting response and it made me look more closely at this aspect of the config. Let me first respond to the point of this response. In general there is not a problem if you assign an IP address to the physical interface (or the root level as you phrase it) if there will be trunking to a switch on that interface. Assigning an IP to the physical interface just means that it will process the untagged frames for the native vlan.
However I believe that this response does indeed point out the problem that is impacting access to the router from addresses inside. Not only is there an IP address on the physical interface (so it would try to process for the native vlan) but there is also a subinterface configured that also is trying to process for the native vlan. And the subinterface address is a different subnet.
interface FastEthernet0/1
ip address 192.168.1.5 255.255.255.0
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.2 255.255.255.0
So the original poster needs to figure out which address is the one that agrees with devices connected in that vlan and then to remove the extra interface address.
HTH
Rick
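Added example, not part of the original thread and not a Cisco tool: a Python check for the condition described in the reply above, where a physical interface carries an IP address while one of its subinterfaces is also marked as the dot1Q native VLAN. The function names and the sample text are assumptions made for illustration; the sample is built from the interface lines posted in this thread.

```python
import ipaddress
import re

# Constructed sample: interface stanzas taken from the configuration in this thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.0.5 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.1.5 255.255.255.0
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.2 255.255.255.0
"""

def parse_interfaces(config):
    """Map each interface name to the list of commands in its stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split()[1], [])
        elif not line or line.startswith("!"):
            current = None  # a blank line or '!' closes the stanza
        elif current is not None:
            current.append(line)
    return stanzas

def subnet(cmds):
    """Return the primary IPv4 network configured in a stanza, or None."""
    for cmd in cmds:
        m = re.fullmatch(r"ip address ([\d.]+) ([\d.]+)", cmd)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return None

def native_vlan_conflicts(config):
    """Find 'native' subinterfaces whose parent interface also has an IP address."""
    stanzas, findings = parse_interfaces(config), []
    for name, cmds in stanzas.items():
        parent, dot, _ = name.partition(".")
        is_native = any(re.fullmatch(r"encapsulation dot1Q \d+ native", c) for c in cmds)
        p_net, s_net = subnet(stanzas.get(parent, [])), subnet(cmds)
        if dot and is_native and p_net is not None and s_net is not None:
            findings.append((parent, name, str(p_net), str(s_net), p_net != s_net))
    return findings

if __name__ == "__main__":
    print(native_vlan_conflicts(SAMPLE_CONFIG))
```

Each finding lists the parent interface, the subinterface, their two subnets, and whether the subnets differ; removing the address from either interface clears the finding.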
03-17-2014 06:42 PM
I think you do not have telnet enabled.
Either use transport input all or transport input ssh telnet on the vty ports. Check to see if this switch supports encryption.
03-17-2014 06:51 PM
Hi all
With telnet/ssh or transport input all, I remain with the same result: unable to log in. There is a connection; however, there is no login prompt.
03-18-2014 06:25 AM
What IP address are you using to connect to the device?