Cannot telnet/ssh into an 1841 router from within the network

jahblessed0205
Level 1

I cannot telnet or SSH into my 1841 router from within the network. I am able to telnet/SSH into the device from an external source.

Below is a copy of my config:

Building configuration...

Current configuration : 2590 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Lab
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$IjDg$vj14Kiby4ByikypGwD/SC.
enable password 7 09461E084C1C131705
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.2.2
!
ip dhcp pool switch
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.5
   dns-server 200.1.104.35 200.1.104.36
!
ip dhcp pool TEST
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.2
   dns-server 200.1.104.35 200.1.104.36
!
!
ip cef
ip domain lookup source-interface FastEthernet0/0
ip domain name test
ip name-server 200.1.104.35
ip name-server 200.1.105.36
multilink bundle-name authenticated
!
!
!
!
!
username admin privilege 15 password 7 060C00374D400710
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.5 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.5 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip default-gateway 192.168.0.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
no ip http server
no ip http secure-server
!
ip nat pool Jason 192.168.1.1 192.168.1.200 prefix-length 24
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 7 pool admin overload
ip nat inside source static tcp 192.168.1.5 33 interface FastEthernet0/0 3333
ip nat inside source static tcp 192.168.0.5 22 interface FastEthernet0/0 2222
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 7 permit 192.168.1.0 0.0.0.31
access-list 7 permit 192.168.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
 password 7 09464F1A160B
 logging synchronous
line aux 0
line vty 0 4
 logging synchronous
 transport input ssh
line vty 5 14
 logging synchronous
 transport input ssh
line vty 15
 transport input ssh
!
scheduler allocate 20000 1000

9 Replies

Hello, I assume you are trying to SSH and not Telnet. Do you have any software firewall enabled on the LAN hosts?


Kind Regards
Paul

Hey Paul,

I have no firewall on the LAN host. I also turned off all security settings on the connecting device, but I am met with the same result.

Hi there,

SSH is not configured properly; the command below is missing:

crypto key generate rsa

You are not able to telnet because you have issued the "transport input ssh" command under the VTY lines, which disables telnet.

Also, "login local" or

line vty 0 4
 login
 password <password>

commands are missing under the VTY lines and console.

This is a curious and somewhat misleading response.

First of all, the crypto key generate command never shows up in the running configuration. And the original post tells us that access does work from outside. So that pretty much says that SSH is correctly configured.

And the configuration certainly does not need login local or a password on the vty. It has this in the configuration:

aaa new-model

aaa authentication login default local

and they supersede both login local and the password on the vty.

I agree with a couple of previous responses that the configuration only allows SSH access and not telnet. If you really want telnet access then the vty should specify transport input telnet ssh. Is it possible that attempts to access the router from inside were using telnet and not SSH?

If access to the router from outside is successful then I do not see anything in the config that would prevent access from inside, other than perhaps some issue with the source address of the attempt to access the router.

HTH

Rick

What address are you trying to ssh into? I was always told not to put an IP address on an interface at the "root" level if you were going to use sub-interfaces. Other than not being able to hit the vty ports from the internal network, is this router working correctly?

This is an interesting response and it made me look more closely at this aspect of the config. Let me first respond to the point of this response. In general there is not a problem if you assign an IP address to the physical interface (or the root level, as you phrase it) if there will be trunking to a switch on that interface. Assigning an IP to the physical interface just means that it will process the untagged frames for the native vlan.

However, I believe that this response does indeed point out the problem that is impacting access to the router from addresses inside. Not only is there an IP address on the physical interface (so it would try to process for the native vlan) but there is also a subinterface configured that is also trying to process for the native vlan. And the subinterface address is in a different subnet.

interface FastEthernet0/1
 ip address 192.168.1.5 255.255.255.0
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.2 255.255.255.0

So the original poster needs to figure out which address is the one that agrees with devices connected in that vlan and then remove the extra interface address.

HTH

Rick

Smalls1232
Level 1

I think you do not have telnet enabled.

Either use transport input all or transport input ssh telnet on the vty ports. Check to see if this switch supports encryption.
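Rick's analysis of the physical interface and the native-tagged subinterface both claiming untagged frames, and the several replies about transport input and about aaa new-model superseding a per-line login, are all things that can be checked mechanically from the running-config text before anyone changes a line on the box. The script below is an added example, not code from the original post or from Cisco: it parses "show running-config" output into stanzas and reports the native-VLAN overlap, each vty range's transport input (and whether telnet is admitted), and where vty logins authenticate. The stanza parser, the function names and SAMPLE_CONFIG (a constructed subset of the thread's config) are my own assumptions; the script does not model what IOS does when transport input is absent and simply reports None for that case.

```python
"""Lint a Cisco IOS running-config for the points raised in this thread.

Added example, not from the original post or from Cisco. It parses "show
running-config" text and reports (1) a physical interface that carries an IP
address while one of its dot1Q subinterfaces is tagged "native", so both claim
the untagged frames, (2) each vty range's "transport input" and whether telnet
is admitted, (3) where vty logins authenticate: the AAA default list when
"aaa new-model" is on, otherwise the line's own "login" command.
SAMPLE_CONFIG is a constructed subset of the config posted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
!
interface FastEthernet0/1
 ip address 192.168.1.5 255.255.255.0
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.2 255.255.255.0
!
line vty 0 4
 transport input ssh
line vty 5 14
 transport input ssh
"""


@dataclass
class Stanza:
    header: str                                # the unindented config line
    lines: list = field(default_factory=list)  # its indented sub-commands


def parse_stanzas(config: str) -> list:
    """Group indented lines under the preceding unindented header;
    '!' separators and blank lines are dropped."""
    stanzas, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            current.lines.append(raw.strip())
        else:
            current = Stanza(raw.strip())
            stanzas.append(current)
    return stanzas


def _ip_of(stanza: Stanza):
    """The stanza's 'ip address A M' as an IPv4Interface, or None."""
    hits = [m for m in (re.match(r"ip address (\S+) (\S+)$", ln)
                        for ln in stanza.lines) if m]
    return ipaddress.ip_interface(f"{hits[0][1]}/{hits[0][2]}") if hits else None


def find_native_conflicts(stanzas: list) -> list:
    """(physical, subif, physical_net, sub_net) for each native-tagged
    subinterface whose parent interface also carries an IP address."""
    ifs = {s.header.split(None, 1)[1]: s
           for s in stanzas if s.header.startswith("interface ")}
    conflicts = []
    for name, sub in ifs.items():
        parent = ifs.get(name.split(".")[0]) if "." in name else None
        native = any(re.match(r"encapsulation dot1[qQ] \d+ native$", ln)
                     for ln in sub.lines)
        if parent is None or not native or _ip_of(parent) is None:
            continue
        sub_ip = _ip_of(sub)
        conflicts.append((name.split(".")[0], name, str(_ip_of(parent).network),
                          str(sub_ip.network) if sub_ip else None))
    return conflicts


def vty_transports(stanzas: list) -> dict:
    """'line vty ...' header -> set of transports from its last 'transport
    input', or None when the command is absent (platform default applies)."""
    result = {}
    for s in stanzas:
        if s.header.startswith("line vty"):
            inputs = [ln.split()[2:] for ln in s.lines if ln.startswith("transport input ")]
            result[s.header] = set(inputs[-1]) if inputs else None
    return result


def telnet_allowed(transports) -> bool:
    """True when a configured transport set admits telnet ('telnet' or 'all')."""
    return transports is not None and bool(transports & {"telnet", "all"})


def vty_login_source(stanzas: list) -> dict:
    """vty header -> 'aaa:<default list>' when 'aaa new-model' is present (it
    supersedes per-line 'login'), else the line's own 'login' command or 'none'."""
    heads = [s.header for s in stanzas]
    aaa_list = next((h for h in heads if h.startswith("aaa authentication login default")), None)
    out = {}
    for s in (s for s in stanzas if s.header.startswith("line vty")):
        logins = [ln for ln in s.lines if ln == "login" or ln.startswith("login ")]
        out[s.header] = ("aaa:" + (aaa_list or "unset") if "aaa new-model" in heads
                         else logins[-1] if logins else "none")
    return out
```

Run against SAMPLE_CONFIG, find_native_conflicts reports FastEthernet0/1 (192.168.1.0/24) against FastEthernet0/1.1 (192.168.2.0/24), every vty range comes back as {"ssh"} with telnet not admitted, and the login source is the AAA default list rather than anything on the line. Deleting the ip address line from the physical interface, which is one of the two fixes Rick describes, makes the conflict list empty, so the same script can confirm the change before it is pushed.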

jahblessed0205
Level 1

Hi all,

With telnet/ssh or transport input all, I remain with the same result: unable to log in. There is a connection, however there is no login prompt.

fredareid
Level 1

What IP address are you using to connect to the device?
