Solved: Re: Telnet connection from home network

sany98 · ‎05-16-2018

Hi

I'm trying to setup my first home lab but I'm having an issue with telnet from my home network. I have successful connected an router 2811, switch 3560v2 and an pc1. 2811 gets internet access form my home router (netgear) and switch and pc1 gets access through 2811. I can ping 2811 from pc1(192.168.2.2) and have access through telnet. When I try to telnet from pc2(192.168.1.2) to 2811 it doesn't work, however I can ping 2811 and I get answer but no telnet connection. Thank you in advance!

Here is config print:

R3#show running-config

Building configuration...

Current configuration : 1129 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R3

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$lC3V$eShhVLFZQqb2inIdLkRDF0

!

no aaa new-model

!

resource policy

!

ip subnet-zero

!

ip cef

no ip dhcp use vrf connected

!

ip dhcp pool labuser

network 192.168.2.0 255.255.255.0

default-router 192.168.2.1

dns-server 8.8.8.8

!

no ftp-server write-enable

!

interface FastEthernet0/0

ip address dhcp

ip nat outside

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 192.168.2.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface Serial0/0/0

no ip address

shutdown

clockrate 2000000

!

interface Serial0/0/1

no ip address

shutdown

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.1.254

!

no ip http server

no ip http secure-server

ip nat inside source list 1 interface FastEthernet0/0 overload

!

access-list 1 permit any

!

control-plane

!

line con 0

line aux 0

line vty 0 4

password cisco

login

!

scheduler allocate 20000 1000

!

end

R3#

Richard Burts · ‎05-16-2018

I believe that the drawing is pretty clear that the router is learning an IP address in the 192.168.1 network via dhcp. So the default route should be ok.

I suspect that the issue with telnet is that the 2811 is configured to do address translation for EVERY packet with source address in 192.168.2 to any destination and is therefore translating the telnet traffic. You probably want to change the ACL so that it does not translate traffic to the 192.168.1 network.

HTH

Rick

HTH

Rick

View solution in original post

Georg Pauwen · ‎05-16-2018

Hello,

the default route looks odd, since you don't have a local interface in the same segment:

ip route 0.0.0.0 0.0.0.0 192.168.1.254

There needs to be an interface in the 192.168.1.0/24 range on your 2811 in order for the default route to work.

On the VTYlines, configure the line in bold:

line vty 0 4
password cisco
login

transport input telnet

Richard Burts · ‎05-16-2018

I believe that the drawing is pretty clear that the router is learning an IP address in the 192.168.1 network via dhcp. So the default route should be ok.

I suspect that the issue with telnet is that the 2811 is configured to do address translation for EVERY packet with source address in 192.168.2 to any destination and is therefore translating the telnet traffic. You probably want to change the ACL so that it does not translate traffic to the 192.168.1 network.

HTH

Rick

HTH

Rick

sany98 · ‎05-17-2018

Thank you Richard! Your suggestion worked! Here is how:
Router(config)#access-list 1 permit 192.168.1.2 0.0.0.0
Router(config)#line vty 0 4
Router(config-line)#access-class 1 in

Thanks again!

Richard Burts · ‎05-17-2018

You are welcome. I am glad that my suggestions were helpful.

HTH

Rick

HTH

Rick

sany98 · ‎05-18-2018

Hi again

Now I have another issue. Telnet works now from pc 192.168.1.2 but pc 192.168.2.2 lost the internet access. It works with permit any, but when I change back to permit 192.168.1.2 it doesn't.

Richard Burts · ‎05-18-2018

The issue here is that you are now using the same access list for two different purposes. In the original post you used access list 1 for the purpose of controlling address translation. There was no access class on your vty lines.

I suggested that the problem was that access list 1 used permit any and this results in translating the attempt to telnet. You then made several changes in the config. You added access class on the vty and you have access class use the same ACL as address translation and you changed access list 1 to remove permit any and replace it with a permit for pc1. The result of this is that traffic from 192.168.2.2 is no longer translated and therefore no longer has Internet access.

I am not sure why you added access class. But using the same access list for both purposes creates this problem. If you want to keep using access class then it needs an ACL different from what nat uses.

HTH

Rick

HTH

Rick

sany98 · ‎05-18-2018

So, If I remove access class, can I simply add new access list 2 with permit any and keep access list 1. Sorry for so many questions but I 've just started my cisco journey :).

Richard Burts · ‎05-21-2018

To respond to your question we need to understand what you will use the access lists for. When an access list is configured it does not do anything on its own. The access list must be applied to something. In the original post you have access list 1 and applied it to address translation. Then you changed the access list and applied the access list to access class. It appears that you were using the same access list for two purposes, which might be all right if the logic in the access list was appropriate for both purposes. But the logic that you need for address translation is probably not the same logic that you need for access class.

The simple answer to your question is that yes you can add access list 2 and keep access list 1. But the really correct answer to the question depends on how you will apply each of the ACL.

HTH

Rick

HTH

Rick

sany98 · ‎05-23-2018

Here is my next challenge

I have added two more of each to my lab setup: routers, switches an pc/laptops, and here is what i have done so far. All routers/pc have internet access, R2 and R3 using ip nat inside on serial ports to get access from R1. Everything works like it should, telnet, ping (from pc 1,2 and 3 to all switches and routers). However from my HomePC i can only telnet into R1 (192.168.1.88) and ping works also. What do i have to do to get the access to 192.168.2, 192.168.3 and 192.168.4 from my HomePC?

here is my static routing setup and the acl on R1:

ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 11.0.0.0 255.0.0.0 11.0.0.1
ip route 12.0.0.0 255.0.0.0 12.0.0.2
ip route 192.168.4.0 255.255.255.0 11.0.0.1
ip route 192.168.3.0 255.255.255.0 12.0.0.2
!
access-list 1 permit any

sany98 · ‎05-23-2018

Is there anyone who can help me? I have tried back and forward with ip route and acl but I'm probably doing it wrong.

Georg Pauwen · ‎05-23-2018

Hello,

is this a Packet Tracer project ? If so, post the project (pkt) file (rename the .pkt to .jpg first, otherwise the system won't let you upload)...

sany98 · ‎05-23-2018

Hi

Its a real setup, with real routers, switches and laptops in my basement. Packet tracer is just for showing purpose and its not fully complete.

Richard Burts · ‎05-23-2018

Your new config changes mention networks 11.0.0.0 and 12.0.0.0. But I do not see them in your diagram. What are they? Where are they?

HTH

Rick

HTH

Rick

sany98 · ‎05-23-2018

Its serial connections between R2, R1 and R3. I have updated my screenshot a little. It should be enough now.