
Telnet session blocked

ahmed-aftab
Level 1

We have a branch office, and after allowing users to access the internet in the branch office I am unable to telnet to the branch office router from the internet. Given below is the router config of the branch office:

Building configuration...

Current configuration : 1901 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uiYN$LFoF7dtH2wm8haGjFIXRO/
!
no aaa new-model
!
resource policy
!
ip cef
!
username scg privilege 15 secret 5 $1$n1xQ$Rlf9XVA67WZ5lxPKPyUo90
!
controller DSL 0
 line-term cpe
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key x.x.x.x address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
crypto dynamic-map DMAP 1000
 set transform-set TSET
 set pfs group2
 match address 100
!
crypto dynamic-map vpn 20
 set pfs group5
 match address 100
!
crypto map SMAP 10 ipsec-isakmp dynamic DMAP
!
crypto map vpn 20 ipsec-isakmp dynamic vpn
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 switchport access vlan 10
!
interface FastEthernet1
 switchport access vlan 20
!
interface FastEthernet2
 switchport access vlan 30
!
interface FastEthernet3
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 94.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 crypto map SMAP
!
interface Vlan20
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan30
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 94.x.x.x
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Vlan10 overload
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip any any
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
!
scheduler max-task-time 5000
end


3 Replies

Haris P
Level 4

Dear,

Your NAT access-list 101 seems to have permit any any. Instead, define 101 as given below and please let me know the output after that:

!
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

Regards,

Haris

Dear Haris

Thank you for your kind support, it worked. Will you please explain how it does that, and did it have any effect on my VPN?

thanks & regards

Aftab Ahmed

Dear Aftab,

access-list 100 is for your VPN traffic.

All the traffic from your LAN 192.168.0.0/24 to your remote branch network should be matched by this ACL, and your statements were correct.

Access-list 101 was for your NAT access-list.

In this one you have to deny the VPN traffic and NAT all other traffic from your LAN (192.168.0.0/24) to the internet,

so your statement should be for NATting all traffic from your LAN to outside.

Is it clear? Please rate the useful comments.

Regards

Haris P
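The accepted answer hinges on two things: IOS ACLs are evaluated first-match with an implicit deny at the end, and on the inside-to-outside path NAT is applied before the crypto map is consulted. The following added example (not part of the thread, and not Cisco code) models both ACL 101 versions from this thread with IOS wildcard-mask matching and traces what the crypto map sees; the outside address 198.51.100.1 is a placeholder for the redacted 94.x.x.x Vlan10 address.

```python
import ipaddress


def wc(net, wild):
    """Encode an IOS 'network wildcard' pair; 0 bits in the wildcard must match."""
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))


def wc_match(addr, spec):
    net, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)


ANY = wc("0.0.0.0", "255.255.255.255")
LAN = wc("192.168.0.0", "0.0.0.255")
REMOTE1 = wc("192.168.1.0", "0.0.0.255")
REMOTE2 = wc("192.168.2.0", "0.0.0.255")

# access-list 100: crypto "interesting traffic", unchanged in the thread
ACL_100 = [("permit", LAN, REMOTE1), ("permit", LAN, REMOTE2)]
# access-list 101 as originally posted: NAT everything
ACL_101_OLD = [("permit", ANY, ANY)]
# access-list 101 as corrected by Haris: exempt VPN traffic, then NAT the LAN
ACL_101_NEW = [("deny", LAN, REMOTE1), ("deny", LAN, REMOTE2), ("permit", LAN, ANY)]

# Placeholder for the redacted 94.x.x.x address on Vlan10 (assumption)
OUTSIDE_IP = "198.51.100.1"


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit 'deny any any' at the end."""
    for action, s, d in acl:
        if wc_match(src, s) and wc_match(dst, d):
            return action == "permit"
    return False


def forward(nat_acl, src, dst):
    """Inside-to-outside order: NAT first, then the crypto map match.

    Returns (source address the crypto map sees, whether ACL 100 matches it).
    """
    if acl_permits(nat_acl, src, dst):
        src = OUTSIDE_IP  # PAT overload rewrites the source to the Vlan10 address
    return src, acl_permits(ACL_100, src, dst)
```

With the original ACL a LAN-to-remote packet is translated to the outside address first, so ACL 100 no longer matches it and it leaves the router in the clear; with the corrected ACL the same packet bypasses NAT and is encrypted. Note that the corrected ACL 101 only permits 192.168.0.0/24, so hosts on Vlan30 (10.1.1.0/24) are no longer translated at all.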