Unable to TELNET to external router (1 way) in my 2-site home network

Mletendr1
Level 1

All,

I have been working on what I am willing to bet is a simple issue, but I just can't get past it.

SCENARIO:
I have a site in Illinois and a site in Connecticut. Each site is basically the same.
They each have a Cisco 2621 router running c2600-ipbase-mz.122-16.4.t image.
Each router has a NM-16-ESW card. Each FA0/0 is configured for DHCP from the broadband providers (Comcast/Atlantic BB).  I have included the running-config for the Connecticut site below.


From Connecticut, I can telnet to the IL router, and based on the NAT forward I have added, I am able to RDP to my workstation in IL.
From CT, I can telnet to both of the CT router Interface FA0/0 & 0/1.

From IL, I can ping the CT router, but I cannot telnet to it.

Other than that, both networks are working just fine from an operational perspective.
Email works, VPN to corp network works, my kids are able to stream multiple systems at the same time.
I am watching football through an RDP session from CT to IL, and sound and video is great.

Can you please review the run config below and maybe offer some insight as to what might be the issue?
Like I say, I have been working on this since Friday. I have been on this forum and several others.
I have reviewed over 150 documents. And while I have learned a lot about making small changes to improve overall function, I have not been able to find anything that will help resolve this telnet connection thing.

Building configuration...

Current configuration : 2239 bytes
!
! Last configuration change at 10:07:06 EDT Sun Oct 22 2017
! NVRAM config last updated at 09:05:55 EDT Sun Oct 22 2017
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CTDNLSN001
!
logging queue-limit 100
enable secret 5 $1$rSRO$O156CNXzcCNim8ZLW1urx.
enable password XXXXXXXX
!
clock timezone EASTERN -5
clock summer-time EDT recurring
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.200
ip dhcp excluded-address 192.168.1.251 192.168.1.255
!
ip dhcp pool INSIDE-DHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.2
dns-server 172.85.30.3 172.85.30.5
lease 30
!
ip cef
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
duplex auto
speed 100
!
interface FastEthernet0/1
description INSIDE-DHCO FA0/0
ip address 192.168.1.2 255.255.255.0
ip nat inside
duplex auto
speed 100
!
interface FastEthernet1/0
switchport priority override
no ip address
speed 100
!
interface FastEthernet1/1
no ip address
speed 100
!
interface FastEthernet1/2
no ip address
speed 100
!
interface FastEthernet1/3
no ip address
speed 100
!
interface FastEthernet1/4
no ip address
speed 100
!
interface FastEthernet1/5
no ip address
speed 100
!
interface FastEthernet1/6
no ip address
speed 100
!
interface FastEthernet1/7
no ip address
speed 100
!
interface FastEthernet1/8
no ip address
speed 100
!
interface FastEthernet1/9
no ip address
speed 100
!
interface FastEthernet1/10
no ip address
speed 100
!
interface FastEthernet1/11
no ip address
speed 100
!
interface FastEthernet1/12
no ip address
speed 100
!
interface FastEthernet1/13
no ip address
speed 100
!
interface FastEthernet1/14
no ip address
speed 100
!
interface FastEthernet1/15
no ip address
speed 100
!
interface Vlan1
no ip address
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
!
ip http server
!
access-list 1 permit any
access-list 1 permit 192.168.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
password XXXXXXX
login local
transport input pad telnet rlogin mop udptn v120
!
ntp clock-period 17180078
ntp server 129.6.15.28
!
!
end

+++++++++++++++++++++++++++++++++++++++++++++++++++++

Regards, 

Marty

 


Just to recap @Mletendr1

You are not able to telnet from CT to IL, right?

The Telnet connection is from CT's router or some PC connected to CT's router?

Any other communication is ok, right?

Both routers have DHCP on their interface with the ISP, right? How do you know to which IP address you need to send the Telnet request if you actually don't have access to see the IP address?

-If I helped you somehow, please, rate it as useful.-

No,

IL has been up and running for over a year. I can telnet to it from anywhere.

I have just added the CT site and I am in CT. I can telnet to IL.

I am unable to telnet to CT.

Well, both routers have the same config. Maybe you don't have a local problem. Maybe your service provider is blocking this connection. If I were you I'd talk to them.

-If I helped you somehow, please, rate it as useful.-

Once I turn up the router, I run a SHO INTER FA0/0 and it shows me the IP address. I test it by pinging it. I can ping the router in CT from IL and from my smart phone app.
As in the case of IL, my IP lease is 30 days, and I get the same IP each time it expires.
In CT, the IP expires every 4 hours. I still keep the IP but like I pointed out in my post from today, my IP address is 206.53.69.208/22

But the routing that I am getting from my ISP is

206.53.68.0/22
So I am guessing that while I can make connections outbound, 

 

Gateway of last resort is 206.53.68.1 to network 0.0.0.0

C 192.168.1.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [254/0] via 206.53.68.1
C 206.53.68.0/22 is directly connected, FastEthernet0/0
CTDNLSN001#

Routing is correct:

206.53.68.0/22
HostMin:   206.53.68.1        First IP   
HostMax: 206.53.71.254 Last IP

 

I have called them several times. But I am starting to believe it must be on their side.
Thanks much. I will make one more update after I call them before I mark this as resolved. 

In the original post you had configured under the vty lines login local. In subsequent configs you changed it to just login. Is that correct? Note that login local with no configured user name would fail authentication and produce pretty much the symptom of telnet not working.

 

Also there seems to be some confusion about your IP addressing. You say "my internet facing port is: 206.53.69.208/22". Then you seem to be concerned that the routing table indicates 206.53.68.0. With a /22 mask this would start at 206.53.68.0 and extend through 206.53.71.255 and clearly that does include your IP address.

 

I have seen some situations where doing nat with an access list that has permit any seems to impact doing telnet to the router. It might be worth changing access list 1 so that it just permits your network of 192.168.1.0. But if both routers are running exactly the same version of code and both have the access list with permit any and one of them works ok, then that suggests that the nat would not be the issue.

 

HTH

Rick
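The configuration points raised in the reply above (`login local` with no configured user name, and `access-list 1` starting with `permit any`) can be checked mechanically, along with the other management-plane settings visible in the posted config. This Python script is an added example, not part of any post in this thread; the function name and finding codes are illustrative assumptions, and the input is a constructed excerpt of the running-config posted above.

```python
import re

# Constructed excerpt: management-plane lines from the config posted above.
SAMPLE_CONFIG = """\
no service password-encryption
enable password XXXXXXXX
ip http server
access-list 1 permit any
access-list 1 permit 192.168.1.0 0.0.0.255
!
line vty 0 4
password XXXXXXX
login local
transport input pad telnet rlogin mop udptn v120
!
"""

def audit_ios_config(text):
    """Return sorted finding codes (names are illustrative, not Cisco's)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = set()
    if "no service password-encryption" in lines:
        findings.add("PLAINTEXT_PASSWORDS")      # type-0 passwords readable
    if any(l.startswith("enable password ") for l in lines):
        findings.add("ENABLE_PASSWORD_SET")      # weaker than 'enable secret'
    if "ip http server" in lines:
        findings.add("HTTP_SERVER_ON")           # unencrypted web management
    # ACLs are evaluated top-down: entries after 'permit any' never match.
    wide_open = set()
    for l in lines:
        m = re.match(r"access-list (\d+) (permit|deny) (.+)", l)
        if m and m.group(1) in wide_open:
            findings.add("ACL_ENTRY_SHADOWED")
        elif m and m.group(2, 3) == ("permit", "any"):
            wide_open.add(m.group(1))
    # Collect 'line vty' sub-commands. The pasted config has no indentation,
    # so a block ends at '!', 'end' or the next 'line ...' header.
    in_vty, vty = False, []
    for l in lines:
        if l.startswith("line "):
            in_vty = l.startswith("line vty")
        elif l in ("!", "end"):
            in_vty = False
        elif in_vty:
            vty.append(l)
    if "login local" in vty and not any(l.startswith("username ") for l in lines):
        findings.add("LOGIN_LOCAL_NO_USER")      # the login failure described above
    if any(l.startswith("transport input") and "telnet" in l.split() for l in vty):
        findings.add("TELNET_ENABLED")           # credentials cross in clear text
    if vty and not any(l.startswith("access-class ") for l in vty):
        findings.add("VTY_NO_ACCESS_CLASS")      # no source restriction on vty
    return sorted(findings)
```

Calling `audit_ios_config(SAMPLE_CONFIG)` reports all seven codes for the posted excerpt; a config with a `username` entry, `transport input ssh` and an `access-class` on the vty lines reports none of the vty findings.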

Hi Rich, 

 

Thanks for the info. I have read many of your solutions on this site. Very helpful. So please accept my many thanks for all the work you have done with others, as it has helped me a lot.

I have made many changes over the last week. Including the Permit 192.168.1.0, and it did not help. And to your point about both sites are identical. I agree. I went so far as, this morning, I telnet'd to the IL site, copied the startup-config and copied it to CT. I made the obvious changes: host name, and DNS-Servers for DHCP, updated the clock configs. 
Saved it to running config and write to mem.
Now these 2 systems are literally running the same config. And it still will not let me in.
I have opened a ticket with Atlantic BB (my ISP) and I am waiting for a tier 3 engineer to call me back. As I mentioned in my last post, once I work with them, I will post another (or final) update.

Thanks again.

Marty

 

Marty

 

Thank you for the kind words. I am glad that you have found my contributions to be helpful.

 

I agree that it may be helpful to talk about this with your ISP. But I am not convinced that they are blocking the telnet traffic. In a post early in this discussion you posted debug output which shows that your router is receiving (and sending) telnet traffic.

Oct 23 00:04:14.144: TCP66: Telnet sent DO WINDOW-SIZE (31)
Oct 23 00:04:14.156: TCP66: Telnet received WILL WINDOW-SIZE (31)
Oct 23 00:04:14.156: TCP66: Telnet received WILL TTY-SPEED (32) (refused)
Oct 23 00:04:14.156: TCP66: Telnet sent DONT TTY-SPEED (32)
Oct 23 00:04:14.160: TCP66: Telnet received WILL TTY-TYPE (24)

If the ISP were blocking then how are you receiving those telnet packets?

 

In addition to making sure that the configs are the same it would be nice to verify that they are running exactly the same code. Would you post the output of show version from both routers (looking especially for the image name in the output).

 

HTH

 

Rick

Rich, 

 

The info you requested is listed below.

I had to load the IOS to each router just to make the NM-16-ESW card work.

I only have 1 image that supports the card, so I know they are the same.

Illinois is in Blue / Connecticut is in Green 

As for the debug data, it only appeared when I ran telnet from inside Connecticut. 
When I telnet from IL, there is no debug data.

 

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IPBASE-M), Version 12.2(16.4)T, MAINTENANCE INTERIM SOFTWARE
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Wed 26-Feb-03 15:34 by ccai
Image text-base: 0x80008098, data-base: 0x80F894A8

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-IPBASE-M), Version 12.2(16.4)T, MAINTENANCE INTERIM SOFTWARE
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.

ILROUND001 uptime is 1 week, 4 days, 6 hours, 35 minutes
System returned to ROM by reload
System restarted at 05:49:50 CDT Fri Oct 13 2017
System image file is "flash:c2600-ipbase-mz.122-16.4.T"

cisco 2621 (MPC860) processor (revision 0x102) with 59392K/6144K bytes of memory.
Processor board ID JAB0352012X (1671350487)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.

 


Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IPBASE-M), Version 12.2(16.4)T, MAINTENANCE INTERIM SOFTWARE
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Wed 26-Feb-03 15:34 by ccai
Image text-base: 0x80008098, data-base: 0x80F894A8

ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-IPBASE-M), Version 12.2(16.4)T, MAINTENANCE INTERIM SOFTWARE
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.

CTDNLSN001 uptime is 16 hours, 34 minutes
System returned to ROM by power-on
System restarted at 20:53:16 EASTERN Mon Oct 23 2017
System image file is "flash:c2600-ipbase-mz.122-16.4.t"

cisco 2621XM (MPC860P) processor (revision 0x401) with 124928K/6144K bytes of memory.
Processor board ID JHY0915K0C6 (436613089)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.

Marty

 

Thank you for the information confirming that both routers are running exactly the same code. Even a small difference in version can cause differences in behavior between two routers. But that is obviously not the case here.

 

I misunderstood the context of the debug output. Just to be sure that I am asking the right question - if you turn on debug telnet on the CT router and attempt to telnet from IL to CT then there is no debug output? You have tested this condition? If you have tested exactly this and got no output, then it does point toward the ISP filtering that traffic.

 

HTH

 

Rick

Rick, 

 

That is exactly correct. I just ran it again to verify.

Telnet from IL does nothing. The sessions timed out.
Telnet from CT and I get the same output as yesterday.

 

Thanks again for all your help. I will mark this as resolved.

If I get a resolution from the ISP, I will add it in for future reference.

You guys really Rock!!

Marty

 

I am glad that our suggestions have been helpful. I look forward to reading what your ISP says and whether they are indeed blocking the telnet traffic. The fundamental issue was that you had two routers that were exhibiting different behavior and we followed a good methodology in examining this issue.

First we looked for issues in the config that might cause the different behavior. You verified that other than a few obvious differences (host name, IP address) they were using the same config.

Second when we were sure that it was not a config issue we looked for differences in IOS version.

Third when we were sure that both routers were running the same version of code we looked for differences in their operating environment. I hope that this does lead you to finding the source of the problem.

 

HTH

 

Rick