Help Configuring for Telnet from Remote Site

rlr685rlr
Level 1

I have a Cisco 804 that I want to simply set an access list on the vty lines to allow telnet from "outside". My ISP provides dynamic IP to the outside interface, so mapping that interface IP address isn't really an option. Can I somehow resolve my hostname to my outside host that I use for telnet? Following is my current running-config.

sh running-config

Building configuration...

Current configuration:
!
! Last configuration change at 17:46:56 UTC Sat Apr 23 2005
! NVRAM config last updated at 17:47:04 UTC Sat Apr 23 2005
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 804RouterCLIcfg
!
no logging monitor
enable secret xxxx
!
!
!
!
!
!
!
ip subnet-zero
!
ip dhcp pool DHCPpoolLAN_0
   network 192.168.0.0 255.255.255.0
   dns-server 216.229.xx.xx 216.229.xx.x 192.168.x.xx
   default-router 192.168.x.x
!
ip host [name xxx] 0.0.0.0 255.255.255.255
ip host 804Router 192.168.x.x
ip name-server 216.229.xx.xx
isdn switch-type basic-ni
!
!
!
interface Ethernet0
 ip address 192.168.x.x 255.255.255.0
 ip nat inside
!
interface BRI0
 bandwidth 160
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 xxxxxxxxxxxxxx
 isdn spid2 xxxxxxxxxxxxxx
 no cdp enable
 ppp authentication chap pap callin
 ppp multilink
!
interface Dialer1
 bandwidth 160
 ip address negotiated
 ip access-group 110 in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 300
 dialer string xxxxxxx
 dialer hold-queue 10
 dialer load-threshold 2 either
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxx
 ppp chap password xxxx
 ppp pap sent-username xxxxxx password xxxx
 ppp multilink
!
ip nat inside source list 1 interface Dialer1 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no logging trap
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 110 deny icmp any any echo
access-list 110 deny tcp any any range ftp 22
access-list 110 deny tcp any any eq smtp
access-list 110 deny tcp any any range 50 51
access-list 110 deny tcp any any eq domain
access-list 110 deny tcp any any range www 81
access-list 110 deny tcp any any eq pop3
access-list 110 deny tcp any any eq ident
access-list 110 deny tcp any any eq 143
access-list 110 deny tcp any any eq 259
access-list 110 deny tcp any any eq 389
access-list 110 deny tcp any any eq 443
access-list 110 deny tcp any any eq 449
access-list 110 deny tcp any any eq 500
access-list 110 deny tcp any any eq 522
access-list 110 deny tcp any any range 1024 1055
access-list 110 deny tcp any any eq 1720
access-list 110 deny tcp any any eq 5000
access-list 110 permit ip any any
access-list 111 deny udp any eq netbios-dgm any
access-list 111 deny udp any eq netbios-ns any
access-list 111 deny udp any eq netbios-ss any
access-list 111 deny tcp any eq 137 any
access-list 111 deny tcp any eq 138 any
access-list 111 deny tcp any eq 139 any
access-list 111 permit ip any any
dialer-list 1 protocol ip list 111
!
line con 0
 exec-timeout 60 0
 transport input none
 stopbits 1
line vty 0 4
 timeout login response 120
 password xxxxxx
 login
!
!
end

5 Replies

lgijssel
Level 9

Your provider may issue a dynamic DNS name to your account. This name should stay the same although the IP address changes. You can check this using the "nslookup" command on your PC. If this appears to be the case, you can refer to the DNS name instead of the IP address. That should solve your problem.

Regards,

Leo

I find the original post somewhat confusing. What I think I understand is that he wants to create an access list which will be used to control telnet access to the router. He believes that an access list will be difficult to construct because the destination address is not fixed and may change from time to time.

There is a simple solution which does not depend on knowing the destination address. This solution is to configure an access class on the vty ports. An access class generally uses a standard access list and is designed specifically to control remote access to the router. A configuration might look like this if there were three specific hosts and one subnet which you wanted to grant the ability to telnet to the router:

access-list 15 permit 102.102.102.5
access-list 15 permit 150.150.150.6
access-list 15 permit 160.160.160.1
access-list 15 permit 100.1.1.0 0.0.0.63
line vty 0 4
 access-class 15 in

One of the advantages of access-class is that you do not need to worry about which interface to assign it to, nor about which destination address to specify. Another advantage is that access-class only applies the list to packets whose destination is the router, whereas if you use access-group on an interface to control telnet, every packet coming into the interface has to be examined by the access list.

HTH

Rick
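As an added illustration (not part of Rick's reply), the following Python emulates how IOS evaluates a standard ACL applied with access-class: wildcard-mask matching, first match wins, and the implicit deny at the end. The entries are the ones from the access-list 15 example above; the source addresses tested against it are constructed.

```python
import ipaddress

# Constructed example: the standard ACL from Rick's reply, as (action, address,
# wildcard) tuples in configured order.  A host entry has an implicit wildcard
# of 0.0.0.0; in a wildcard mask a 0 bit must match and a 1 bit is ignored.
ACL_15 = [
    ("permit", "102.102.102.5", "0.0.0.0"),
    ("permit", "150.150.150.6", "0.0.0.0"),
    ("permit", "160.160.160.1", "0.0.0.0"),
    ("permit", "100.1.1.0", "0.0.0.63"),
]


def _matches(addr: str, entry_addr: str, wildcard: str) -> bool:
    """True if addr matches entry_addr under the IOS wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    e = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must be equal
    return (a & care) == (e & care)


def access_class_decision(acl, source_ip: str) -> str:
    """Emulate 'access-class <acl> in' on a vty line.

    Only the source address of the incoming Telnet connection is tested, which
    is why the router's own (dynamic) outside address never appears in the
    list.  Entries are checked top-down, first match wins, and anything left
    over hits the implicit 'deny' that ends every IOS ACL.
    """
    for action, entry_addr, wildcard in acl:
        if _matches(source_ip, entry_addr, wildcard):
            return action
    return "deny"  # implicit deny any


def permitted_range(entry_addr: str, wildcard: str) -> tuple:
    """First and last address covered by one ACL entry."""
    e = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    low = e & (0xFFFFFFFF ^ w)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | w))


if __name__ == "__main__":
    # Constructed source addresses: two inside the list, two outside it.
    for src in ("102.102.102.5", "100.1.1.63", "100.1.1.64", "203.0.113.9"):
        print(f"telnet from {src:>15}: {access_class_decision(ACL_15, src)}")
    print("100.1.1.0 0.0.0.63 covers", permitted_range("100.1.1.0", "0.0.0.63"))
```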


You understood my goal perfectly. In fact, I had set the last access-list (different IP and subnet, of course) you described. The implicit deny and application to vty is much simpler than the alternative. My only remaining problem is, the router that I am telnetting to is receiving a dynamic IP on the outside from an ISP. The router isn't part of a registered name domain, and the ISP hasn't happened to assign a static hostname as part of the ISP account the router is part of. Unless someone is at the site to tell me what IP address is hitting the router, how else can I direct a telnet session to it from my remote location? (The 100.1.1.0 0.0.0.63 subnet in your example.)

I designed a solution for a customer with a situation similar to yours. I assume that you are doing NAT (or PAT) to translate addresses of devices connected to the inside interface to addresses of the provider address space. For my customer we did not translate the inside addresses to the provider address space. We had the router establish IPSec with GRE tunnels to the headquarters site and ran a routing protocol over the tunnels. This allowed all devices in the customer network to access resources at these remote sites. To telnet to the router we would either telnet to the inside interface address or we would configure a loopback interface with an IP address, make sure that the loopback address was included in the routing protocol, and then telnet to the loopback interface address. And we use access-class on the vty ports to control who has remote access to the router.

HTH

Rick


Good, innovative solution. I'm just a trained CCNA with little experience, so actual implementation may be a little more difficult than my actual understanding of what you did, but I think I can get there. I think I can see how your customer could still access typical Internet services as usual, as well as other specific resources at the headquarters site. If I'm incorrect about typical Internet resources, let me know. Otherwise, with a little more self study and appropriate scheduling, I'll try to implement and provide a "resolved" mark here as appropriate. Thanks, Rick