05-18-2017 01:55 PM
Hi
I am using a 1941 router. I am able to telnet to or ping it from one of my systems, but I am not able to telnet to it from my laptop or other devices.
I want to know how I can telnet to the router from my device, as well as permit others to telnet to it.
I would appreciate your support.
Solved! Go to Solution.
05-18-2017 03:57 PM
Hi
Stupid question, but can you ping this device from your laptop?
Then you first need to take a look at your router's vty lines to see if an ACL has been applied to restrict who can access it, and modify it if necessary.
If there is no ACL there, you'll need to check if there is an ACL on your core switch, or even a firewall in between, restricting telnet access.
On your Windows machine, do you have any firewall rules restricting access for the telnet protocol?
Can you give more details on the config and/or topology so we can help you out with this issue?
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
05-20-2017 11:14 AM
You mention the particular host which can telnet and ping any of the devices and seem to group telnet and ping together. But to answer your question we need to treat them separately. What would allow you to telnet would not necessarily allow you to ping. And what would allow you to ping would not necessarily allow you to telnet.
So let us look first at telnet. To begin we need to recognize that telnet uses the vty ports and control over telnet access is done with the vty ports. The one router that you have shown us uses access-class on its vty ports. Would we be correct to assume that other devices in your network also use access-class on their vty ports? If so then to permit your new laptop (or any other device) to telnet you would need to add an entry in the access list used by access-class to permit the IP of the laptop. You would need to do this on every network device to which you want to telnet.
Control of the ability to ping does not involve the vty ports. So the operation of access-class does not have any impact on ping. If you want to control the ability to ping the network device then you would need to use an access list applied using access-group on the interfaces of the network device. In the access list you could deny ping packets where the destination address of the ping was an interface address of the network device. After denying the ping packets the access list should then permit other traffic. Note that to implement this you would need to deny ping with destination address of any of the device IP addresses (probably needs multiple deny statements). And you would probably need to apply the access list using access-group on each of the interfaces of the network device.
In my experience with many customer networks it is common to want to control telnet (and SSH) access using access-class. It is not very common to want to control ping within the network. Of course you can apply any policy that you believe is appropriate for your network.
HTH
Rick
05-18-2017 05:14 PM
I agree with Francesco that we cannot give good answers to your question until it is clarified what is causing the restriction. He asks if you can ping the device from your laptop, which is a good way to determine if there is any issue with routing or IP connectivity, which certainly could be a cause of the issue. He also asks about access list restriction (access-class on the vty), and in my experience this is the most common cause of symptoms like what you are experiencing.
Once we have a better understanding of what is causing the restriction then we will be able to advise how to resolve it.
HTH
Rick
05-20-2017 07:19 AM
My concern is that I have configured a new laptop which is in the LAN network.
I hope this will help you solve my problem; I would also request that you please explain the commands below.
ip access-list extended PRO
deny udp any any eq 1434
deny tcp any any eq 139
deny tcp any any eq 138
deny tcp any any eq 137
deny udp any any eq netbios-ss
deny udp any any eq 445
deny tcp any any eq 4444
deny udp any any eq 135
deny udp any any eq tftp
deny udp any any eq 995
deny udp any any eq 996
deny udp any any eq 998
deny udp any any eq 999
deny udp any any eq 8998
permit ip any any
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
ip access-list extended all
deny icmp any any timestamp-request
deny icmp any any timestamp-reply
permit icmp any any
line con 0
password 7 070C285F4D06
logging synchronous
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 1 in
exec-timeout 5 0
password 7 15331D4D17607A767B70
login local
transport input telnet ssh
line vty 5
access-class 1 in
exec-timeout 5 0
no login
transport input ssh
line vty 6 15
login
transport input ssh
!
scheduler allocate 20000 1000
!
end
Thank you !
05-20-2017 07:45 AM
Hi
The access-lists you're showing are not applied on your line vty. The one applied is access-list 1; you can view it under the line vty config. You have access-class 1 in, which means this ACL is filtering access to this device by either telnet and/or SSH.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
05-20-2017 08:28 AM
Thank you for the additional information. It does make clear that you have access-class applied to your vty. As Francesco has explained your access-class is using access list 1 (which is not included in the post) to limit what devices can telnet to your router. If you want the new laptop to be able to access the router then you need to add to access list 1 a permit for the address of the laptop.
You have posted two access lists and I can comment on a couple of things about them:
- the access list called PRO starts by denying a series of particular protocol ports and then has a permit ip any any which allows all other traffic.
- note that the access list PRO has two more statements after the permit any any
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
These lines will never be matched because the access list is processed sequentially and the permit any any matches all traffic.
- the access list called all denies icmp packets for timestamp and permits all other icmp. Note that this access list does not match any other type of IP traffic.
- we do not know what these access lists are doing because we do not know how these access lists are applied.
HTH
Rick
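As an added illustration (not code from the thread or from Cisco), the following models the two points Rick makes: IOS evaluates an access list top-down and stops at the first match, so the two netbios entries placed after `permit ip any any` in PRO are unreachable; and access-class on the vty lines checks only the source of a telnet/SSH session, while filtering ping needs an access-group on the interfaces. The router addresses, the admin host, the laptop and the contents of access-list 1 (never shown in the thread) are assumed.

```python
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"

def match(ace, pkt):
    """One entry (action, proto, src, dst, port) against a packet dict.
    'port' is the TCP/UDP destination port, the ICMP type, or None for any."""
    action, proto, src, dst, port = ace
    return (proto in ("ip", pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(src)
            and ip_address(pkt["dst"]) in ip_network(dst)
            and port in (None, pkt.get("port")))

def evaluate(acl, pkt):
    """Top-down, first match wins; no match hits the implicit deny at the end."""
    for i, ace in enumerate(acl):
        if match(ace, pkt):
            return ace[0], i
    return "deny", None

def unreachable(acl):
    """Indices of entries after a 'permit ip any any'; they can never match."""
    for i, (_, proto, src, dst, port) in enumerate(acl):
        if (proto, src, dst, port) == ("ip", ANY, ANY, None):
            return list(range(i + 1, len(acl)))
    return []

# The posted PRO list, shortened: netbios-ns/-dgm (udp 137/138) sit after the permit.
PRO = [("deny", "udp", ANY, ANY, 1434), ("deny", "tcp", ANY, ANY, 139),
       ("permit", "ip", ANY, ANY, None),
       ("deny", "udp", ANY, ANY, 137), ("deny", "udp", ANY, ANY, 138)]

# Assumed (not in the thread): router interface addresses, admin host, new laptop.
ROUTER = ["10.0.0.1", "192.0.2.1"]
ADMIN, LAPTOP = "10.0.0.10", "10.0.0.25"
# access-list 1 is not shown in the thread; assume it permits only the admin host.
ACL1 = [("permit", "ip", ADMIN + "/32", ANY, None)]

def vty_allows(acl1, src):
    """access-class: only the source of the telnet/SSH session is checked."""
    pkt = {"proto": "tcp", "src": src, "dst": ROUTER[0], "port": 23}
    return evaluate(acl1, pkt)[0] == "permit"

def with_host(acl1, host):
    """The fix described: 'permit host <laptop>' added to access-list 1."""
    return [("permit", "ip", host + "/32", ANY, None)] + acl1

# access-group on the interfaces: deny echo-request (ICMP type 8) to each router
# address, one deny per address, then permit all other traffic.
NO_PING = [("deny", "icmp", ANY, ip + "/32", 8) for ip in ROUTER] + [("permit", "ip", ANY, ANY, None)]

def interface_allows(acl, pkt):
    return evaluate(acl, pkt)[0] == "permit"
```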
05-20-2017 09:46 AM
Thank you for the timely and helpful replies.
Please let me know one thing. As I also mentioned, in our scenario there is a particular host IP which has all the access in our network; it can telnet to any of our branch routers or ping any of the devices in the LAN & WAN.
Kindly suggest how this can be done, as I want to apply these access rights to my LAN IP.
05-20-2017 08:44 PM
Great, thanks for your explanation.
05-23-2017 07:52 AM
You are welcome. I am glad that you have found our explanations helpful. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions that have helpful information.
HTH
Rick