Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
390
Views
0
Helpful
5
Replies

Unable to telnet from outside Cisco 880

minaezzat
Level 1
Level 1

‎03-01-2016 12:29 PM

Hi,

I am facing an issue with a cisco 880 router. I am not able to telnet to this router from outside using the public IP. I can ping the public ip and i can telnet the RTR from the inside.

Config file is attached for reference.

Appreciate if anyone can suggest the solution to it.

Labels:
Preview file
3 KB
0 Helpful
5 Replies 5

matthay
Cisco Employee
Cisco Employee

‎03-01-2016 01:38 PM

Hi minaezzat,

Would you mind sending me a snapshot of your topology? Specifically, are there any other networking devices between this router and the Internet?

Regards,

Matt

0 Helpful

minaezzat
Level 1
Level 1
In response to matthay

‎03-01-2016 03:28 PM

Hi Matt,
the network is very simple
this 880 router (internet router) connected to L3 Switch which make routing between the internal VLANs so it has a default route pointing to the router internal ip.
there is no any other devices in the network.

0 Helpful

matthay
Cisco Employee
Cisco Employee
In response to minaezzat

‎03-01-2016 05:43 PM

Thank you Minaezzat,

The first thing we need to do is check for basic connectivity.  Are you able to ping the outside interface of your router from a computer outside of your network?  If so, then please check your external ip using the following website ipchicken.com.

After confirming basic connectivity, we want to make sure that telnet traffic is reaching the router.  This can be done by applying an ACL to the outside interface (vlan799 in your case) using the following configuration:

conf t
!
ip access-list ex TELNETTEST
permit tcp host <ip from ipchicken.com> any eq 23
permit ip any any  

int vlan 799
ip access-group TELNETTEST in

After applying the access-list, attempt to connect to the outside interface of your router and check the counters on the ACL.  If you have matches, then your telnet traffic is arriving on your router. 

If telnet packets are arriving please enable the following debug, try and connect, and send me the output.  You will need to enable debug level syslogs in the loggging buffer and increase the buffer size from the default to ensure all of the relevant logs are gathered.  You can do this using the following configuration.

conf t
!
logging buffer 100000 7
!
end
debug telnet

Try to connect two or three times and collect the logs (show log) and send me the output.

These steps will allow us to ensure that the packets are arriving at your router and hopefully determine why telnet access is failing.  

Thank you for your time,

Matt

0 Helpful

minaezzat
Level 1
Level 1
In response to matthay

‎03-02-2016 12:12 AM

Dear Matthay,

actually i can't ping VLAN 799 IP from the outside
i can ping and trace route VLAN 10 IP

interface Vlan10
 ip address y.y.y.y 255.255.255.248 secondary
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1000
 load-interval 30

y.y.y.y is a public IP which i can ping .

0 Helpful

matthay
Cisco Employee
Cisco Employee
In response to minaezzat

‎03-03-2016 10:13 AM

Hi Minaezzat. Forgive me for the delay.

I noticed that your default route is pointing to an address that is in the same subnet as  the NAT outside address (z.z.z.z). I find it interesting that you don't have connectivity to this address and that you are attempting to connect using y.y.y.y. as your public IP considering it is the NAT inside address. Is your default route pointing to an ISP or to a network that is part of your organization?

0 Helpful
Customers Also Viewed These Support Documents