16 Replies. Latest reply: Nov 6, 2015 2:10 AM by Nuno

    Can't telnet router from outside

    Saleem

      I'm able to telnet using internal IPs but not from outside. There is no ACL. Kindly advise.

        • 1. Re: Can't telnet router from outside
          HMR

          Hi Saleem,

          Which router do you have? Kindly post the running-config; that will help to find the problem in a more concise way.

          • 2. Re: Can't telnet router from outside
            Saleem

            Hi HMR,

            Please find the running config below.

            RO#sh run
            Building configuration...

            Current configuration : 6059 bytes
            !
            version 12.4
            service timestamps debug datetime msec
            service timestamps log datetime msec
            service password-encryption
            !
            hostname RO-XYZ
            !
            boot-start-marker
            boot system flash c2800nm-adventerprisek9-mz.124-25f.bin
            boot-end-marker
            !
            logging buffered 4096 debugging
            enable secret 5 $1$.jbF$pnkYoEPHEKEFuUZ5Nl.bH1
            !
            no aaa new-model
            !
            !
            ip cef
            no ip dhcp use vrf connected
            ip dhcp excluded-address X.X.X.1 X.X.X.25
            ip dhcp excluded-address X.X.X.1 X.X.X.25
            !
            ip dhcp pool XYZ-DATA
               network X.X.X.0 255.255.255.0
               default-router X.X.X.1
               dns-server X.X.X.1
            !
            ip dhcp pool XYZ-VOICE
               network X.X.X.0 255.255.255.0
               default-router X.X.X.1
               option 176 ascii MCIPADD=10.70.3.5,MCPORT=1719,L2Q=1,L2QVLAN=3,VLANTEST=60
               option 242 ascii MCIPADD=X.X.X.5,MCPORT=1719,L2Q=1,L2QVLAN=3,VLANTEST=60,HTTPSRVR=0.0.0.0
               dns-server X.X.X.1
            !
            !
            ip flow-cache timeout inactive 10
            ip flow-cache timeout active 5
            ip domain name XYZ-ins.com
            ip host autodiscover.saicoins.com X.X.X.30
            ip host citrixapps.XYZ-ins.com X.X.X.101
            ip host outlook.XYZ-ins.com X.X.X.230
            ip host mail.XYZ-ins.com X.X.X.30
            ip host auhcdr.XYZ-ins.com X.X.X.84
            ip host itsupport.XYZ-ins.com X.X.X.73
            ip host autodiscover.XYZ-ins.com X.X.X.30
            ip host proxy.XYZ-ins.com X.X.X.30
            ip name-server 8.8.8.8
            ip name-server 8.8.4.4
            ip auth-proxy max-nodata-conns 3
            ip admission max-nodata-conns 3
            ip ddns update method DynDNS
            HTTP
              add http://035CsI-XYZ-ddns:XYZDDNS-2k11@members.dyndns.org/nic/update?system=dyndns&hostname=rt-auh-XYZ.XYZ-ins.com&myip=<a>
            interval maximum 28 0 0 0
            interval minimum 28 0 0 0
            !
            !
            !
            voice-card 0
            no dspfarm
            !
            crypto pki token default removal timeout 0
            !
            username cisco privilege 15 secret 5 $1$jPW0$RyWBKPLJbK4sKVdK2XW6I.
            username admin password 7 06070B731C1F59170A01
            archive
            log config
              hidekeys
            !
            crypto isakmp policy 10
            encr 3des
            authentication pre-share
            crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
            !
            crypto ipsec security-association replay window-size 1024
            !
            crypto ipsec transform-set ESP-3DES esp-3des
            mode transport
            !
            crypto ipsec profile DMVPN
            set transform-set ESP-3DES
            !
            bba-group pppoe global
            !
            !
            interface Tunnel0
            bandwidth 4000
            ip address X.Y.Z.72 255.255.255.0
            no ip redirects
            ip mtu 1400
            ip flow egress
            no ip next-hop-self eigrp 10
            ip nat inside
            ip nhrp authentication cisco
            ip nhrp map multicast dynamic
            ip nhrp map multicast A.B.C.D
            ip nhrp map X.Y.Z.1 A.B.C.D
            ip nhrp network-id 1000
            ip nhrp holdtime 360
            ip nhrp nhs X.Y.Z.1
            ip nhrp registration no-unique
            ip virtual-reassembly
            ip tcp adjust-mss 1370
            no ip split-horizon eigrp 10
            ip summary-address eigrp 10 10.72.0.0 255.255.0.0 5
            delay 1000
            tunnel source Dialer1
            tunnel destination A.B.C.D
            tunnel key 12345
            tunnel path-mtu-discovery
            tunnel protection ipsec profile DMVPN
            !
            interface FastEthernet0/0
            description Connection To LAN
            no ip address
            duplex auto
            speed auto
            !
            interface FastEthernet0/0.2
            description Connecting VLAN2::DATA
            encapsulation dot1Q 2
            ip address X.X.X.1 255.255.255.0
            ip flow ingress
            ip flow egress
            ip nat inside
            ip virtual-reassembly
            !
            interface FastEthernet0/0.3
            description Connecting VLAN2::VOICE
            encapsulation dot1Q 3
            ip address X.X.X.1 255.255.255.0
            ip flow ingress
            ip flow egress
            ip nat inside
            ip virtual-reassembly
            !
            interface FastEthernet0/1
            description Connecting To INTERNET DMVPN
            no ip address
            duplex auto
            speed auto
            pppoe enable group global
            pppoe-client dial-pool-number 1
            !
            interface Dialer1
            ip ddns update DynDNS
            ip address negotiated
            ip mtu 1492
            ip nat outside
            ip virtual-reassembly
            encapsulation ppp
            ip tcp adjust-mss 1300
            no ip mroute-cache
            dialer pool 1
            dialer idle-timeout 0
            dialer persistent
            dialer-group 1
            ppp authentication pap callin
            ppp chap refuse
            ppp pap sent-username xyz password 7 xyz
            ppp ipcp dns request
            !
            router eigrp 10
            redistribute connected route-map EIGRP2**
            network X.Y.Z.0 0.0.0.255
            no auto-summary
            !
            ip forward-protocol nd
            ip route 0.0.0.0 0.0.0.0 Dialer1
            ip route 10.0.0.0 255.0.0.0 Tunnel0 250
            !
            ip dns server
            ip dns primary XYZ-ins.com soa ns.XYZ-ins.com peter@XYZ-ins.com 21600 900 7776000 86400
            ip flow-export version 5
            ip flow-top-talkers
            top 40
            sort-by bytes
            cache-timeout 6000
            !
            no ip http server
            ip http authentication local
            no ip http secure-server
            ip http timeout-policy idle 600 life 86400 requests 10000
            ip nat inside source list 10 interface Dialer1 overload
            !
            !
            ip prefix-list EIGRP2** seq 10 permit X.X.X.0/24
            ip prefix-list EIGRP2** seq 15 permit 10.72.0.0/16
            access-list 10 permit X.X.X.0 0.0.0.255
            access-list 10 permit X.X.X.0 0.0.0.255
            snmp-server community XYZ RW
            snmp-server community public RO
            snmp-server trap-source FastEthernet0/0.3
            snmp-server enable traps snmp authentication
            snmp-server enable traps tty
            snmp-server host X.X.X.244 XYZ  snmp
            !
            route-map EIGRP2** permit 10
            match ip address prefix-list EIGRP2**
            !
            !
            !
            control-plane
            !
            gateway
            timer receive-rtp 1200
            !
            line con 0
            login local
            line XYZ 0
            line vty 0 4
            privilege level 15
            password 7 1511021F0725
            login local
            transport input all
            line vty 5 15
            privilege level 15
            password  xyz
            login
            transport input all
            !
            scheduler allocate 20000 1000
            !
            end

            • 3. Re: Can't telnet router from outside
              HMR

              Hi Saleem,

              Which interface are you trying to telnet to, and from where?

              • 4. Re: Can't telnet router from outside
                Saleem

                I'm trying to telnet to Dialer1.

                • 5. Re: Can't telnet router from outside
                  Nuno

                  Look at the ACLs which are allowing or denying entries from outside interfaces.

                  access-list 10 permit X.X.X.0 0.0.0.255
                  access-list 10 permit X.X.X.0 0.0.0.255

                  Check if the ranges are preventing you from accessing it.
                  Frankly, I really wouldn't telnet from an outside network (internet) to an inside corporation even through a VPN; switch to SSH.

                  NL

                  • 6. Re: Can't telnet router from outside
                    Joshua Johnson - CCNP R&S

                    Looks like you are playing with your production router... I telnet and ssh through IPsec all the time from the outside, Nuno, AKA working from home.

                    You are going to have to describe your network in its entirety for us to tell you what is going on...

                    • 7. Re: Can't telnet router from outside
                      Nuno

                      Hey Josh, how's it going, mate.

                      I know, call me paranoid, but this is something that creates an itch in me, knowing that even though my data is going through the encrypted tunnel, all the data is sent in clear text! But this is just me and my paranoid mind.

                      It's kinda strange that people just dump semi-questions in here with no preparation or background information, expecting that somehow a "cisco-wizard" will come up and "Shazam!" solve the problem.

                      Regards

                      • 8. Re: Can't telnet router from outside
                        HMR

                        Hi Nuno,

                        ACL 10 is being used for NAT, not for filtering. It's not applied to any interface.

                        • 9. Re: Can't telnet router from outside
                          HMR

                          Hi Saleem,

                          You are trying to telnet to the Dialer1 interface, but it doesn't have a static IP configured. I think this could be an issue.

                          • 10. Re: Can't telnet router from outside
                            Saleem

                            I have around 14 branches and all of them have dynamic IPs. Just in case of any emergency, I would telnet to them. HMR is right: the ACL is being used for NAT, not applied to any interface.

                            • 11. Re: Can't telnet router from outside
                              malikyounas

                              Usually the issue is related to NAT, where the router is doing NAT for all traffic, but that's not the case here: you have a NAT ACL which is doing NAT for specific subnets only, and I hope the dynamic IP address isn't covered in this range. I would try to check the IP packet debug, 'debug ip packet 10', and use ACL 10 to identify your source address. It will give you an idea of what the router is seeing and whether there is some NAT issue or routing issue.

                              • 12. Re: Can't telnet router from outside
                                Nuno

                                Tell me, how are you authenticating your access, in this case telnet access? Is it AAA-based access? Which device is authenticating, the router? If so, this is what I would have configured in the vty lines:

                                This is what you have:

                                line vty 5 15
                                privilege level 15
                                password  xyz
                                login
                                transport input all

                                I would configure it like this:

                                line vty 0 4
                                login
                                privilege level 15
                                password xxxx
                                transport input telnet ssh (or all)
                                login local
                                !
                                line vty 5 15
                                privilege level 15
                                password  xyz
                                login
                                transport input telnet ssh (or all)
                                login local
                                !
                                end

                                Secondly, this is what you stated: "I'm able to telnet using internal IPs but not from outside."
                                Are the NAT translations allowing you to NAT from your local source, or are you just able to telnet through your ISP range?
                                I would match a statement in an ACL matching your own IP address. In case of a dynamic IP from your home ISP I would use DynDNS or, as a less secure alternative, a range of IP addresses from your home ISP; you can gather all the IP addresses which are attributed to you by your ISP, and usually that doesn't change much these days.

                                PS: I might not be able to clearly see the problem here; you might be more specific though. Show us your network design. Is there an edge firewall filtering the traffic?

                                NL
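The vty hardening argued over in posts 5 and 12 (telnet exposed through `transport input all`, no `access-class` limiting source addresses, shared line passwords) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the `line vty` sections of an IOS running-config and reports those weak settings. SAMPLE_CONFIG is constructed for the example, modelled on the posted config but using documentation-range addresses and an invented `MGMT-SOURCES` access list.

```python
"""Audit the `line vty` sections of a Cisco IOS running-config.

Added example (not from the thread). Flags: telnet accepted via
`transport input all`/`telnet`, missing `access-class`, reversible (type 7)
or plaintext line passwords, and bare `login` (shared line password only).
SAMPLE_CONFIG is constructed for this example; MGMT-SOURCES is invented.
"""

SAMPLE_CONFIG = """\
hostname RO-XYZ
!
ip access-list standard MGMT-SOURCES
 permit 198.51.100.10
!
line con 0
 login local
line vty 0 4
 privilege level 15
 password 7 1511021F0725
 login local
 transport input all
line vty 5 15
 privilege level 15
 password xyz
 login
 transport input ssh
 access-class MGMT-SOURCES in
!
end
"""

FINDINGS = {
    "telnet-allowed": "telnet is accepted; credentials cross the network in clear text",
    "no-access-class": "no access-class: any address that reaches the interface may try to log in",
    "weak-line-password": "line password is plaintext or type 7 (reversible); prefer per-user secrets",
    "line-password-login": "bare 'login' authenticates with the shared line password only",
}


def parse_sections(config_text):
    """Split an IOS config into (header, [sub-commands]) pairs.

    IOS indents sub-commands by one space under their parent line and uses
    '!' as a separator; a non-indented line starts a new section.
    """
    sections, current = [], None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
            continue
        current = (raw.strip(), [])
        sections.append(current)
    return sections


def audit_vty(config_text):
    """Return [(vty header, finding code), ...] for every weak vty setting."""
    findings = []
    for header, body in parse_sections(config_text):
        if not header.startswith("line vty"):
            continue
        transports = [l.split()[2:] for l in body if l.startswith("transport input")]
        allowed = transports[-1] if transports else []  # last statement wins
        if "all" in allowed or "telnet" in allowed:
            findings.append((header, "telnet-allowed"))
        if not any(l.startswith("access-class") for l in body):
            findings.append((header, "no-access-class"))
        if any(l.split()[0] == "password" for l in body):
            # 'password 7 <hex>' is reversible; 'password <text>' / 'password 0'
            # is plaintext. Either way it is one shared secret for the line.
            findings.append((header, "weak-line-password"))
        if "login" in body:  # 'login local' would be per-user; bare 'login' is not
            findings.append((header, "line-password-login"))
    return findings


if __name__ == "__main__":
    for header, code in audit_vty(SAMPLE_CONFIG):
        print(f"{header}: {FINDINGS[code]}")
```

Run against `show running-config` output saved to a file, the audit is a quick way to confirm that every vty block ends up with `transport input ssh`, an `access-class ... in`, and `login local` backed by `username ... secret` rather than a line password.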

                                • 13. Re: Can't telnet router from outside
                                  Greg, CCNP, JNCIP

                                  Did you point your telnet client at a hostname, or an IP address?  Did the telnet client computer resolve the hostname to an IP address, and if so, is the resolved IP address correct (i.e. actually the IP address that got assigned to the Dialer interface)?  What happened when the telnet client tried to connect?  You got a prompt, but the router didn't accept your username/password?  You didn't get a prompt?  Did you try to ping and/or traceroute to the router? What happened w/ ping and traceroute?  Does your traceroute application support sending probes to TCP destination port 23 (telnet), and if so, what happens when you try that?  What is the source IP address being set by your telnet client in its attempts to reach the router?  Does the router you're trying to telnet into have a route back to your telnet client IP address?  Is the telnet client computer sending from a private IP address?  If private, will it be NAT-translated before the telnet connection reaches the remote router?  If so, have you proven that NAT is working?  Can the telnet client computer telnet to other outside hosts (e.g. route-server.ip.att.net)?

                                  • 14. Re: Can't telnet router from outside
                                    Saleem

                                    Actually, telnet is blocked by the ISPs in the UAE. I realized it when I configured SSH and was able to connect via SSH.
