Remote Telnet Issues

Unanswered Question

I'm honestly embarrassed asking this question but for the life of me I've been unable to resolve the issue. ICMP makes it to ingress but telnet fails from remote subnets. There is another router in front of this device on the same subnet as the ingress, with no ACLs, and this device has no problems with telnet. Anything coming from the internet cannot get a login prompt.


!
interface FastEthernet0/0
 ip address x.x.x.37 255.255.255.248
 duplex auto
 speed auto
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.33
!
line vty 0 4
 password cisco
 login
!


I've also tried adding "transport input telnet", but that did not correct my problem.


Additional information:


c1841#sho ver
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 06-Nov-06 01:09 by alnguyen

ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)

c1841 uptime is 1 hour, 59 minutes
System returned to ROM by reload at 17:35:25 UTC Fri Sep 19 2008
System image file is "flash:c1841-advsecurityk9-mz.124-3g.bin"
.
.
Cisco 1841 (revision 6.0) with 234496K/27648K bytes of memory.
Processor board ID FTX1108Z2HN
6 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

c1841#sho inv
NAME: "1841 chassis", DESCR: "1841 chassis, Hw Serial#: xxxxxxx, Hw Revision: 6.0"
PID: CISCO1841 , VID: V04 , SN: xxxxxxx

NAME: "C1841 Motherboard with 2 Fast Ethernet", DESCR: "C1841 Motherboard with 2 Fast Ethernet"
PID: CISCO1841 , VID: 6.0, SN: xxxxxxx

NAME: "WIC/HWIC 0", DESCR: "4 Port FE Switch"
PID: HWIC-4ESW , VID: V01 , SN: xxxxxxx

Richard Burts Fri, 09/19/2008 - 14:05

John


There is not anything in what you have posted that would show us why remote telnet does not work. But I do not think that you have shown us enough for us to be able to say that it is not something in the router config. Perhaps you can show us more of the router configuration?


When you mention that no one from the internet can telnet it makes me wonder if someone remote from the router (but inside your network) is able to telnet, and to wonder if there is some issue with address translation that might be impacting telnet. Are you doing address translation? Can you show us exactly what is configured for address translation?


HTH


Rick



Hi Rick,


Thanks for taking a look at this.


As requested, I've attached the current running config. Interface fa0/0 is the egress port and the /29 configured on it is public. Currently there is no network address translations happening.


With regards to your inquiry about external vs internal telnets, yes, I can telnet to fa0/0 locally from the 1841's gateway. There are no filters blocking telnet to the .37 IP address.



Richard Burts Mon, 09/22/2008 - 08:38

John


Thank you for posting the config. I have looked through it (and it is certainly minimally configured) and do not see anything in its configuration that would prevent telnet.


I believe that I am understanding your posts correctly that you can successfully ping this router address from remote addresses, so there is not an issue of IP accessibility (routing etc is working). If anything remote can not get a telnet prompt then I must believe that something is filtering out the telnet packets. A good way to check this would be to run debug telnet and then attempt telnet from a remote source. I predict that the debug will not show any telnet attempt arriving at the router.


HTH


Rick

John Blakley Mon, 09/22/2008 - 08:58

I looked at your config, and I have to say that I don't see anything that would keep telnet from working either. Do you get immediately disconnected, or does it wait to timeout? You could try SSH, but you would need to generate a certificate on the device before doing that. What is this router behind: firewall, ips/ids, another router? If you have an IDS/IPS, it may be killing the connection when it sees traffic going to port 23 if not explicitly allowed.


--John

I didn't bother trying SSH since no other forwarding is working correctly. Something is wrong with the device in front of it, methinks. I can see no other explanation. What I'm having problems understanding is that the Netscreen running in parallel is having no issues with .34/.35. Perhaps switching the port will resolve the situation. I won't be able to accomplish that until later this evening but will post results. Still baffles me that ICMP gets through with no challenges.

I've been working this issue on/off this morning but have the same results. The configuration has been enhanced to allow local connectivity out but I'm still having the same issues going in, unable to pat 3389:



!
interface FastEthernet0/0
 ip address x.x.x.37 255.255.255.248
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 100 permit tcp any host 192.168.2.2 eq 3389
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq telnet
!


If I deny icmp on acl 100, my pings stop, which confirms that L3 is routing correctly. No counters show up when attempting to telnet externally, but if I try and telnet from the device directly connected to the 1841 the counters do increase:


c1841#sho access-lists
Standard IP access list 10
    10 permit 192.168.2.0, wildcard bits 0.0.0.255
Extended IP access list 100
    10 permit tcp any host 192.168.2.2 eq 3389
    20 permit icmp any any (356 matches)
    30 permit tcp any any eq telnet (15 matches)


Even though I'm 100% confident there are no filters configured on that block, it's obviously being blocked for some reason that I'm unable to confirm.
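The access-list counters above are the most useful evidence in the thread: an entry that never increments for a given test tells you the packet did not reach the interface at all. The script below is an added example, not code from the thread or from Cisco; it evaluates numbered IOS-style ACLs offline against constructed packets and renders per-entry counters in the shape of `show access-lists`. The public addresses (203.0.113.x for the x.x.x.x /29, 198.51.100.10 as the remote source) and the sample packets are constructed; only the ACE syntax used in the thread (`any`, `host A.B.C.D`, `A.B.C.D wildcard`, and the `eq` port operator) is parsed. It also shows one thing the thread's config does not make obvious: an inbound ACL on the outside interface is evaluated before outside-to-inside NAT, so a packet for port 3389 still carries the public destination when ACL 100 sees it, and the `host 192.168.2.2 eq 3389` entry never matches it.

```python
"""Evaluate IOS-style numbered ACLs offline and report per-entry hit counters.

Constructed example: 203.0.113.x stands in for the thread's public x.x.x.x /29.
Only the ACE syntax used in the thread is parsed (any / host A.B.C.D /
A.B.C.D wildcard, and the 'eq' port operator).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53, "smtp": 25}

# The ACLs exactly as posted in the thread.
CONFIG = """
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 100 permit tcp any host 192.168.2.2 eq 3389
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq telnet
"""


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((net, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _addr_match(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    mask = ~wild & 0xFFFFFFFF
    return (_ip(addr) & mask) == (net & mask)


@dataclass
class Ace:
    seq: int
    action: str
    proto: str                 # "ip" for standard ACLs (any protocol)
    src: tuple
    dst: tuple
    dport: Optional[int]
    text: str
    matches: int = 0

    def covers(self, pkt):
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not _addr_match(self.src, pkt["src"]) or not _addr_match(self.dst, pkt["dst"]):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class Acl:
    number: int
    aces: list = field(default_factory=list)

    @property
    def extended(self):
        return 100 <= self.number <= 199 or 2000 <= self.number <= 2699

    def evaluate(self, pkt):
        """Return (action, seq); unmatched packets hit the implicit deny (seq None)."""
        for ace in self.aces:
            if ace.covers(pkt):
                ace.matches += 1
                return ace.action, ace.seq
        return "deny", None

    def show(self):
        """Render the list the way 'show access-lists' does, with match counters."""
        kind = "Extended" if self.extended else "Standard"
        lines = [f"{kind} IP access list {self.number}"]
        for ace in self.aces:
            suffix = f" ({ace.matches} matches)" if ace.matches else ""
            lines.append(f"    {ace.seq} {ace.text}{suffix}")
        return "\n".join(lines)


def build_acls(config_text):
    """Parse 'access-list N ...' lines into Acl objects keyed by number."""
    acls = {}
    for line in config_text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        acl = acls.setdefault(int(tokens[1]), Acl(int(tokens[1])))
        action = tokens[2]
        if acl.extended:
            proto = tokens[3]
            src, i = _parse_addr(tokens, 4)
            dst, i = _parse_addr(tokens, i)
            dport = None
            if i < len(tokens) and tokens[i] == "eq":
                dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        else:  # standard ACL: source only, any protocol
            proto, dport = "ip", None
            src, _ = _parse_addr(tokens, 3)
            dst = (0, 0xFFFFFFFF)
        seq = 10 * (len(acl.aces) + 1)
        acl.aces.append(Ace(seq, action, proto, src, dst, dport, " ".join(tokens[2:])))
    return acls


# Constructed traffic as it arrives inbound on Fa0/0, i.e. before NAT rewrites anything.
SAMPLE_PACKETS = [
    {"name": "remote ping", "proto": "icmp", "src": "198.51.100.10", "dst": "203.0.113.37"},
    {"name": "remote telnet", "proto": "tcp", "src": "198.51.100.10", "dst": "203.0.113.37", "dport": 23},
    {"name": "remote rdp", "proto": "tcp", "src": "198.51.100.10", "dst": "203.0.113.37", "dport": 3389},
    {"name": "remote ssh", "proto": "tcp", "src": "198.51.100.10", "dst": "203.0.113.37", "dport": 22},
]


def run_demo(config_text=CONFIG, packets=SAMPLE_PACKETS):
    """Run the sample packets through ACL 100; return verdicts and the counter display."""
    acls = build_acls(config_text)
    verdicts = {p["name"]: acls[100].evaluate(p) for p in packets}
    return verdicts, acls[100].show()


if __name__ == "__main__":
    verdicts, display = run_demo()
    for name, (action, seq) in verdicts.items():
        print(f"{name:14s} -> {action} (entry {seq if seq else 'implicit deny'})")
    print(display)
```

Run it and compare the counters with a real `show access-lists` taken before and after a remote telnet attempt: if the telnet entry's counter stays flat on the router while the offline evaluator says the packet would be permitted, the packet is being dropped upstream, which is exactly the inference the poster draws above.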

John Blakley Mon, 09/22/2008 - 10:57

What does the configuration look like for your internal interface? The one that you have ip nat inside applied to?

I'm using a BVI for the HWIC-4ESW. Here are the commands to make that work, but I would not think they should have an effect on an external telnet prompt:


!
!
bridge irb
!
!
!
interface Vlan1
 no ip address
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.2.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
!
!
bridge 1 route ip
!

John Blakley Mon, 09/22/2008 - 11:13

You said that the Netscreen beside it doesn't have a problem with .34/.35? You can also ping the device? What is this device's f0/0 connected to? Did you say that you CAN telnet from a 192.168.2.x address?


John

I noticed you have the ip nat outside statement on your outside interface. Can you provide the rest of the NAT config, including its ACL? The NAT ACL has to be precise; otherwise, when you try telnetting from the outside, the packets come in, then get translated going back out and never reach the source of the telnet.

The problem happens even when the config is at its most basic level and before I have the LAN segment configured.


Here's the information that you requested though:


!
interface FastEthernet0/0
 ip address x.x.x.37 255.255.255.248
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface Vlan1
 no ip address
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
!
interface BVI1
 ip address 192.168.2.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
!
!
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 100 permit tcp any host 192.168.2.2 eq 3389
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq telnet
!
