Telnet access to the CLI of my remote UC520 via Internet

mcastrigno (Level 1)

I want to access the CLI over the Internet of my UC520.

Internally I can telnet to the CLI using HyperTerminal to the default address and port, 192.168.10.1 23.

I set up a telnet password and even set up a static NAT between my static public IP and the above address:port. But still no luck.

What am I missing?

!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.10.1 23 interface FastEthernet0/0 23
!

Thanks!

1 Accepted Solution (Marcos's third reply below)

18 Replies

Have you tried doing this through CCA? There is an ACL on the WAN interface that needs to be modified too, and CCA automatically configures this.

Marcos

Hello Marcos. Thanks for your reply.

Yes, the CCA has a check box to configure or allow telnet access. I checked that box also.

What needs to be modified on the WAN interface?

What would I see for that when I do a "show run" on the CLI?

Thanks.

I meant the port forwarding section in the Firewall tab. Try to configure the port forwarding there (but first delete that nat statement that you added). Let me know,

Marcos

Thanks Marcos.

I am not at that site until Tuesday next week but will let you know how it works.

The nat I added was through CCA - I just like to check the resulting configuration with "show run" at the CLI.

Thanks!

I see. In that case, what you need to do is edit the Access List on the WAN interface to allow for Telnet inbound. Typically this access list is 104.

Do the following:

1) show run int fast 0/0

To get the output of the configuration for the WAN interface. Identify the ACL number (ip access-group XXX in)

2) Then do "show access-list XXX"

3) You will get an output with sequence numbers. This is the order in which the entries are read and the ACL enforced. You will need to insert your "permit" for telnet in the list.

4) You can put it at the top of the list with something like:

conf t

ip access-list extended XXX

5 permit tcp any any eq 23

5) Type "exit" and "wr mem" to save.

It is usually better to use SSH to connect from the WAN, it is more secure. Isn't this an option? Also, it is always a good idea to enable the VPN server on the UC500 so you can connect remotely and run CCA (that way you don't have to wait to be on site).

Thanks,

Marcos

Thanks Marcos. You answered another question I was wondering about ... accessing remotely with CCA.

I will do all this when I get on site again.

I am not all that familiar with SSH. What does one need from the client side to access this way instead of telnet?

Thanks again , I will let you know how it all works out.

You can use PuTTY (just Google it). It offers a GUI based SSH client. Just enter the target IP and that's it.

Good luck,

Marcos

Marcos,

Setting ACL in the CLI for the wan port as you described worked like a champ. Thanks!

I am also trying to get a handle on what CCA can and cannot do. I cannot find in CCA where I could have accomplished the same thing.

In a previous reply you mention "I meant the port forwarding section in the Firewall tab." Where is the "Firewall tab" in CCA you refer to? Do you mean the dialog box you get when you select Configure->Security->Firewall and DMZ? In here I see no "port forwarding" section.

Can you help me understand the correlation between what I should see in CCA after modifying the ACL in the CLI?

Thanks

I am sorry, but I meant "Security ---> NAT", which I think is what you did. I will try to recreate locally, but this should have created a pinhole through the WAN ACL.

Thanks,

Marcos

relionllc (Level 1)

It may be a lot easier just to VPN in and then you should be able to use CLI or CCA with that private IP.

pzimmer1230 (Level 1)

I am having a very interesting issue. I simply want to open Telnet/SSH access to the outside interface of my 520 (Fa0/0). The interesting part of our problem is that when we completely remove the access-group 104 in policy on the outside interface it does NOT allow us to connect via telnet. We have the same issue when we add a permit policy to the access-list 104 and apply it as an in policy on Fa0/0. Telnet from all internal interfaces works just fine.

Is there some hidden policy applied to Fa0/0 when no access-group is explicitly configured?

interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address 67.x.x.x 255.255.255.248
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map corp
!
line vty 0 4
 exec-timeout 120 0
 privilege level 15
 password ***********
 transport preferred telnet
 transport input all
 transport output all
!
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip any any eq telnet
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 permit ip any any
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip any any
access-list 104 deny   ip 192.168.16.0 0.0.0.255 any

That's very odd. No access-list should leave it wide open for telnet. I even tried it on mine just to see. This may sound bad, but are you sure? Nobody will ever tell you this, but I ran into a few weird problems here and there and would you believe the resolution was to do a reload on the router? Don't forget to save your config first.

Also, could you clarify, you say the same happens when you add the permit policy- exactly what are you adding and where? If you're not talking about the 8th line in your ACL, I'd point out that all of your deny statements are worthless if you have that permit any any up higher like that, especially that last one, "access-list 104 deny   ip 192.168.16.0 0.0.0.255 any." And last, you don't have a permit statement for your SSH, 22.
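The two ACL mechanics this thread leans on, the sequence-numbered insert in step 4 of Marcos's accepted answer and the point just made that a "permit ip any any" at line 8 makes every deny below it worthless, can be checked with a small first-match simulator. This is an added example, not code from the thread or from Cisco. It parses only the IOS syntax that appears on the page; the administrator address 198.51.100.7, the UC520 WAN address 203.0.113.1 and the sample packets are constructed for the illustration, and the reordered list is my reading of what the SDM template intends, not a configuration posted here.

```python
"""IOS-style first-match ACL evaluator (added example; not code from the thread or from Cisco).
Sequence numbers fix the evaluation order ("5 permit ..." lands before auto-numbered 10, 20, ...) and
the first match wins, so "permit ip any any" high in access-list 104 shadows every deny below it."""
import re

PORT_NAMES = {"telnet": 23, "ssh": 22, "bootps": 67, "bootpc": 68}
ACE_RE = re.compile(r"^(?:access-list\s+\S+\s+)?(?:(\d+)\s+)?(permit|deny)\s+(.+)$")  # [prefix] [seq] action rest

def ip_to_int(text):
    return int.from_bytes(bytes(int(x) for x in text.split(".")), "big")

def _parse_addr(toks, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return ((base, wildcard), next_i)."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (ip_to_int(toks[i + 1]), 0), i + 2
    return (ip_to_int(toks[i]), ip_to_int(toks[i + 1])), i + 2

def _parse_port(toks, i):
    """Consume an optional 'eq <number|name>'; return (port or None, next_i)."""
    if i < len(toks) and toks[i] == "eq":
        p = toks[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def _in(addr, spec):  # IOS wildcard mask: 1 bits are "don't care"
    return ((addr ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0

class Ace:
    def __init__(self, seq, action, rest):
        toks = rest.split()
        self.seq, self.action, self.proto = seq, action, toks[0]
        self.src, i = _parse_addr(toks, 1)
        self.sport, i = _parse_port(toks, i)
        self.dst, i = _parse_addr(toks, i)
        self.dport, i = _parse_port(toks, i)
        self.icmp_type = toks[i] if i < len(toks) else None  # e.g. echo-reply

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not (_in(ip_to_int(pkt["src"]), self.src) and _in(ip_to_int(pkt["dst"]), self.dst)):
            return False
        for want, have in ((self.sport, pkt.get("sport")), (self.dport, pkt.get("dport")),
                           (self.icmp_type, pkt.get("icmp_type"))):
            if want is not None and want != have:
                return False
        return True

class Acl:  # entries kept sorted by sequence number; evaluation stops at the first match
    def __init__(self, lines=()):
        self.aces = []
        for line in lines:
            self.add(line)

    def add(self, line):
        m = ACE_RE.match(line.strip())
        if not m:  # remark, or syntax this model does not cover
            return
        seq, action, rest = m.groups()
        seq = int(seq) if seq else max((a.seq for a in self.aces), default=0) + 10
        self.aces.append(Ace(seq, action, rest))
        self.aces.sort(key=lambda a: a.seq)

    def evaluate(self, pkt):  # (action, seq) of the first match; ('deny', None) is the implicit deny
        for ace in self.aces:
            if ace.matches(pkt):
                return ace.action, ace.seq
        return "deny", None

# access-list 104 as posted above, abridged to the entries that matter here (remarks dropped)
POSTED_104 = [
    "access-list 104 permit ip any any eq telnet",
    "access-list 104 permit udp any eq bootps any eq bootpc",
    "access-list 104 permit ip any any",
    "access-list 104 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 104 deny ip any any",
]
# same intent in the order the SDM template means: anti-spoofing deny, one source-restricted SSH
# permit (constructed admin host 198.51.100.7 and UC520 WAN address 203.0.113.1), then deny
FIXED_104 = [
    "deny ip 10.0.0.0 0.255.255.255 any",
    "permit tcp host 198.51.100.7 host 203.0.113.1 eq 22",
    "permit udp any eq bootps any eq bootpc",
    "deny ip any any",
]

def demo():
    spoofed = {"proto": "tcp", "src": "10.0.0.1", "dst": "203.0.113.1", "dport": 22}  # RFC1918 source on WAN
    admin = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.1", "dport": 22}
    step4 = Acl(["deny ip 10.0.0.0 0.255.255.255 any", "deny ip any any"])
    step4.add("5 permit tcp any any eq 23")  # the accepted answer's insert-at-the-top entry
    return {
        "posted_spoofed_ssh": Acl(POSTED_104).evaluate(spoofed),               # permit at 30: denies never reached
        "fixed_spoofed_ssh": Acl(FIXED_104).evaluate(spoofed),                 # deny at 10
        "fixed_admin_ssh": Acl(FIXED_104).evaluate(admin),                     # permit at 20
        "fixed_admin_telnet": Acl(FIXED_104).evaluate(dict(admin, dport=23)),  # deny at 40
        "step4_spoofed_telnet": step4.evaluate(dict(spoofed, dport=23)),       # permit at 5, ahead of every deny
    }
```

Remarks and unmodelled lines are skipped, and the sort by sequence number decides evaluation regardless of the order the entries were added. The last result is the caveat on step 4 of the accepted answer: sequence 5 sorts ahead of the SDM anti-spoofing denies as well, so a permit placed there accepts a telnet SYN from a private source address arriving on the WAN. Inserting the entry after those denies, restricted to the administrator's source address and to port 22, keeps them effective.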

No offense taken... I removed the 'access-group 104 in' multiple times, all with the same result. I see the packet come in on the interface when I do a debug ip packet (source address), so I know it is hitting the Fa0/0 interface. I haven't tried rebooting it with the access-group removed from the interface; wonder if there is some sort of bug in 12.4(20)?

Your point about the sequence of the ACL is spot on and I appreciate the feedback. If the reboot doesn't fix the issue I will try to figure out what is preventing the UC from processing the request through debugging (any suggestions?); worst case I'll call TAC and see what they think. Thanks for the help.

What happens if you remove the "ip inspect" command under the WAN interface? Also, is the UC500 connected to a firewall on its WAN?

Thanks,

Marcos
