Cisco 2821 remote login question

Unanswered Question
Feb 9th, 2009


I have configured a Cisco 2821 with a 16-port FE PA plugged into slot 1. I left the VLAN1 as standard on the router and gave the VLAN the network address 10.230.x.x/24. I also configured a gateway on it.

On the line vty 0 4 I took off the input telnet statement as well as the ip access class 23 in, which states to only allow 10.10.x.x connections. I made sure the vty's have passwords and local login configured. I have disabled ip http server.

However my problem is I cannot telnet to the router to log in remotely.

I also noticed I cannot ping the router. Should Cisco routers not automatically allow ping unless you explicitly deny icmp in an ACL?



cpubob Mon, 02/09/2009 - 15:09

By default, the router will always respond to pings. The default config for the VTYs is "transport input telnet", which is needed if you want to telnet to the box. If you've removed that, then you cannot telnet but you should still be able to ping. If you ping the router, even if the ping fails, do you see an entry in the ARP cache for the router's IP? (On Windows, go to the CLI and type "arp -a". If the entry is all 0's and says invalid at the end, then ARP is not working and you probably have a config or topology issue.) You can also check the ARP cache on the router (show arp) to see if the router can ARP to anything on the LAN. If it cannot, then you have something wrong with the config or your topology. If you would like more help, post the config for your interfaces and the vty lines and include any ACLs that are applied to them. Also include a basic topology map (IP addresses and the routers/switches that are in the path).



willemvwyk Mon, 02/09/2009 - 16:09

This is the weird thing that surprised me. When I was told the router has been installed the first thing I tried was to ping it, without any luck.

I checked the MAC address entries from XP's CLI and the router's one is not in. So I think there could be a topology problem. I was not aware of the transport input telnet; I thought if I remove that the router will allow any transport method regardless of what type it is, whereas if I specify telnet and want to connect using another method it will not allow that method.

I did not grab a copy of the config as I was hoping to do so while testing by remotely logging in. But if I cannot even ping the device and there are no ACL's denying ping, then I think there must be a bigger problem. Thanks for the help.

Richard Burts Tue, 02/10/2009 - 10:06


There are several issues that could impact the ability to telnet to the router. But if you can not ping the router then there is a bigger problem than just not being able to telnet, especially if you are sure that there is not any access list which could cause this.

Is it possible that the configuration was not saved on the router? Is it possible that the router interfaces are in shutdown state? Is it possible that there was a keystroke error and the IP address entered was different from what you intended?

If you cannot telnet and you cannot ping then I believe that to find out what the problem is you will need to access the router by its console port and investigate.

And the default is to accept multiple protocols for remote access (telnet and SSH being the most common protocols). If you configure the vty with no transport input (or transport input none) then you would have prevented any remote access. If you configure the vty with transport input telnet then you have permitted remote access only by telnet and not any other protocol.
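
An added example, not part of any post in this thread: a small Python check that reads the vty section of a saved IOS configuration and flags the settings discussed above (transport input, inbound access-class, login local). The sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample config, not taken from the thread. ACL 23 and the
# "login local" / "transport input" lines mirror settings the posts mention.
SAMPLE_CONFIG = """\
access-list 23 permit 10.10.0.0 0.0.255.255
!
line con 0
line vty 0 4
 access-class 23 in
 login local
 transport input none
line vty 5 15
 login
 transport input telnet
!
"""

def parse_vty(config):
    """Map each 'line vty ...' header to the list of its sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            m = re.match(r"line vty \d+(?: \d+)?", raw)
            current = blocks.setdefault(m.group(0), []) if m else None
    return blocks

def audit_vty(config):
    """Return {vty header: [findings]} for reachability and exposure."""
    report = {}
    for header, cmds in parse_vty(config).items():
        notes = []
        transport = next((c.split()[2:] for c in cmds
                          if c.startswith("transport input ")), None)
        if transport is None:
            notes.append("no explicit transport input: depends on IOS default")
        elif transport == ["none"]:
            notes.append("transport input none: all remote logins refused")
        elif "telnet" in transport or "all" in transport:
            notes.append("telnet allowed: credentials sent in clear text")
        if not any(re.fullmatch(r"access-class \S+ in", c) for c in cmds):
            notes.append("no inbound access-class: any source may connect")
        if "login local" not in cmds:
            notes.append("'login local' not set: logins not tied to local users")
        report[header] = notes
    return report

if __name__ == "__main__":
    for header, notes in audit_vty(SAMPLE_CONFIG).items():
        print(header, "->", notes or ["no findings"])
```
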



willemvwyk Tue, 02/10/2009 - 13:10

Hi Rick

Thanks again for all the help. I did the setup of this 2821 last week, so what I did is still fresh in mind, which is great as I can compare what I did to the questions you have raised.

I did save the configuration, multiple times. Coming from a Cisco background I know what havoc can be caused when the config is not saved and the router bounces. So I am 500% sure I saved all my config changes.

The router has 2 Gig interfaces. GE0/0 is up down and GE0/1 is admin shut. This does not pose any problems as we are not yet using those interfaces.

I created a file with the router's IP addresses in. Basically we are using a 16-port FE adapter which has all 16 ports in VLAN1. VLAN 1 has an IP address of 10.230.100.x and the router has a gateway to reach the 10.230.100.x router as the gateway. I have tried a few other IPs different from what I configured on the router, but with no success.

Having read the responses so far on here, I have come to realise I will have to access the router via console as there's nothing else I can do.



Leo Laohoo Wed, 02/11/2009 - 17:04

If you have another reachable router at the site, you can reverse-telnet into your problematic router (AUX to Console).

willemvwyk Wed, 02/11/2009 - 20:45


Unfortunately I do not have another router at the site :( But from the looks of it the initial reason why we wanted to deploy the router is getting more complicated, which means that I might have to go to site not only to troubleshoot the current problems but also assist with cutting the line over from Ether to FX where the FX needs to plug into the new 2821 and the current Ether is plugged into a DSL router. Fun Games! :) LOL!

Thanks anyway for all the help :-)

