can not connect to Cisco 2621 router

Unanswered Question
Apr 30th, 2009

My Cisco 2621 is running IOS version 12.3(24) with firewall feature set. The router has 64Mb RAM and 16Mb flash.


I have a simple network where F0/0 is connected to my cable modem network and F0/1 is my LAN network. I only have a single Windows XP machine on the LAN side. Under normal conditions, I can telnet and ssh into the router without any issues. By the way, there is NO ACL blocking access on the router whatsoever.


access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface f0/0 overload
interface f0/0
 ip address dhcp
 ip nat outside
interface f0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside


Whenever I start the bit-torrent application, I can NO longer telnet into the router. Even when I stop bit-torrent on my Windows XP machine, I still cannot telnet into the router. The only way to telnet to the router is to physically reboot the router. After that, I can telnet to the router. As soon as I enable the bit-torrent application, I lose telnet access to the router.


If I replace the router with a cheap $30 vyatta router running on a PC, I have no such issue.


Does anyone know why the Cisco 2621 cannot handle the bit-torrent application? Thanks.

Richard Burts Thu, 04/30/2009 - 18:19

David


I do not believe that the issue is bit-torrent. I believe that it is your address translation. I have seen issues where telnet to the router does not work when there is address translation that uses an extended access list with permit any. I suggest that you rewrite your address translation to use a standard access list. Perhaps something like this:

access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface f0/0 overload


Give that a try and let me know if the behavior changes.


HTH


Rick

cisco24x7 Fri, 05/01/2009 - 04:50

Rick,


My ACL is correct. My Windows XP machine is 192.168.1.10/24 and the router is 192.168.1.1/24. If the traffic does not have to traverse the interface, NAT does not apply. Furthermore, when bit-torrent is not running, from my Windows XP machine, I can ssh to 129.174.1.13, which is an IP address on the Internet. At the same time, I can telnet/ssh into the router from the XP machine via address 192.168.1.1.


Not sure how you came to the conclusion that it is an address translation issue.


David

Richard Burts Fri, 05/01/2009 - 06:59

David


I came to the conclusion that it might be a translation issue because I have seen similar symptoms before that did turn out to be translation issues.


Why is it better to use an extended access list such as:

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

instead of using a standard access list with the same source address:

access-list 1 permit 192.168.1.0 0.0.0.255


HTH


Rick

cisco24x7 Fri, 05/01/2009 - 07:13

Rick,


I tested that same scenario on a Cisco 3845 router and I am not seeing any issues with the same configuration when I enable bit-torrent. As soon as I put the 2621 back in place, I have issues.


The reason I use extended ACL is because on the Cisco 2621, I will be terminating VPN on this router in the future as well, for something like this:


access-list 100 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any


That way, traffic between 192.168.1.0/24 and 10.0.0.0/24 will be exempted from address translation.


From my experience as a security engineer, it is almost always recommended to use extended ACL instead of standard ACL because with extended ACL, you can control both the source and destination.
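
Added example, not part of the original thread or any poster's code: a small Python model of how the ACL referenced by "ip nat inside source list" selects flows for translation, using the ACL 100 and ACL 1 entries quoted above. It assumes first-match evaluation with an implicit deny and IOS wildcard-mask semantics; the flows other than the one to 129.174.1.13 are constructed sample values.

```python
import ipaddress

# ACL 100 as posted in the thread: (action, src, src_wildcard, dst, dst_wildcard)
ACL_100 = [
    ("deny",   "192.168.1.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0",  "255.255.255.255"),  # "any"
]
# Standard ACL 1 from the thread matches on source only, so the destination is "any".
ACL_1 = [("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]


def _wild_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored, the rest must be equal."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl, src, dst):
    """Return the action of the first matching entry; an ACL ends in an implicit deny."""
    for action, s, sw, d, dw in acl:
        if _wild_match(src, s, sw) and _wild_match(dst, d, dw):
            return action
    return "deny"


def is_translated(acl, src, dst):
    """With 'ip nat inside source list <acl>', only permitted flows are translated."""
    return acl_action(acl, src, dst) == "permit"


if __name__ == "__main__":
    flows = [  # constructed sample flows, except the 129.174.1.13 destination
        ("192.168.1.10", "129.174.1.13"),  # LAN host to the Internet
        ("192.168.1.10", "10.0.0.5"),      # LAN host to the future VPN subnet
        ("192.168.1.10", "10.0.1.5"),      # just outside the 10.0.0.0/24 exemption
        ("192.168.2.10", "129.174.1.13"),  # source not in any entry: implicit deny
    ]
    print(f"{'src':<14}{'dst':<15}{'ACL 100':<9}ACL 1")
    for src, dst in flows:
        a100 = "NAT" if is_translated(ACL_100, src, dst) else "no NAT"
        a1 = "NAT" if is_translated(ACL_1, src, dst) else "no NAT"
        print(f"{src:<14}{dst:<15}{a100:<9}{a1}")
```

Swapping the two ACL 100 entries makes the permit match first, so the exemption for 10.0.0.0/24 never takes effect.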
