can not connect to Cisco 2621 router

Unanswered Question
Apr 30th, 2009

My Cisco 2621 is running IOS version 12.3(24) with the firewall feature set. The router has 64MB RAM and 16MB flash.

I have a simple network where F0/0 is connected to my cable modem network and F0/1 is my LAN network. I only have a single Windows XP machine on the LAN side. Under normal conditions, I can telnet and ssh into the router without any issues. By the way, there is NO blocking access-list on the router whatsoever.

access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface f0/0 overload
interface f0/0
 ip address dhcp
 ip nat outside
interface f0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

Whenever I start the bit-torrent application, I can NO longer telnet into the router. Even when I stop bit-torrent on my Windows XP machine, I still can not telnet into the router. The only way to telnet to the router is to physically reboot the router. After that, I can telnet to the router. As soon as I enable the bit-torrent application, I lose telnet access to the router.

If I replace the router with a cheap $30 vyatta router running on a PC, I have no such issue.

Anyone know why the Cisco 2621 can not handle the bit-torrent application? Thanks.

Richard Burts Thu, 04/30/2009 - 18:19

David

I do not believe that the issue is bit-torrent. I believe that it is your address translation. I have seen issues where telnet to the router does not work when there is address translation that uses an extended access list with permit any. I suggest that you rewrite your address translation to use a standard access list. Perhaps something like this:

access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface f0/0 overload

Give that a try and let me know if the behavior changes.

HTH

Rick

cisco24x7 Fri, 05/01/2009 - 04:50

Rick,

My ACL is correct. My Windows XP machine is 192.168.1.10/24 and the router is 192.168.1.1/24. If the traffic does not have to traverse the interface, NAT does not apply. Furthermore, when bit-torrent is not running, from my Windows XP machine I can ssh to 129.174.1.13, which is an IP address on the Internet. At the same time, I can telnet/ssh into the router from the XP machine via address 192.168.1.1.

Not sure how you came to the conclusion that it is an address translation issue.

David

Richard Burts Fri, 05/01/2009 - 06:59

David

I came to the conclusion that it might be a translation issue because I have seen similar symptoms before that did turn out to be translation issues.

Why is it better to use an extended access list such as:

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

instead of using a standard access list with the same source address:

access-list 1 permit 192.168.1.0 0.0.0.255

HTH

Rick

cisco24x7 Fri, 05/01/2009 - 07:13

Rick,

I tested that same scenario on a Cisco 3845 router and I am not seeing any issues with the same configuration when I enable bit-torrent. As soon as I put the 2621 back in place, I have issues.

The reason I use extended ACL is because on the Cisco 2621, I will be terminating VPN on this router in the future as well, for something like this:

access-list 100 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

That way, traffic between 192.168.1.0/24 and 10.0.0.0/24 will be exempt from address translation.

From my experience as a security engineer, it is almost always recommended to use extended ACL instead of standard ACL because with extended ACL, you can control both the source and destination.
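To illustrate the point of the last post, here is a small added example (not from either poster) that models Cisco first-match ACL evaluation with wildcard masks and applies it to the two NAT access lists discussed in this thread. It only decides whether a flow matches the NAT list; it does not model the inside/outside interface check or the translation itself, and the sample addresses are the ones quoted in the thread.

```python
from ipaddress import IPv4Address

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a wildcard bit of 1 means 'do not care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# Entries are (action, src, src_wildcard, dst, dst_wildcard).
# A standard ACL has no destination part, so dst is None.
ACL_100 = [  # extended list from the thread: exempt LAN<->VPN subnet, NAT the rest
    ("deny",   "192.168.1.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # 'any'
]
ACL_1 = [  # standard list suggested in the thread: source address only
    ("permit", "192.168.1.0", "0.0.0.255", None, None),
]

def nat_applies(acl, src: str, dst: str) -> bool:
    """Return True if the flow hits a permit entry (i.e. would be translated).

    First matching entry wins; the implicit deny at the end of every Cisco ACL
    means an unmatched flow is not translated.
    """
    for action, s, sw, d, dw in acl:
        if not wildcard_match(src, s, sw):
            continue
        if d is not None and not wildcard_match(dst, d, dw):
            continue
        return action == "permit"
    return False

if __name__ == "__main__":
    # LAN host to Internet host quoted in the thread: translated under both lists.
    print(nat_applies(ACL_100, "192.168.1.10", "129.174.1.13"))
    # LAN host to the future VPN subnet: exempt only under the extended list.
    print(nat_applies(ACL_100, "192.168.1.10", "10.0.0.5"))
    print(nat_applies(ACL_1, "192.168.1.10", "10.0.0.5"))
```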
