Locked out of 827 DSL router

Unanswered Question

Seem to have created an issue that ended up getting me locked out of ssh/telnet access and any inbound/outbound traffic on my router.

I was configuring my router at home 850 miles away to open up the ports for my brother to use on XBL and now we have serious issues.  I followed the advice of another post and entered the following access-list entries to open the ports.  I tested the connection and all seemed fine.  I copied running config to startup config and logged out of the router.  About 2 hours later I received a call saying that all communications are completely dead.  I cannot login using ssh or telnet to get into the router to see what is happening. 

The old ADSL modem I had there still connects so we have ruled out a WAN connectivity issue and narrowed it down to a router configuration problem.

Here are the entries I created to open the ports and which I think caused the problem.

The access list assigned to Dialer In contains the following:

access-list 101 permit tcp any any eq www

access-list 101 permit udp any any eq 88

access-list 101 permit udp any any eq 3074

access-list 101 permit tcp any any eq 3074

access-list 101 permit udp any any eq domain

access-list 101 permit tcp any any eq domain

I can't seem to find a way to get back into the router to fix this issue.  I cannot physically sit there at the router to do any changes and my brother is unable to help other than type in commands I give him.

I do not have a text copy of the current config. I will work on getting one out of him after work tomorrow unless someone can see what mistake I made and possibly let me know what I need to do to remove the offending access list so that the traffic flow is restored back to normal.  My father bought the router and runs his exchange server and dB through it so I need to get it back working as soon as I possibly can.

Thank you in advance for any assistance regarding this matter.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Reza Sharifi Mon, 05/31/2010 - 19:16

Hi Shane,

If your brother has console access to the router, have him add below lines to your access list 100:

access-list 101 permit tcp any any eq telnet or 23

access-list 101 permit tcp any any eq ssh or 22

and test again

HTH

Reza

Thanks for the suggestion.  For some reason it is still unable to restore access to telnet or ssh.  Here is a list of the ACL entries that I added which caused the problem.  They are highlighted below in red.  I am unable to see what I did wrong to create the problem or find the solution to what will restore it to a working state.  The router has been running for 2 years until 3 days ago when I added those entries and no matter what I have tried it still doesn't work.

Is this helpful to see what may work to fix or what other information would be required to aid in the process?

Shane

------------------ show access-list ------------------

Standard IP access list 1

    10 permit 192.168.0.0, wildcard bits 0.0.0.255

Standard IP access list 2

    10 permit 192.168.0.0, wildcard bits 0.0.0.255

    20 deny   any

Extended IP access list 100

    10 deny ip 6.15.3.0 0.0.0.255 any

    20 deny ip host 255.255.255.255 any

    30 deny ip 127.0.0.0 0.255.255.255 any

    40 permit ip any any (1559 matches)

Extended IP access list 101

    10 deny ip 192.169.0.0 0.0.0.255 any

    20 permit icmp any any echo-reply

    30 permit icmp any any time-exceeded

    40 permit icmp any any unreachable

    50 deny ip 10.0.0.0 0.255.255.255 any

    60 deny ip 172.16.0.0 0.15.255.255 any

    70 deny ip 192.168.0.0 0.0.255.255 any

    80 deny ip 127.0.0.0 0.255.255.255 any

    90 deny ip host 255.255.255.255 any

    100 deny ip any any

    110 permit tcp any any eq www

    120 permit udp any any eq 88

    130 permit udp any any eq 3074

    140 permit tcp any any eq 3074

    150 permit udp any any eq domain

    160 permit tcp any any eq domain

Extended IP access list 102

    10 permit udp any host 6.15.3.9 eq non500-isakmp

    20 permit udp any host 6.15.3.9 eq isakmp

    30 permit esp any host 6.15.3.9

    40 permit ahp any host 6.15.3.9

    50 deny ip 192.168.0.0 0.0.0.255 any

    60 permit icmp any host 6.15.3.9 echo-reply

    70 permit icmp any host 6.15.3.9 time-exceeded

    80 permit icmp any host 6.15.3.9 unreachable

    90 deny ip 10.0.0.0 0.255.255.255 any

    100 deny ip 172.16.0.0 0.15.255.255 any

    110 deny ip 192.168.0.0 0.0.255.255 any

    120 deny ip 127.0.0.0 0.255.255.255 any

    130 deny ip host 255.255.255.255 any

    140 deny ip host 0.0.0.0 any

    150 deny ip any any log

Extended IP access list 103

    10 permit ip 192.168.0.0 0.0.0.255 any

Extended IP access list 107

    10 permit tcp any any eq 3389

Extended IP access list 196

    10 permit ip host 192.168.100.5 host 192.168.0.160

    20 permit ip host 192.168.0.160 host 192.168.100.5

Extended IP access list 198

    10 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255

Extended IP access list 199

    10 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255

    20 permit ip 192.168.0.0 0.0.0.255 any

Jennifer Halim Wed, 06/02/2010 - 19:19

If you added the new red highlighted lines to the router, it shouldn't disallow you to telnet or ssh to the router itself since you have "deny ip any any" before all the permit statements, it wouldn't even take effect. The newly configured red access-list lines should be configured above the "deny ip any any" line.

You would need to share the whole configuration and see where the access-list is applied to be able to check further. However, if you just added the red lines, you should still be able to telnet/ssh to the router.

I added the entire config information to the attachment.  I didn't catch the placement of the deny any any statement being above the added ACL entries, forgot to consider that.  Did my entering them one at a time inadvertently mess something up?  I just read elsewhere that it can cause it to disable an entire interface which would explain a lot.  The router can be accessed from the LAN interface by his terminal and this has not affected any of the internal network other than preventing connectivity in and out of the WAN interface.

If there is something else needed information wise just let me know.  I will do my best to get it up as fast as I can.  My brother is not tech friendly at all so it is stressful trying to get  this done over sms messages/phone calls.

Shane

Jennifer Halim Thu, 06/03/2010 - 03:22

I assume that Dialer0 interface is your interface which is connected to the internet. Can you ping out to the internet from the router itself? If you can't, that would probably explain why VPN tunnels are down, and you can't telnet or ssh to the router.

There are no access-list applied to Dialer0 so it couldn't possibly block access, and there aren't any ACL applied to the vty line either. I also assume that none of the internal host can access the internet?

That's due to the following:

interface Dialer0

  ip nat inside  

It should be "ip nat outside". You should remove the ip nat inside and change it to ip nat outside:

interface Dialer0

   no ip nat inside

   ip nat outside

That is correct.  None of the internal hosts can access the internet or any other outside resource.  Each host can ping the LAN interface of the router and each other host with success. No host can ping the WAN interface address from the inside and I am unable to ping the address from the outside.  I removed the ip nat inside for Dialer0 and replaced it with ip nat outside and the problem still persists. 

Jennifer Halim Sat, 06/05/2010 - 03:13

Is your Dialer0 interface up and running? Is this the ip address allocated by your ISP: 6.15.3.9/24? what is the next hop ip address?

Pls change the route from:

ip route 0.0.0.0 0.0.0.0 Dialer0

To the actual next hop in the subnet:

ip route 0.0.0.0 0.0.0.0

Can you ping to the internet from the router itself?

Paolo Bevilacqua Sat, 06/05/2010 - 16:27

Pls change the route from:

ip route 0.0.0.0 0.0.0.0 Dialer0

To the actual next hop in the subnet:

ip route 0.0.0.0 0.0.0.0

Why ? That is incorrect. The "dialer0" version is indded the correct way, the only alternative would be "ppp ipcp route default".

OP: Please post complete config minus public addresses and paswords

Actions

This Discussion