I have an issue with several 800 series routers.
This router was upgraded to 12.4(24)T7 and it is since this that we have started seeing the issue. It was subsequently downgraded.
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T6, RELEASE SOFTWARE (fc2)
When I turn on telnet and ssh debugging I see sessions as they arrive on the internal interface, but not externally.
TCP Packet debugging is on for address x.x.x.x, port number 2222, incoming packets
Incoming Telnet debugging is on
Incoming SSH debugging is on
As you can see, tcp debugging shows my external connection come in and I get a TCP reset back. x.x.x.x was my office public IP, y.y.y.y is the customer's router public IP.
Aug 13 11:34:39.957: tcp0: I LISTEN x.x.x.x:62614 y.y.y.y:2222 seq 2937972774
OPTS 24 SYN WIN 65535
Aug 13 11:34:39.957: TCP: sent RST to x.x.x.x:62614 from y.y.y.y:2222
It should be listening by the looks of things.
router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot  Local Address  Foreign Address      Service     State
 tcp  *:22           *:0                  SSH-Server  LISTEN
 tcp  *:23           *:0                  Telnet      LISTEN
 tcp  *:23           192.168.0.240:33329  Telnet      ESTABLIS
 tcp  *:2222         *:0                  SSH-Server  LISTEN
 tcp  *:1723         *:0                  PPTP        LISTEN
 udp  *:55724        *:0                  IP SNMP     LISTEN
 udp  *:123          *:0                  NTP         LISTEN
 udp  *:161          *:0                  IP SNMP     LISTEN
 udp  *:162          *:0                  IP SNMP     LISTEN
The IP y.y.y.y is negotiated with IPCP.
ip address negotiated
ip access-group 100 in
ip mtu 1492
ip inspect DEFAULT100 out
ip nat outside
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname firstname.lastname@example.org
ppp chap password 0 xxxxxx
router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
y.0.0.0/32 is subnetted, 1 subnets
C y.y.y.y is directly connected, Dialer0
a.a.a.0/32 is subnetted, 1 subnets
C a.a.a.a is directly connected, Dialer0
C 192.168.0.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 is directly connected, Dialer0
Access list 100 explicitly permits my office subnet, as does access list 23.
line vty 0 4
access-class 23 in
privilege level 15
transport input all
transport output all
And rotary 1 maps to 2222.
I see the same problem with telnet and ssh (on the rotary and port 22) from outside, however inside it works without a hitch. I've tried messing with the login local and access lists to no avail. I suspect that IPCP is significant in this.
'Shaun' in this thread appears to have the exact same issue.
Many thanks to anyone who takes the time to help me with this. If you need any more info please let me know.
I have a setup identical to yours. Everything is the same, just with no ip inspect on my routers.
Anyway, I did a workaround for that issue which works just fine. You can try that and
let me know. The idea is to create a loopback interface on the router and then build a static
NAT entry from the public address to the loopback address. I did that for SSH and it
works like a charm.
Let me know if that helps.
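
The workaround described in the reply above, sketched as IOS configuration. This is an added example, not either poster's actual configuration: Loopback0 and 10.255.255.1 are assumed placeholder values, while Dialer0, port 2222 and access lists 100 and 23 come from the question.

```ios
! Assumed placeholder: a loopback with a private /32 address that the
! router's SSH server can be reached on.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! Static port translation: TCP 2222 on whatever address Dialer0 has
! negotiated via IPCP is translated to TCP 22 on the loopback.
! Referencing the interface instead of a literal address keeps the
! entry valid when the negotiated address changes.
ip nat inside source static tcp 10.255.255.1 22 interface Dialer0 2222
!
! Dialer0 already carries "ip nat outside" and "ip access-group 100 in"
! in the question's configuration. Access list 100 is evaluated before
! the translation, so it must permit TCP 2222 to the public address
! from the management subnet.
!
! Check the static entry and any active session from exec mode with:
!   show ip nat translations
```

The translation rewrites only the destination, so the source address the vty sees is still the remote client's. Access-class 23 on line vty 0 4 therefore continues to restrict management access to the permitted subnet.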