Cisco Support Community

New Member

Telnet Access

Greetings,

I am testing access lists on telnet lines and I am having a bit of an issue. I applied an access list to router 'a' and applied it to line vty 0 4. This access list limits telnet access to only one switch, another router 'b', and several laptops. The laptops can get in OK if they go directly to router 'a'; however, if they connect first to router 'b' and then try to telnet from router 'b', they get the message "access denied" on router 'a' even though the Ethernet interface IPs from router 'b' are both explicitly permitted in the access list, along with the IP addresses of the laptops. There are no 'deny' statements in the access list, except the implicit deny statement at the end.

Routers 'a' and 'b' are connected together through subinterfaces on serial ports with frame relay connections.

Any ideas why the laptops cannot telnet from sessions established at router 'b'?

Any ideas?

Thanks,

Dallas

1 ACCEPTED SOLUTION

Accepted Solutions
Gold

Re: Telnet Access

I'm thinking you have the wrong IP address for router B in A's access-list. It could also be a subnet mask vs. wildcard mask problem.

First thing to check: what IP address does router A see you telnetting in with from router B?

I am going to assume the standard access-list number you're using is 1. (It can be anything 1-99, or it can be a named access-list. I will use 1 here.)

On router A, under "line vty 0 4", remove the "access-class 1 in" command. Then log into router A from router B. On router A, run "show users" to see the IP address A thinks you're coming from. That's the address (or subnet, depending on how you mask it) that you need in your "access-list 1 permit ..." command.

If the two routers are on different LANs with different subnets, but are connected through the serial link, then the IP address on the interface closest to router A is what B will use to initiate the telnet session. And that nearest interface would be the serial subinterface you mentioned.

You said you used the Ethernet interface IP addresses. They would work if both routers were on the same LAN or subnet; or they would work if the LAN interfaces were along the route path between the two devices, if the LAN interfaces were on different subnets. In the event you have multiple connections between the two routers, whichever IP address you telnet to is the subnet and interface your session will go out on.

Second thing to check: do you have a correct "access-list 1 permit ..." command? Look for the address or subnet that you saw above. Sometimes the address is correct, but the problem is with the wildcard mask, which is the inverse of the subnet mask.

For example, specifying a static route to a specific host would be address 10.1.2.3 and subnet mask 255.255.255.255; in an access-list, permitting a specific host would use address 10.1.2.3 and wildcard mask 0.0.0.0.

In the case of a subnet, if you wanted to specify a static route to the 10.1.0.0 network with a 16-bit subnet mask, you would use subnet mask 255.255.0.0. The corresponding access-list wildcard mask for the same subnet would be 0.0.255.255.

And in the case of a typical minimalist point-to-point subnet on a serial WAN link subinterface, if you wanted to allow access from the "whole" subnet in a single command, let's say your subnet was 10.168.212.4 with a 30-bit subnet mask (so you have subnet ID .4, two usable IP addresses .5 and .6, and subnet broadcast IP address .7), your subnet mask would be 255.255.255.252 while your wildcard mask would be 0.0.0.3.

See the pattern? First octet of the subnet mask, added to first octet of the wildcard mask, equals 255; same for the second, third, and fourth octets. If not, then something's wrong -- check your numbers again.

Last thing to do: put in the "access-list 1 permit 10.168.212.4 0.0.0.3" command on router A (or whatever address/wildcard combination you need for router B), and add the "access-class 1 in" command back to your "line vty 0 4". Try your telnet from router B to router A. It should work.

Hope this helps.
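As an added example (written for this page, not code from the thread or from any Cisco tool), the following Python models the checks in the accepted solution: deriving a wildcard mask from a subnet mask, verifying that each octet pair sums to 255, and evaluating a standard access-list the way IOS does (first match wins, implicit deny at the end) against the source address that "show users" would report. The addresses 192.168.20.1, 192.168.10.0/24 and 10.168.212.6 are constructed for illustration and are not from the thread.

```python
import ipaddress
def wildcard_from_mask(mask: str) -> str:
    """Invert a dotted subnet mask into the IOS wildcard mask: each octet pair sums to 255."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def masks_are_complementary(mask: str, wildcard: str) -> bool:
    """The sanity check from the reply: mask octet + wildcard octet must equal 255 in every position."""
    return all(int(m) + int(w) == 255 for m, w in zip(mask.split("."), wildcard.split(".")))

def ace_matches(addr: str, wildcard: str, source: str) -> bool:
    """Standard ACL comparison: a 1 bit in the wildcard means 'do not care' for that bit."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(source)) & care)

def parse_standard_acl(config: str):
    """Parse 'access-list N permit|deny ...' lines into (action, address, wildcard) tuples."""
    entries = []
    for line in config.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, rest = parts[2], parts[3:]
        if rest[0] == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif rest[0] == "host":
            entries.append((action, rest[1], "0.0.0.0"))
        else:  # a bare address with no wildcard means a single host (wildcard 0.0.0.0)
            entries.append((action, rest[0], rest[1] if len(rest) > 1 else "0.0.0.0"))
    return entries

def evaluate_standard_acl(entries, source: str) -> str:
    """First match wins; a source that matches nothing hits the implicit deny at the end."""
    for action, addr, wildcard in entries:
        if ace_matches(addr, wildcard, source):
            return action
    return "deny"

# Constructed router A access-list: router B's Ethernet address and the laptop LAN are
# permitted, but the serial subinterface router B really sources the telnet from is not.
ACL_BEFORE = """
access-list 1 permit host 192.168.20.1
access-list 1 permit 192.168.10.0 0.0.0.255
"""
# The same list after adding the point-to-point serial subnet from the reply.
ACL_AFTER = ACL_BEFORE + "access-list 1 permit 10.168.212.4 0.0.0.3\n"
SERIAL_SOURCE = "10.168.212.6"  # constructed: what "show users" on router A would report
if __name__ == "__main__":
    print(evaluate_standard_acl(parse_standard_acl(ACL_BEFORE), SERIAL_SOURCE))  # deny
    print(evaluate_standard_acl(parse_standard_acl(ACL_AFTER), SERIAL_SOURCE))   # permit
```

Running it shows the same symptom as the thread: the serial-sourced session is denied until the serial subnet's permit entry is added, while laptop and Ethernet addresses match either way.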

3 REPLIES
New Member

Re: Telnet Access

Thank you very much, I will play around with it a bit more and let you know if this becomes my solution.

Dallas

New Member

Re: Telnet Access

Good day konigl,

I just wanted to let you know that it was an incorrect IP given to me for router b's interface. Thanks for all of your help.

Dallas
