
831 remote access

radu.andrei
Level 1

Hi.

Can you help me? I cannot allow remote access for the Cisco 831.

I have configured the line vty 0 4:

login
password 7 ....
exec-timeout 0 0
transport input telnet

Any idea?

Thank you.

6 Replies

spremkumar
Level 9

Hi

To isolate the exact reason for the accessibility problem, do revert whether you are able to access the router from the local LAN.

If yes, then can you revert whether there are any reachability issues from the remote location to the IP which you are trying to access?

BTW, which IP address are you trying to access from the remote location?

If you are trying a local LAN IP (Ethernet IP) and you have NAT in place, it won't work for you from the remote side. Hope you aren't trying something like that.

Regards

In addition to the suggestions from Edwin I have a comment and suggestion. I notice that the original post has the exec timeout set to 0, which says that inactive sessions will never time out. While I sometimes do this on console connections, I think it is not a good idea on vty ports. I have seen many situations where someone telnetted to a device, lost the network connection, and the vty port still maintained the session. I have seen situations where telnet access did not work because all of the vty ports were busy and orphan sessions were most or all of it.

If you can get to the router at all (perhaps through the console connection), do a show user and see if the vty ports are in an occupied state with unexpired connections. If so, a clear line on the router will solve the immediate problem.

I suggest that it is better to set very long timeouts on vty if you want, but I suggest that you do not disable inactive timeout on vty ports.

HTH

Rick


Michael Stuckey
Level 3

If I understand the question "if you do not want to have access to the 831 is correct" then I would remove the login and password from the line command. You could also create an access list and apply it to the vty's that would limit who is allowed to telnet to the router.

If you do want access and the lines are not all used, what possible access lists do you have on the main interfaces that could be blocking incoming telnet connections?

Rburt is correct about the exec-timeout command. The way you have it, all the vty lines could get used and also stop any further sessions to the router.

I would send us a copy of the configuration and a copy of the show line command.

Rate the message,

Mike

So, thanks all for the ideas.

Also, none of it worked.

Here is my config:

"

15nov2005:

Building configuration...

Current configuration : 1450 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Camin
!
enable secret xxxx
!
username concept password xxxx
no aaa new-model
ip subnet-zero
!
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address xx.xx.xxx.xx 255.255.255.0
 ip nat outside
 duplex auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip nat inside source list 101 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xxx.1
ip http server
no ip http secure-server
!
access-list 101 permit ip any any
access-list 101 permit tcp any any eq telnet
access-list 110 permit tcp any any eq telnet
!
line con 0
 no modem enable
line aux 0
line vty 0
 exec-timeout 120 0
 password xxxx
 login
 length 0
 transport preferred telnet
 transport input none
 transport output none
line vty 1 4
 exec-timeout 120 0
 password xxxx
 login
 length 0
 transport preferred telnet
 transport input telnet
!
scheduler max-task-time 5000
!
end

"

Any idea?

I can log in locally.

I can access the web interface (only from the internal IP), and I set up the allow telnet access.

Also, I cannot telnet from outside the LAN.

Thank you.

Hi

From your post, under line vty 0 you have disabled incoming connections by keying in transport input none; just change the same to transport input telnet. Also, is there any specific reason for configuring the length to 0? We normally keep that at the default value, which is 24.

Regards

Cisco Notes:

transport input none--Issue 1

Prevents any protocol selection on the line. This makes the port unusable by incoming connections

transport output none--Issue 2

Prevents any protocol selection on the line. The system normally assumes that any unrecognized command is a host name. If the protocol is set to none, the system no longer makes that assumption. No connection will be attempted if the command is not recognized.

Comment on above.

Any settings made with the transport input or transport output commands override settings made with the transport preferred command

length 0--"Not normal but should not be an issue"

In the following example, the terminal type is specified and the screen pause function is disabled for the terminal

My concern would be: does the ISP allow you to access your router's HTTP port?

What I would do is swap IP addresses on the router and connect your PC to the outside interface (that is now configured with your internal IP network address), then see if you can get to the web interface. This would at least determine if you might have an ISP blocking you from accessing the outside interface when connected correctly to the Internet.

Rate this post if it helps.

Mike
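
An added example, not part of any post in this thread: a small Python audit that reads the `line vty` blocks of an IOS configuration and flags the three points the replies raise (`transport input none`, `exec-timeout 0 0`, and no access list applied to the vty lines). The sample configuration is constructed from the one posted above, with `exec-timeout 0 0` put back on vty 1 4 as in the first post; the function names are this example's own.

```python
import re

# Constructed sample: vty section modelled on the configuration in the thread.
SAMPLE_CONFIG = """\
line con 0
 no modem enable
line vty 0
 exec-timeout 120 0
 password xxxx
 login
 transport preferred telnet
 transport input none
 transport output none
line vty 1 4
 exec-timeout 0 0
 password xxxx
 login
 transport input telnet
!
end
"""

def parse_vty_blocks(config):
    """Return {"vty 0": [subcommands], ...} for each 'line vty' block.
    Blocks end at '!', 'end' or the next 'line' header, so a paste that
    lost its indentation (common on forums) still parses."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"line (vty \d+(?: \d+)?)$", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith("line ") or line in ("!", "end"):
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks

def audit_vty(config):
    """Return (block, finding) pairs for the issues discussed in the thread."""
    findings = []
    for name, cmds in parse_vty_blocks(config).items():
        if "transport input none" in cmds:
            findings.append((name, "transport input none: line accepts no incoming sessions"))
        if "exec-timeout 0 0" in cmds:
            findings.append((name, "exec-timeout 0 0: idle sessions never expire"))
        if not any(re.match(r"access-class \S+ in\b", c) for c in cmds):
            findings.append((name, "no access-class in: no access list limits who may connect"))
    return findings
```

Running `audit_vty` over a saved `show running-config` gives one line per finding, which makes a vty 0 that differs from vty 1 4 easy to spot.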