New Member

1841 isr Router SDM problem

Hi

I have got an 1841 ISR router with SDM. I am having a strange problem: whenever I configure an access list on any interface, it starts blocking my telnet connection from outside. I tried to apply an ACL having permit ip any any on my outside interface, and then it also starts blocking my SSH or telnet connection.

5 REPLIES
Hall of Fame Super Silver

Re: 1841 isr Router SDM problem

That does seem unusual. Perhaps you would post the config of the router (masking any sensitive information). This might help us to figure out what is going on.

HTH

Rick

New Member

Re: 1841 isr Router SDM problem

Hi

The config of the router is given below

--------------------------------------------------

sh run

Building configuration...

Current configuration : 4714 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname yourname

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret xxxx

!

no aaa new-model

!

resource policy

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

ip cef

!

!

no ip dhcp use vrf connected

!

!

no ip ips deny-action ips-interface

ip domain name yourdomain.com

ip name-server 203.x.x.30

ip name-server 202.x.x.50

vpdn enable

vpdn ip udp ignore checksum

!

vpdn-group WindowsVpn

! Default PPTP VPDN group

accept-dialin

protocol pptp

virtual-template 1

!

vpdn-group vpnWindows

!

!

no ftp-server write-enable

!

!

crypto pki trustpoint TP-self-signed-2572555141

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2572555141

revocation-check none

rsakeypair TP-self-signed-2572555141

!

!

crypto pki certificate chain TP-self-signed-2572555141

certificate self-signed 01

17806F5D 3656E40B A59F3BC9 4824819F 139F4DF6 757390A6

username cisco privilege 15 password xxx

!

crypto keyring WindowsVpn

pre-shared-key address 0.0.0.0 0.0.0.0 key cisco

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

lifetime 3600

crypto isakmp keepalive 3600

no crypto isakmp ccm

crypto ipsec security-association lifetime seconds 600

!

crypto ipsec transform-set divita esp-3des esp-sha-hmac

!

crypto dynamic-map DYN_MAP 10

set transform-set divita

!

!

crypto map CRYP_MAP 6000 ipsec-isakmp dynamic DYN_MAP

!

!

!

interface Loopback0

no ip address

!

interface FastEthernet0/0

description LINT TO INTERNET

ip address 61.17.x.x.x.255.0

ip nat outside

ip virtual-reassembly

shutdown

duplex auto

interface FastEthernet0/1

description LINK TO LAN

ip address 10.129.149.80 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface Virtual-Template1

ip unnumbered Loopback0

peer default ip address pool POOL

ppp mtu adaptive

ppp authentication chap ms-chap

!

ip local pool POOL 172.16.1.2 172.16.1.254

ip classless

ip route 0.0.0.0 0.0.0.0 61.17.249.1

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 5 life 86400 requests 10000

ip nat inside source list 1 interface FastEthernet0/0 overload

!

access-list 1 permit any

!

!

control-plane

!

banner login ^C

!

line con 0

login local

line aux 0

line vty 0 4

password cisco

login

transport input telnet

line vty 5 15

privilege level 15

login local

transport input none

!

warm-reboot

end

Whenever I remove the NATing I am able to telnet from outside and able to connect through PPTP. But when I put NATing I can't telnet and can't connect through PPTP.

Hall of Fame Super Silver

Re: 1841 isr Router SDM problem

The original post indicated that the problem was that if you put an access list on an interface it blocked your telnet. This post indicates that the problem is that if you enable NAT it blocks telnet. Those are significantly different symptoms.

I see that FastEthernet0/0 is shutdown. Do you have the same symptoms when it is no shut? Since that interface is the address to which you NAT I can believe that it might be a problem if it was shutdown?

I am not sure that it is related, but I notice something else that seems not right. The virtual template interface uses ip unnumbered:

interface Virtual-Template1

ip unnumbered Loopback0

but the loopback 0 interface has no IP address.

HTH

Rick
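The two cross-reference checks raised in the reply above (a NAT overload interface that is shutdown, and `ip unnumbered` pointing at an interface with no address), written as an added example that is not part of the original thread. The sample config is constructed from the lines posted above, and the function names are hypothetical.

```python
import re

# Constructed sample: only the relevant lines of the configuration posted in this thread.
SAMPLE_CONFIG = """\
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 ip nat outside
 shutdown
!
interface FastEthernet0/1
 ip address 10.129.149.80 255.255.255.0
 ip nat inside
!
interface Virtual-Template1
 ip unnumbered Loopback0
!
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit any
"""

def parse_interfaces(config):
    """Map interface name -> its sub-commands; a section ends at '!' or the next interface."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue  # tolerate double-spaced pastes like the one in this thread
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line == "!":
            current = None
        elif current is not None:
            current.append(line)
    return interfaces

def audit(config):
    """Return findings for the two cross-references questioned in the reply."""
    ifs, findings = parse_interfaces(config), []
    for m in re.finditer(r"^\s*ip nat inside source list \S+ interface (\S+)", config, re.M):
        if "shutdown" in ifs.get(m.group(1), []):
            findings.append(f"NAT overload uses {m.group(1)}, which is shutdown")
    for name, cmds in ifs.items():
        for cmd in cmds:
            m = re.match(r"ip unnumbered (\S+)$", cmd)
            if m and not any(re.match(r"ip address \d", c) for c in ifs.get(m.group(1), [])):
                findings.append(f"{name} is unnumbered to {m.group(1)}, which has no IP address")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```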

New Member

Re: 1841 isr Router SDM problem

Hi dippu

As per your configuration there is only one mistake found, and that's with your standard access-list; just modify that. Now the current ACL is like this: access-list 1 permit ip any. Just remove this and add it like this: access-list 1 permit 192.168.1.0 0.0.0.255

Thank you

rsreddy

New Member

Re: 1841 isr Router SDM problem

Thank you sir
