1841 router connectivity problem

nicholash101
Level 1

I have an 1841 ISR at a remote location that I cannot manage remotely even though I've permitted telnet to the Internet-facing interface from my corporate site.

I can successfully ping the router from the corporate site but every time I try to telnet to it, the session times out.

At corporate I am behind a PIX 515E ver 6.3(4). The router, if memory serves, is running IOS 12.0 and has NAT enabled.

Remote connectivity works great until I enable the NAT on the router.

Thank you.

Accepted Solutions

ip nat inside source static tcp 10.10.100.1 23 interface FastEthernet0/0 23

interface Loopback0
 ip address 10.10.100.1 255.255.255.255
 ip nat inside

This is exactly how you would map things to an inside machine. You could use the IP of the inside Ethernet port, but I use a loopback because if you are trying to fix a broken router the Ethernet port might be down and then the NAT would not work.

Now it used to work without this and this is a kinda nonstandard thing to do. I just did this on 15 1841s using port 22 (SSH).

Although it's unlikely, remove access list 100 and verify that it still does not work.
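
The mapping from the accepted solution, adapted to the port 22 variant the answer mentions and with VTY access limited to one source address. This is an added example, not a configuration posted by anyone in the thread. It assumes FastEthernet0/0 is the NAT outside interface and that SSH is already enabled on the router; 192.0.2.10 is a placeholder for the corporate site's public address and MGMT-SRC is a hypothetical ACL name.

```cisco
! Added example, not from the thread.
! 192.0.2.10 = placeholder for the corporate site's public address.
! MGMT-SRC   = hypothetical ACL name.
!
interface Loopback0
 ip address 10.10.100.1 255.255.255.255
 ip nat inside
!
! Forward SSH (TCP 22) rather than telnet (TCP 23) from the
! outside interface address to the router's own loopback.
ip nat inside source static tcp 10.10.100.1 22 interface FastEthernet0/0 22
!
! Only the corporate address may open a VTY session; log everything else.
ip access-list standard MGMT-SRC
 permit 192.0.2.10
 deny   any log
!
line vty 0 4
 access-class MGMT-SRC in
 transport input ssh
 login local
```

The static mapping rewrites only the destination, so the VTY access class still sees the original source address. If an inbound ACL on the outside interface filters TCP 22, it needs a matching permit for the same source.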


6 Replies

tdrais
Level 7

I assume you are running PAT (i.e., you only have a single address).

With an 1841 you more than likely have 12.4 or at least 12.3T.

First, be sure you have not mapped port 23 to an inside device statically.

I think something has changed since they came out with the NVI stuff. The router always used to ignore NAT on ports it listens on; now something is different.

Try to put a static mapping in for port 23 to the loopback address of the router. You will need to set the loopback address as an inside NAT interface.

Since you have communication, you can turn NAT debugging on and set the logging option to send this to a server at your location. Be careful: if you have a lot of traffic on this connection, you may overload your link.

I'm a newbie with the IOS. I can get a router up and running, but that's about the extent of my knowledge. I work with PIXs more than routers.

The IOS is 12.3(8)T6.

From the router or a host on the inside network of the router, I can telnet into my workstation at the corporate site no problem.

However, any attempt to remotely manage the router from the corporate site fails, whether it be https or telnet (both of which are allowed out).

Can you clarify with some commands what you mean?

I've attached a sanitized copy of the config.

Thanks.

Hi,

After going through the Config, I do see that the Internet Router is having an ACL (ACL # 100) on its WAN Side to filter the traffic coming in.

In that ACL one of the statements is:

access-list 100 deny tcp any host AAA.BBB.CCC.DDD eq telnet

Which is prohibiting anyone accessing the Router from Internet via Telnet.

Please make it permissive and I hope it should work without any issues.

Please rate if it helps.

Regards,

Wilson Samuel

Ohh I see, you wanted to connect from inside and not from the Outside of the Network.

Thanks anyways for the solutions.

Regards,

Wilson Samuel

Tim,

Have you found any information about the NAT behaviour? I am having a similar problem where I am unable to remotely manage a router via the internet. From the post I am assuming that once you put "ip nat outside" on an interface, the router stops listening for certain protocols. So you have to use static NAT to the router's inside addresses to make it work.
