604 Views, 0 Helpful, 4 Replies

can not connect to Cisco 2621 router

cisco24x7
Level 6

My cisco 2621 is running IOS version 12.3(24) with firewall feature set. The router has 64Mb RAM and 16Mb flash.

I have a simple network where F0/0 is connected to my cable modem network and F0/1 is my LAN network. I only have a single Windows XP machine on the LAN side. Under normal conditions, I can telnet and ssh into the router without any issues. By the way, there is NO ACL blocking access on the router whatsoever.

access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface f0/0 overload

interface f0/0
 ip address dhcp
 ip nat outside

interface f0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

Whenever I start the bit-torrent application, I can NO longer telnet into the router. Even when I stop the bit-torrent on my Windows XP machine, I still can not telnet into the router. The only way to telnet to the router is to physically reboot the router. After that, I can telnet to the router. As soon as I enable the bit-torrent application, I lose telnet access to the router.

If I replace the router with a cheap $30 vyatta router running on a PC, I have no such issue.

Anyone know why Cisco 2621 can not handle bit-torrent application? Thanks.

4 Replies

Richard Burts
Hall of Fame

David

I do not believe that the issue is bit-torrent. I believe that it is your address translation. I have seen issues where telnet to the router does not work when there is address translation that uses an extended access list with permit any. I suggest that you rewrite your address translation to use a standard access list. Perhaps something like this:

access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface f0/0 overload

Give that a try and let me know if the behavior changes.

HTH

Rick

Rick,

My ACL is correct. My Windows XP machine is 192.168.1.10/24 and the router is 192.168.1.1/24. If the traffic does not have to traverse the interface, NAT does not apply. Furthermore, when bit-torrent is not running, from my Windows XP machine I can ssh to 129.174.1.13, which is an IP address on the Internet. At the same time, I can telnet/ssh into the router from the XP machine via address 192.168.1.1.

Not sure how you came to the conclusion that it is an address translation issue.

David

David

I came to the conclusion that it might be a translation issue because I have seen similar symptoms before that did turn out to be translation issues.

Why is it better to use an extended access list such as:

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

instead of using a standard access list with the same source address:

access-list 1 permit 192.168.1.0 0.0.0.255

HTH

Rick

Rick,

I tested that same scenario on a Cisco 3845 router and I am not seeing any issues with the same configuration when I enable bit-torrent. As soon as I put the 2621 back in place, I have issues.

The reason I use extended ACL is because on the Cisco 2621, I will be terminating VPN on this router in the future as well, for something like this:

access-list 100 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

That way, traffic between 192.168.1.0/24 and 10.0.0.0/24 will be exempted from address translation.

From my experience as a security engineer, it is almost always recommended to use extended ACL instead of standard ACL because with extended ACL, you can control both the source and destination.
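A small Python model of how IOS evaluates a NAT access list (first match wins, implicit deny at the end), added here as an example and not part of anyone's post above. It assumes only the `ip` protocol keyword and contiguous wildcard masks, and shows why the extended list can exempt the 10.0.0.0/24 VPN traffic from translation while the standard list cannot.

```python
import ipaddress

# Constructed sample reproducing the two NAT ACL styles discussed in the thread:
# ACL 100 (extended, with the VPN exemption) and ACL 1 (standard, source only).
NAT_ACLS = """
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 1 permit 192.168.1.0 0.0.0.255
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _consume_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD | A) and return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) == 1 or tokens[1] == "0.0.0.0":  # bare host address or all-zero wildcard
        return ipaddress.ip_network(tokens[0] + "/32"), tokens[2:]
    # ipaddress reads a mask whose first octet is 0 as a hostmask, i.e. an IOS wildcard
    # (assumption: the wildcard is contiguous, which NAT ACLs in practice are).
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action, rest = int(t[1]), t[2], t[3:]
        if rest[0] == "ip":                    # extended entry: source, then destination
            src, rest = _consume_addr(rest[1:])
            dst, _ = _consume_addr(rest)
        else:                                  # standard entry: source only, any destination
            src, _ = _consume_addr(rest)
            dst = ANY
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def nat_decision(entries, src_ip, dst_ip):
    """First-match evaluation: 'translate' (permit), 'exempt' (explicit deny) or 'no-match' (implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return "translate" if action == "permit" else "exempt"
    return "no-match"


if __name__ == "__main__":
    acls = parse_acl(NAT_ACLS)
    for number in (100, 1):
        for dst in ("10.0.0.5", "129.174.1.13"):
            print(f"ACL {number}: 192.168.1.10 -> {dst}: {nat_decision(acls[number], '192.168.1.10', dst)}")
```

With ACL 100 the VPN flow to 10.0.0.5 is exempt and the Internet flow is translated; with ACL 1 both are translated, because a standard list cannot look at the destination.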