04-30-2009 04:49 PM - edited 03-04-2019 04:36 AM
My cisco 2621 is running IOS version 12.3(24) with firewall feature set. The router has 64Mb RAM and 16Mb flash.
I have a simple network with F0/0 connected to my cable modem network and F0/1 as my LAN network. I only have a single Windows XP machine on the LAN side. Under normal conditions, I can telnet and ssh into the router without any issues. By the way, there is NO ACL blocking access on the router whatsoever.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface f0/0 overload
interface f0/0
ip address dhcp
ip nat outside
interface f0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
Whenever I start the bit-torrent application, I can NO longer telnet into the router. Even when I stop the bit-torrent on my Windows XP machine, I still can not telnet into the router. The only way to telnet to the router is to physically reboot the router. After that, I can telnet to the router. As soon as I enable the bit-torrent application, I lose telnet access to the router.
If I replace the router with a cheap $30 vyatta router running on a PC, I have no such issue.
Anyone know why Cisco 2621 can not handle bit-torrent application? Thanks.
04-30-2009 06:19 PM
David
I do not believe that the issue is bit-torrent. I believe that it is your address translation. I have seen issues where telnet to the router does not work when there is address translation that uses an extended access list with permit any. I suggest that you rewrite your address translation to use a standard access list. Perhaps something like this:
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface f0/0 overload
Give that a try and let me know if the behavior changes.
HTH
Rick
05-01-2009 04:50 AM
Rick,
My ACL is correct. My Windows XP is 192.168.1.10/24 and the router is 192.168.1.1/24. If the traffic does not have to traverse the interface, NAT does not apply. Furthermore, when bit-torrent is not running, from my Windows XP machine, I can ssh to 129.174.1.13, which is an IP address on the Internet. At the same time, I can telnet/ssh into the router from the XP machine via address 192.168.1.1.
Not sure how you came to the conclusion that it is an address translation issue.
David
05-01-2009 06:59 AM
David
I came to the conclusion that it might be a translation issue because I have seen similar symptoms before that did turn out to be translation issues.
Why is it better to use an extended access list such as:
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
instead of using a standard access list with the same source address:
access-list 1 permit 192.168.1.0 0.0.0.255
HTH
Rick
05-01-2009 07:13 AM
Rick,
I tested that same scenario on a Cisco 3845 router and I am not seeing any issues with the same configuration when I enable bit-torrent. As soon as I put the 2621 back in place, I have issues.
The reason I use extended ACL is because on the Cisco 2621, I will be terminating VPN on this router in the future as well, for something like this:
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
That way, traffic between 192.168.1.0/24 and 10.0.0.0/24 will be exempted from address translation.
From my experience as a security engineer, it is almost always recommended to use extended ACL instead of standard ACL because with extended ACL, you can control both the source and destination.
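As an added illustration of the two points argued in this thread (example code, not from the thread or from Cisco): a small evaluator for numbered standard and extended IOS access lists using wildcard-mask semantics, and a simplified model of when "ip nat inside source list" actually translates a packet. It assumes 192.168.1.0/24 is the "ip nat inside" subnet on f0/1 and that a packet destined for the router itself or another LAN host never crosses from the inside to the outside interface.

```python
import ipaddress
# Constructed sample: the thread's extended NAT list plus the planned VPN exemption.
ACL_100 = ["access-list 100 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255",
           "access-list 100 permit ip 192.168.1.0 0.0.0.255 any"]
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed 'ip nat inside' subnet on f0/1

def _parse_addr(tokens):
    """Consume one address spec (any | host X | X WILDCARD | X) from the token list."""
    if tokens[0] == "any":
        return ("any",), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:   # explicit wildcard mask
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]           # bare address = single host

def _match(addr, spec):
    """Cisco wildcard-mask match: a set bit in the wildcard means 'don't care'."""
    if spec == ("any",):
        return True
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wild & 0xFFFFFFFF
    return addr & care == net & care

def parse_acl(lines):
    """Parse numbered standard (1-99) or extended (100-199) 'access-list' lines."""
    rules = []
    for line in lines:
        t = line.split()
        number, action, rest = int(t[1]), t[2], t[3:]
        if number >= 100:                        # extended: protocol, source, destination
            src, rest = _parse_addr(rest[1:])    # rest[0] is the protocol keyword ('ip')
            dst, rest = _parse_addr(rest)
        else:                                    # standard: source only, any destination
            src, rest = _parse_addr(rest)
            dst = ("any",)
        rules.append((action, src, dst))
    return rules

def acl_lookup(rules, src, dst):
    """First-match evaluation, with the implicit 'deny' at the end of every ACL."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, sspec, dspec in rules:
        if _match(s, sspec) and _match(d, dspec):
            return action
    return "deny"

def translated(rules, src, dst):
    """NAT inside-source translates only inside->outside packets the list permits; 'deny' exempts."""
    if ipaddress.IPv4Address(dst) in LAN:   # to the router itself or a LAN host: never crosses NAT
        return False
    return acl_lookup(rules, src, dst) == "permit"
```

Running `translated(parse_acl(ACL_100), "192.168.1.10", "192.168.1.1")` returns False even though the list permits that flow, which is the distinction David draws: the ACL decides which inside-to-outside traffic is translated, not whether management traffic to the router's own LAN address is.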