Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Telnet stops working when Crypto comes up

I have a weird situation on some of the 857's on my VPN. When they start up I can telnet into their Dialer0 interfaces and login as per normal. However, once their crypto sessions are established telnet stops working on some of them (all my routers have same IOS. DSL firmware and have similar configs). I checked the traceroutes and what happens is that the last hop stops working, the last hop to the dialer interface. If I remove the crypto then telnet starts working immediately.

Any ideas ?

My Dialer0 interface:

interface Dialer0

ip ddns update hostname <my hostname>

ip ddns update SMS_DynDNS

ip address negotiated

ip access-group 101 out

ip mtu 1492

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer idle-timeout 0

dialer persistent

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname <my hostname>

ppp chap password 0 <my password>

ppp pap sent-username <my hostname> password 0 <my password>

ppp ipcp dns request accept

Access-list 102:

access-list 102 remark DSL IN

access-list 102 remark CCP_ACL Category=1

access-list 102 permit esp any any

access-list 102 permit gre any any

access-list 102 permit udp any any eq isakmp

access-list 102 permit udp any any eq non500-isakmp

access-list 102 permit udp any any eq 10000

access-list 102 permit tcp any any eq 10000

access-list 102 permit icmp host 196.25.1.1 any

access-list 102 permit udp any eq domain any

access-list 102 permit tcp any eq domain any

access-list 102 permit tcp any eq www any established

access-list 102 permit tcp any any eq www

access-list 102 permit tcp any eq ftp-data any

access-list 102 permit tcp any eq ftp any

access-list 102 permit tcp any eq 69 any

access-list 102 permit udp any eq tftp any

access-list 102 permit tcp any eq 443 any

access-list 102 permit tcp any eq telnet any

access-list 102 permit tcp any any eq telnet

access-list 102 permit udp any eq ntp any eq ntp

access-list 102 permit tcp any range 11000 11025 any

access-list 102 permit tcp any any eq 8000

access-list 102 deny   ip any any log

Crypto:

crypto ipsec client ezvpn SMS_VPN

connect auto

group <group details>

mode network-extension

peer <peer details>

acl 100

virtual-interface 1

username <login details>

xauth userid mode local

Thanks !

Everyone's tags (3)
12 REPLIES
Hall of Fame Super Silver

Telnet stops working when Crypto comes up

Your vpn uses acl 100. Can you post the configuration of acl 100?

HTH

Rick

New Member

Telnet stops working when Crypto comes up

The 40. IP is used for the Lan side range. The 50. IP is a local loopback on the router.

access-list 100 remark CCP_ACL Category=16

access-list 100 permit ip 40.13.8.0 0.0.0.127 192.168.0.0 0.0.255.255

access-list 100 permit ip host 50.13.8.1 192.168.0.0 0.0.255.255

Hall of Fame Super Silver

Telnet stops working when Crypto comes up

I wonder if the problem is perhaps associated with operating in network extension mode when the crypto comes up. Is there any indication of the telnet on the upstream VPN peer?

HTH

Rick

New Member

Telnet stops working when Crypto comes up

Rick, I am not entirely sure what you want me to check ...

New Member

Telnet stops working when Crypto comes up

I also have a few port forwards setup on my routers to forward some web traffic to some of the devices on the lan side of the router. I now realized that when the Telnet stops working to the routers, those port forwards also sort of stop working.

On the router(s) I do a "show ip nat translations" and I can see the port translations, but the web pages do not display anymore and times out. It looks to me like all the traffic is now begin encoded as VPN traffic and can not be interpreted by the telnet/web clients.

I am stumped here, any further ideas ?

Hall of Fame Super Silver

Telnet stops working when Crypto comes up

Perhaps it might help if you add a line at the very beginning of access list 100 that denies telnet traffic (before the other traffic is permitted). Give that a try, and if it helps then perhaps something similar might help the web traffic.

HTH

Rick

New Member

Telnet stops working when Crypto comes up

Thanks Richard, it made no difference unfortunately. I added

access-list 100 deny tcp any eq 23 any

access-list 100 deny tcp any any eq 23

As well as different versions with the 40. and 50. IP address ranges.

Hall of Fame Super Silver

Telnet stops working when Crypto comes up

I am not coming up with any good explanation based on what I am seeing. Perhaps a fresh copy of the config might give me a better idea.

HTH

Rick

New Member

Re: Telnet stops working when Crypto comes up

Attached is the template used for all my configs. The values are replaced with a script. And [sensitive info] has been removed.

New Member

Re: Telnet stops working when Crypto comes up

I made some progress, sort of ...

I added a nat entry to force telnet from Dialer0 to the Loopback0 interface:

  ip nat inside source static tcp 50.x.x.1 23 interface Dialer0 23

and now telnet is working fine. When I find a router in the telnet-not-working-state and I add the entry, the telnet over the public interface starts working immediately.

I have no idea why this would resolve the problem for telnet. I guess the difference is that the traffice is begin forwarded from outside to inside, instead of being routed from outside to inside which encrypts it ?

Anyway, that has not solved the web port forward to the lan devices connected to the router. They still do not work while the crypto is up ( ip nat inside source static tcp 40.x.x.2 80 interface Dialer0 11025 ).

I tried NATting the traffic from Dialer0->Loopback0->LanDevice : did not work.

I tried NATting the traffic from Dialer0->Loopback0->NewLoopback1(ip nat outside)->LanDevice : did not work.


Hall of Fame Super Silver

Telnet stops working when Crypto comes up

Thanks for updating us and letting us know that you have found a work around that makes it work. I am not clear why this gets it to work. I still suspect that it has something to do with network extension mode and something that the Easy VPN peer is doing or is specifying. But the important thing is that now you can get it to work.

HTH

Rick

New Member

Re: Telnet stops working when Crypto comes up

I am still struggling with the web port forwarding, but am now completely out of ideas.

Any other ideas pop to mind guys ?

621
Views
0
Helpful
12
Replies
CreatePlease login to create content