CiscoLearner

join:2010-09-27
Broomfield, CO

Need Help On Allowing Telnet Access to an Interface

Hello all,

Thanks in advance to those who will help me in this topic.

I have a Cisco 1811W. I connect interface FastEthernet0 to my internet-connected LAN with the "ip address dhcp" config, and it dynamically pulls an IP address (for example 172.16.1.25) from the DHCP server of my LAN, and I am able to telnet to that IP address (172.16.1.25). But I need to configure that interface (Fa0) so that the LAN clients behind it have access to the internet, and as soon as I write this statement:

"ip nat inside source list 100 interface fa0 overload"

and hit enter, it immediately disconnects the telnet connection. The access-list 100 is very simple:

access-list 100 permit ip any any
access-list 100 permit tcp any any

Here is the router config:

R1AP#show run
Building configuration...

Current configuration : 6699 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1AP
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$4Liq$J88hrpGbINE9jAzxeOEXs1
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1049689497
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1049689497
revocation-check none
rsakeypair TP-self-signed-1049689497
!

!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.10
ip dhcp excluded-address 10.10.1.1 10.10.1.10
ip dhcp excluded-address 10.10.2.1 10.10.2.10
ip dhcp excluded-address 10.10.3.1 10.10.3.10
ip dhcp excluded-address 10.10.4.1 10.10.4.10
!
ip dhcp pool HOME_VLAN
import all
network 10.10.0.0 255.255.255.0
default-router 10.10.0.1
dns-server 4.2.2.2
!
!
ip domain name Access-Server
!
!
!
username techguy privilege 15 secret 5 $1$c37E$itS/Cy2g92tXFxyd0RlT/.
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
description WAN$FW_OUTSIDE$
ip address dhcp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
description something
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet3
description something
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet4
description something
switchport access vlan 10
!
interface FastEthernet5
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet6
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet7
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet8
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet9
description IP_PHONE
switchport access vlan 10
spanning-tree portfast
!
interface Dot11Radio0
no ip address
shutdown
!
encryption key 1 size 40bit 0 0360061967 transmit-key
encryption mode wep mandatory
!
ssid NEED-WIRELESS
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
world-mode dot11d country US both
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
!
encryption key 1 size 40bit 0 0360061967 transmit-key
encryption mode wep mandatory
!
ssid NEED-WIRELESS
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
!
interface Vlan10
description $FW_INSIDE$
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!

interface Async1
no ip address
encapsulation slip
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 100 permit ip any any
access-list 100 permit tcp any any
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
password 12345678
login local
!

!
webvpn cef
end

Can someone help me configure the interface Fa0 to allow telnet from outside? Thanks again.
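The posted running-config contains several settings a reviewer would flag before exposing Fa0 to the internet: clear-text line passwords, telnet accepted on the VTY lines with no access-class, plaintext HTTP management, a NAT ACL that matches every source, and WEP on the radios. The following Python audit is an added example (not code from the thread or from Cisco) that parses a constructed, abridged excerpt of that config and lists those findings next to a hardened excerpt that passes. The one-space child indentation of real `show run` output, which the forum extraction lost, is restored in the excerpts; the admin host 192.0.2.10 in the hardened excerpt is assumed.

```python
"""Audit an IOS running-config excerpt for the weaknesses visible in the
thread.  Added example, not code from the thread or from Cisco.  Both
config strings are constructed excerpts; 192.0.2.10 is an assumed admin host."""
import re

WEAK_CONFIG = """\
version 12.4
no service password-encryption
hostname R1AP
interface Dot11Radio0
 encryption mode wep mandatory
interface FastEthernet0
 ip address dhcp
 ip nat outside
ip http server
ip nat inside source list 100 interface FastEthernet0 overload
access-list 100 permit ip any any
access-list 100 permit tcp any any
line vty 0 4
 password 12345678
 login local
end
"""

HARDENED_CONFIG = """\
version 12.4
service password-encryption
hostname R1AP
interface Dot11Radio0
 encryption mode ciphers aes-ccm
interface FastEthernet0
 ip address dhcp
 ip nat outside
ip http secure-server
ip nat inside source list 100 interface FastEthernet0 overload
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
ip access-list extended LINE_VTY
 permit tcp host 192.0.2.10 any eq 22
line vty 0 4
 access-class LINE_VTY in
 transport input ssh
 login local
end
"""


def parse_sections(text):
    """Split an IOS config into (top-level line, [indented child lines]) pairs.
    Lines that are blank or just '!' are separators and are skipped."""
    sections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit(text):
    """Return a list of human-readable findings; an empty list means clean."""
    sections = parse_sections(text)
    top = [header for header, _ in sections]
    findings = []
    if "no service password-encryption" in top:
        findings.append("global: line passwords stored in clear text "
                        "(no service password-encryption)")
    if "ip http server" in top:
        findings.append("global: plaintext HTTP management enabled (ip http server)")
    # The NAT ACL should name the inside networks, never 'any any'.
    for header in top:
        m = re.match(r"ip nat inside source list (\S+) interface", header)
        if not m:
            continue
        prefix = f"access-list {m.group(1)} permit "
        for entry in top:
            if entry.startswith(prefix) and entry.endswith(" any any"):
                findings.append(f"nat-acl: '{entry}' matches every source; "
                                "list only inside networks")
    for header, children in sections:
        if header.startswith("line vty"):
            if not any(c.startswith("access-class ") for c in children):
                findings.append(f"{header}: no access-class limiting management sources")
            if "transport input ssh" not in children:
                findings.append(f"{header}: telnet still accepted (no 'transport input ssh')")
        elif header.startswith("interface Dot11Radio") and any("wep" in c for c in children):
            findings.append(f"{header}: WEP encryption configured")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

The checks are deliberately string-level: IOS configs are line-oriented, and a simple header/child split is enough to distinguish a VTY line block from the rest. The hardened excerpt reflects what the thread ends up with (a NAT ACL limited to 10.10.0.0, an access-class on the VTY lines) plus SSH-only transport and an AES cipher on the radio.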

aryoba
Premium,MVM
join:2002-08-22
kudos:1

said by CiscoLearner:

I have a Cisco 1811W. I connect interface FastEthernet0 to my internet-connected LAN with the "ip address dhcp" config, and it dynamically pulls an IP address (for example 172.16.1.25) from the DHCP server of my LAN, and I am able to telnet to that IP address (172.16.1.25). But I need to configure that interface (Fa0) so that the LAN clients behind it have access to the internet, and as soon as I write this statement:

"ip nat inside source list 100 interface fa0 overload"

and hit enter, it immediately disconnects the telnet connection.
Can someone help me configure the interface Fa0 to allow telnet from outside? Thanks again.

First of all, I don't see anything in your router configuration that blocks telnet connectivity from anywhere. Therefore telnet should work, assuming you hit the right IP address. The disconnection should be normal behavior, since the router had to reset the NAT table.

CiscoLearner

join:2010-09-27
Broomfield, CO

Thanks aryoba,

After the disconnection I have no telnet access to that interface. I have now connected it directly to my WAN behind the Comcast modem. I will post the WAN IP here; if you can, try it and guide me through this problem. I hope to learn something new every day.

R1AP#show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0 67.177.226.229 YES DHCP up up

Thanks.


HELLFIRE

join:2009-11-25
kudos:4

reply to CiscoLearner

said by CiscoLearner:

"ip nat inside source list 100 interface fa0 overload"

and hit enter, it immediately disconnects the telnet connection. The access-list 100 is very simple:

access-list 100 permit ip any any
access-list 100 permit tcp any any

You're mixing up your ACLs here. ACL 100 should be used to tell the router what
INTERNAL IP addresses you want to change into a public IP address, likely
10.10.0.0 0.0.255.255.

AFTER you get your NAT to work, THEN you can write the inbound ACL to permit
telnet in... though from a security standpoint, you probably want to use SSH version 2.

Config should be (for telnet anyways)

ip access-list ext MY_INBOUND_ACL
permit any any eq 23 (for telnet)
int fa0
ip access-group MY_INBOUND_ACL in
 

There may be a few additional configs to do, but start with this and see if it works.

Regards

CiscoLearner

join:2010-09-27
Broomfield, CO

Thanks HELLFIRE,

I did as you said to apply MY_INBOUND_ACL to int fa0:

R1AP(config)#ip access-list ext MY_INBOUND_ACL
R1AP(config-ext-nacl)#permit any any eq 23
^
% Invalid input detected at '^' marker.

R1AP(config-ext-nacl)#permit tcp any any eq 23
R1AP(config-ext-nacl)#exit
R1AP(config)#int fa0
R1AP(config-if)#ip access-group MY_INBOUND_ACL in
R1AP(config-if)#^Z
R1AP#wr

Then I lost internet connection:

R1AP#show run int fa0
Building configuration...

Current configuration : 232 bytes
!
interface FastEthernet0
description WAN-TO-COMCAST
ip address dhcp
ip access-group MY_INBOUND_ACL in
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
end

R1AP#ping 4.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

I negated that inbound ACL from interface fa0, and then I had internet back. Thanks for your help HELLFIRE.


HELLFIRE

join:2009-11-25
kudos:4

reply to CiscoLearner
You'd better read over the FAQ CiscoLearner, cuz it sounds like you're trying to do an
internet edge router config, but because you're missing the reflexive ACL / inspection
part, it's breaking the minute you put in the inbound telnet ACL.

By the way, did you fix your ACL 100 to 'permit 10.10.0.0 0.0.255.255'? This is your
NAT ACL so should only be permitting based on IP ADDRESS, not tcp/ip traffic.

Regards


ladino

join:2001-02-24
USA

reply to CiscoLearner
I would suggest not allowing access from your WAN until you have become familiar with securing your router. The access list currently in place will deny DHCP, DNS & return internet traffic, which you may currently be experiencing.

I would suggest:
- Add ip inspection & appropriate ACL
- Secure your router so it is only accessible from the LAN side
- Log in to the router using SSH & not telnet, as mentioned by Hellfire
- When plugging your router into the internet, one of the very first things you will definitely need to brush up on is security... go through the forum FAQ first
»Cisco Forum FAQ


CiscoLearner

join:2010-09-27
Broomfield, CO

Thanks HELLFIRE & ladino. I will take some time to read the Cisco Forum FAQ. What HELLFIRE said is probably it, but I am so scared to edit ACL 100. I will try it after I have read through the FAQ. Thanks again, both of you.


HELLFIRE

join:2009-11-25
kudos:4

reply to CiscoLearner

config t
no ip access-list 100
reload in <time>
 

Of course, make sure you back up your configs before making this change.

Regards

cramer

join:2007-04-10
Raleigh, NC
kudos:5
Reviews:
·AT&T Southeast

reply to CiscoLearner
Once NAT overloading is set up, all traffic to the interface is run through NAT. So to connect to the outside (ip nat outside) interface, you'd have to create a static NAT entry:
ip nat inside source static tcp 192.168.1.1 23 24.x.x.x 23 (for telnet)

Where 192.168.1.1 is the inside (ip nat inside) address and 24.x.x.x is your outside address. ACLs will still apply, but NAT adds one more complication.

Note: This depends on IOS version. Older (I mean *really* old) versions didn't behave this way.


CiscoLearner

join:2010-09-27
Broomfield, CO

Thanks all for your help!

I finally got it working. All I did was follow HELLFIRE's instructions to edit ACL 100 to "permit ip 10.10.0.0 0.0.255.255 any" instead of the "permit ip any any" line. But I still could not telnet (or ssh) to the outside interface. I did some searching and amazingly found tons of people having the same problem as mine. Then I found a post that said to create an ACL to permit a source IP to access the outside interface through ssh (or telnet). Basically it is like this:

ip access-list ext LINE_VTY
permit tcp 'source ip' any eq 22

Then apply this ACL to the VTY line:

access-class LINE_VTY in

It works like a charm. It's nice that I have complete control over which source IPs I want to have ssh and telnet connections to that outside interface.

I hope this thread will help someone who has the same problem as I did.

ladino,

Thank you for the link to "Cisco Forum FAQ" that has helped me a bunch. Thanks all again.

Regards
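Three different ACL roles come up in this thread: HELLFIRE's point that ACL 100 is a NAT ACL and should name the inside addresses rather than "any any", ladino's point that an interface ACL permitting only inbound telnet drops the return traffic (which is why the ping to 4.2.2.2 failed), and the final access-class on the VTY lines that limits management to one source IP. The Python model below is an added example, not code from the thread or from Cisco, that evaluates packets against each of those ACLs using IOS wildcard-mask semantics, first-match ordering and the implicit deny. The packets, the admin host 192.0.2.10 and the outside address 203.0.113.7 are constructed.

```python
"""Model of IOS extended-ACL evaluation: wildcard masks, first match wins,
implicit deny at the end.  Added example, not from the thread or from Cisco.
Hosts 192.0.2.10 (admin) and 203.0.113.7 (router outside address) are
constructed documentation addresses."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the mask means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care


def _take_addr(tokens):
    """Consume one address term: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse the ACE subset used in the thread: permit|deny PROTO SRC DST [eq PORT]."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _take_addr(tokens[2:])
    dst, rest = _take_addr(rest)
    dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl, pkt):
    """Return 'permit' or 'deny'; a packet matching no entry hits the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
            continue
        return ace["action"]
    return "deny"


def packet(proto, src, dst, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


# The ACLs as they appear in the thread (LINE_VTY with a constructed admin host).
NAT_ACL_AS_POSTED = [parse_ace("permit ip any any")]
NAT_ACL_FIXED = [parse_ace("permit ip 10.10.0.0 0.0.255.255 any")]
MY_INBOUND_ACL = [parse_ace("permit tcp any any eq 23")]
LINE_VTY = [parse_ace("permit tcp host 192.0.2.10 any eq 22")]

OUTSIDE = "203.0.113.7"  # constructed stand-in for the DHCP-assigned Fa0 address


def demo():
    lan_client = packet("tcp", "10.10.0.50", "198.51.100.80", 443)
    echo_reply = packet("icmp", "4.2.2.2", OUTSIDE)  # reply to 'ping 4.2.2.2'
    admin_ssh = packet("tcp", "192.0.2.10", OUTSIDE, 22)
    admin_telnet = packet("tcp", "192.0.2.10", OUTSIDE, 23)
    stranger_ssh = packet("tcp", "198.51.100.9", OUTSIDE, 22)
    stranger_telnet = packet("tcp", "198.51.100.9", OUTSIDE, 23)
    return {
        # NAT ACL: 'any any' classifies traffic from any source as NAT-eligible
        "nat_posted_matches_outside_reply": evaluate(NAT_ACL_AS_POSTED, echo_reply),
        "nat_fixed_matches_outside_reply": evaluate(NAT_ACL_FIXED, echo_reply),
        "nat_fixed_matches_lan_client": evaluate(NAT_ACL_FIXED, lan_client),
        # Interface ACL with only 'permit tcp any any eq 23': return traffic is dropped
        "inbound_acl_echo_reply": evaluate(MY_INBOUND_ACL, echo_reply),
        "inbound_acl_telnet_from_anyone": evaluate(MY_INBOUND_ACL, stranger_telnet),
        # VTY access-class: only the admin host, only SSH
        "vty_admin_ssh": evaluate(LINE_VTY, admin_ssh),
        "vty_admin_telnet": evaluate(LINE_VTY, admin_telnet),
        "vty_stranger_ssh": evaluate(LINE_VTY, stranger_ssh),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The parser covers only the ACE syntax that appears on this page (protocol, `any`/`host`/wildcard addresses, an optional `eq` destination port), which is enough to show why the posted inbound ACL broke connectivity while the VTY access-class did not: an access-class is consulted only for connections to the router's own lines, so it never touches transit or return traffic.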


HELLFIRE

join:2009-11-25
kudos:4

reply to CiscoLearner
Glad to help CiscoLearner! Enjoy playing more with your new toy.

Regards


Friday, 01-Jun 22:11:56 · © 1999-2012 dslreports.com.