PaulADavis asked:

Telnet connection problem on 2500 series

I have a 2501 that's connected to my Netgear router/switch where I have my computers using a 192.168.x.x network. I have a 2503 connected to the 2501 via a serial connection using a 172.16.x.x network. The problem that I'm having is that although I can ping the 172.16.x.x interfaces, I can't telnet to them from any of my computers (works fine from the 2501 router).

I've tried adding an extended access list, using access-list 101 permit tcp 192.168.x.0 0.0.0.255 172.16.x.0 0.0.0.255 eq 23, then ip access-group 101 in, on the serial interface of the 2501.... but oddly enough when I did that I couldn't even ping.

What am I missing?

Here are the configs I have:

Current configuration : 1629 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 2501R
!
logging rate-limit console 10 except errors
enable secret 5 $1$GJxb$cR/kvM5feP9pXmSVHzUC/.
!
ip subnet-zero
no ip finger
ip name-server 192.168.x.x
!
no ip dhcp-client network-discovery
!
interface Ethernet0
 description AUI-ETH INT (10 BaseT)
 ip address 192.168.x.x 255.255.255.0
 ip access-group 1 in
 ip nat outside
 no ip route-cache
 no ip mroute-cache
!
interface Ethernet0.1
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Serial0
 ip address 172.16.x.x 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
!
interface Serial1
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
router rip
 network 172.16.0.0
 network 192.168.0.0
 network 192.168.x.0
!
router igrp 100
 variance 2
 network 172.16.0.0
 maximum-paths 5
!
ip default-gateway 192.168.x.x
ip kerberos source-interface any
ip nat inside source list 2 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.x.x
no ip http server
!
access-list 1 permit 192.168.x.0 0.0.0.255
access-list 1 permit 172.16.x.0 0.0.0.255
access-list 2 permit 172.16.x.0 0.0.0.255
!
banner login ^C This is a Private Network. Unathorized access is Punishable by Law. ^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport input none
line aux 0
 transport input all
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
 password 7 03095A13156G361F5C
 logging synchronous
 login
!
end

Current configuration:
!
version 11.1
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 2503R
!
enable secret 5 $1$b/50$KJhQYTYCLiOHEIqC19VInQ/
enable password 7 186385401193705581E
!
partition flash 2 8 8
!
!
interface Ethernet0
 ip address 192.168.x.x 255.255.255.0
 ip access-group 1 in
!
interface Ethernet0.1
 arp timeout 0
 shutdown
!
interface Serial0
 ip address 172.16.x.x 255.255.255.0
 ip access-group 1 in
 clockrate 56000
 dce-terminal-timing-enable
!
interface Serial1
 no ip address
 shutdown
!
interface BRI0
 no ip address
 shutdown
!
router rip
 network 172.16.0.0
 network 192.168.0.0
 network 192.168.x.0
!
router igrp 100
 variance 2
 network 172.16.0.0
 maximum-paths 5
!
ip default-gateway 192.168.x.x
ip name-server 192.168.x.x
ip classless
logging buffered
access-list 1 permit 192.168.x.0 0.0.0.255
access-list 1 permit 172.16.x.0 0.0.0.255
banner login ^C This is a Private Network. Unathorized Access is Punishable b
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
 password 7 082G4D561949683400
 logging synchronous
 login
!
end

Any ideas?
Don Johnston:

Since this is a private network, can you post your config with the IP addresses? Your problem may be a simple IP addressing problem but there's no way to tell without the addresses.

-Don
dgroscost:

You might need a 'transport input telnet' and 'transport output telnet' in the configuration of line vty 0 4.

Also, if you are using an access list to block telnet to the router, use the log statement at the end of each access-list statement and with console logging (or terminal monitor), after you try to telnet in, a line will display showing if the access list denied you.

Your access list would allow the 2503 to telnet through the 2501 -- and ONLY that.  Since that's not what you're trying to do, and it blocks everything else, it stops your ping....

> hostname 2501R
>
> interface Ethernet0
>  ip access-group 1 in
> ip nat outside
> !
> interface Ethernet0.1
  I don't think 25xx models support trunking, so this can't work.

> interface Serial0
> ip address 172.16.x.x 255.255.255.0
  RIP will advertise this as a Class B network, 172.16.0.0/16.  That might not be what you want/need.
> ip nat inside
  Why are you NATting here?
>
> router rip
>  network 172.16.0.0
>  network 192.168.0.0
  Does this router have such a network to share?
>  network 192.168.x.0
>!
> router igrp 100
>  variance 2
>  network 172.16.0.0
>  maximum-paths 5
  Huh?

> ip default-gateway 192.168.x.x
  How can this router be its own default gateway?
> ip nat inside source list 2 interface Ethernet0 overload
  So 172.16.0.0 addresses are not directly reachable without static nat declarations.
> ip route 0.0.0.0 0.0.0.0 192.168.x.x
  You said, already, that this was the default gateway.

> access-list 1 permit 192.168.x.0 0.0.0.255
> access-list 1 permit 172.16.x.0 0.0.0.255
  Traffic from this subnet will never be seen at that interface.
> access-list 2 permit 172.16.x.0 0.0.0.255

PaulADavis (ASKER):

ok .... let's clarify.....

  netgear----192.168.86.1 (computers are on 192.168.86.0 going out through netgear)
                                          |
                        2501---192.168.86.56 via eth0
                                          |
                        2503---172.16.52.2 via ser0 connected to 172.16.52.1 on 2501's ser0

This is my lab, NOT a production router! If something seems needless it's because I placed it there to practice. I realized after I placed the extended access list that the implicit deny at the end of the access list was why I couldn't ping; however, I still wasn't able to telnet.

I used NAT for practice (1), and (2) the Netgear built-in switch doesn't support multiple networks.... so, something from 172.16 wouldn't be able to communicate with my computers on 192.168.

Here is a peek at the routing table on the 2501:

     69.0.0.0/32 is subnetted, 1 subnets
R       69.x.x.x [120/1] via 192.168.86.1, 00:00:26, Ethernet0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.52.0 is directly connected, Serial0
C    192.168.86.0/24 is directly connected, Ethernet0
S*   0.0.0.0/0 [1/0] via 192.168.86.1

dgroscost, I've never heard of 'transport input telnet' .... could you explain some more.... sounds very interesting.

donjohnston, let me know if the addresses still aren't clear.
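Added example (not from the thread): a small evaluator for Cisco extended ACL lines that shows why the asker's access-list 101, applied "in" on the 2501's Serial0, ended up blocking ping as well as telnet. Inbound on Serial0 the router checks what enters from the 2503 side, i.e. the replies flowing 172.16.52.2 -> 192.168.86.x, and the only permit line is for traffic in the other direction, so every reply falls to the implicit deny. The packets, the PC address 192.168.86.10 and the alternative list ACL_REPLIES are constructed for the example.

```python
import ipaddress

def _wild_match(addr, base, wildcard):
    # Cisco wildcard mask: a set bit means "don't care" for that bit position.
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _endpoint(tokens):
    # Consume "<addr> <wildcard>" | "any" | "host <addr>", then an optional "eq <port>".
    tok = tokens.pop(0)
    if tok == "any":
        ep = ("0.0.0.0", "255.255.255.255")
    elif tok == "host":
        ep = (tokens.pop(0), "0.0.0.0")
    else:
        ep = (tok, tokens.pop(0))
    port = None
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        port = int(tokens.pop(0))
    return ep, port

def parse_ace(line):
    """Parse one extended-ACL line: access-list <n> permit|deny <proto> <src> <dst>."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, sport = _endpoint(rest)
    dst, dport = _endpoint(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(acl, pkt):
    """First matching entry wins; a packet matching nothing hits the implicit deny at the end."""
    for ace in map(parse_ace, acl):
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not (_wild_match(pkt["src"], *ace["src"]) and _wild_match(pkt["dst"], *ace["dst"])):
            continue
        if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
            continue
        if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
            continue
        return ace["action"]
    return "deny (implicit)"

# The ACL from the question; inbound on Serial0 it is matched against the 2503's replies, not the PCs' requests.
ACL_QUESTION = ["access-list 101 permit tcp 192.168.86.0 0.0.0.255 172.16.52.0 0.0.0.255 eq 23"]
# Constructed alternative: permit the 2503 subnet's replies toward the PCs; everything else is still implicitly denied.
ACL_REPLIES = ["access-list 101 permit ip 172.16.52.0 0.0.0.255 192.168.86.0 0.0.0.255"]
# Constructed packets as seen inbound on Serial0 (PC address 192.168.86.10 is an assumption; 1453 is the port from the thread).
PING_REPLY = {"proto": "icmp", "src": "172.16.52.2", "dst": "192.168.86.10"}
TELNET_REPLY = {"proto": "tcp", "src": "172.16.52.2", "sport": 23, "dst": "192.168.86.10", "dport": 1453}
```

The same evaluator applied to the PC's outgoing telnet request (192.168.86.10 -> 172.16.52.2 port 23) returns "permit", which is why the list looks right until you consider which direction the interface actually filters.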

conf t
line vty 0 4
transport input telnet
transport output telnet
ctrl-z
wr mem

you don't need that transport telnet stuff, you just need to do

line vty 0 4
password password
login

if I were you, I would just get rid of all your access lists to see if you can even telnet to each other or even do a simple ping.  then, do your access lists.  whatever your dce router is, you need the clockrate there, and your dte doesn't require one of course.  then get rid of your igrp and just do router rip with 172.16.52.0 and 192.168.86.0

make sure the connection works, then you can extend your running config; this way you know at which point it's working and not working.

the transport commands that are present on the line interfaces of the router tell the router what types of protocols to allow to connect.  For instance on your vty ports you have transport input telnet which will allow a telnet client, and only a telnet client, to connect to the vty port.  Input is connecting to the router and output is originating a connection from the router.  Some binaries support SSH.  Many ISPs use this feature instead of telnet due to the encryption.  So if you wanted to add SSH support to your VTY line you would type "transport input ssh", or for both SSH and telnet "transport input telnet ssh".  You can even allow all protocols, but that is a security no-no.  Generally I do not allow outbound transports from my routers for security reasons.
ASKER CERTIFIED SOLUTION
mikebernhardt
This solution is only available to members.

By default, the vty ports will allow connection by any protocol supported on the router. On the 2500 with IP software, that's pretty much only telnet. Others could be X.25 PAD or other non-IP protocols. You don't need to touch it unless you are tightening security. Although I wouldn't call limiting access to telnet much of a security enhancement :-)

In any case, the transport function is not related to your problem.

I can now telnet to the 172.16.52.0 network....

the combination of a static route being set and the removal of the NAT statements did the trick.

I did a sh ip nat trans and a sh ip nat stat while trying to telnet to the 172.16.52.0 network.... I noticed that the port numbers weren't quite correct. My computer on the 192.168.86.0 network was getting a response with port # 1453. So after removing NAT I was able to establish a telnet session right away.

I will give the points to mikebernhardt because his comment "The Netgear needs to have a static route added that points back to the 2501 to get to 172.16 network" was the closest to solving the problem and was basically what I needed to do on my Netgear and on my PCs.

Thanks to all for your help and patience.
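Added example (not from the thread): a hop-by-hop forwarding simulation of the lab drawn in the asker's diagram, showing where a PC's packet for 172.16.52.2 goes before and after the static route mikebernhardt described is added on the Netgear. The node names, the PC address 192.168.86.10, the Netgear's WAN default route ("upstream") and the 2503's RIP-learned route for 192.168.86.0/24 are assumptions.

```python
import copy
import ipaddress

# Constructed from the diagram in the thread: PCs behind the Netgear (192.168.86.1), the 2501 on
# 192.168.86.56 (Ethernet0) and 172.16.52.1 (Serial0), the 2503 on 172.16.52.2.  Routes are
# (prefix, next hop); next hop None means directly connected, "upstream" is the Netgear's WAN side.
# Assumed: the PC address 192.168.86.10 and the 2503's RIP-learned route for 192.168.86.0/24.
NODES = {
    "pc": {"addrs": ["192.168.86.10"], "routes": [("0.0.0.0/0", "192.168.86.1")]},
    "netgear": {"addrs": ["192.168.86.1"],
                "routes": [("192.168.86.0/24", None), ("0.0.0.0/0", "upstream")]},
    "2501": {"addrs": ["192.168.86.56", "172.16.52.1"],
             "routes": [("192.168.86.0/24", None), ("172.16.52.0/24", None),
                        ("0.0.0.0/0", "192.168.86.1")]},
    "2503": {"addrs": ["172.16.52.2"],
             "routes": [("172.16.52.0/24", None), ("192.168.86.0/24", "172.16.52.1")]},
}

def owner(nodes, addr):
    """Name of the node that holds this address, or None if it is nothing in the lab."""
    return next((n for n, d in nodes.items() if addr in d["addrs"]), None)

def lookup(routes, dst):
    """Longest-prefix match: returns the next hop, None for directly connected, or 'no route'."""
    d = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p).prefixlen, nh) for p, nh in routes if d in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0])[1] if matches else "no route"

def trace(nodes, src, dst, max_hops=8):
    """Forward hop by hop; the path ends at the destination's owner or wherever the packet leaves the lab."""
    path, node = [src], src
    for _ in range(max_hops):
        if owner(nodes, dst) == node:
            return path
        nh = lookup(nodes[node]["routes"], dst)
        if nh == "no route":
            return path + ["dropped"]
        nxt = owner(nodes, dst) if nh is None else owner(nodes, nh)
        if nxt is None:  # left the lab (e.g. the Netgear's WAN side): the 172.16 net is never reached
            return path + [nh or "unreachable"]
        path.append(nxt)
        node = nxt
    return path + ["loop"]

def with_netgear_static(nodes):
    """The fix from the accepted comment: a static route on the Netgear for 172.16.52.0/24 via the 2501."""
    fixed = copy.deepcopy(nodes)
    fixed["netgear"]["routes"].insert(0, ("172.16.52.0/24", "192.168.86.56"))
    return fixed
```

Tracing the reply direction (2503 to the PC) succeeds even without the fix, because the 2501 is directly connected to 192.168.86.0/24; only the forward path depends on the Netgear knowing about 172.16.52.0/24.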