Solved

Telnet connection problem on 2500 series

Posted on 2004-08-29
Last Modified: 2009-07-29
I have a 2501 that's connected to my Netgear router/switch, where I have my computers using a 192.168.x.x network. I have a 2503 connected to the 2501 via a serial connection using a 172.16.x.x network. The problem that I'm having is that although I can ping the 172.16.x.x interfaces, I can't telnet to them from any of my computers (it works fine from the 2501 router).

I've tried adding an extended access list, using access-list 101 permit tcp 192.168.x.0 0.0.0.255 172.16.x.0 0.0.0.255 eq 23, then ip access-group 101 in, on the serial interface of the 2501, but oddly enough when I did that I couldn't even ping.

What am I missing?

Here are the configs I have:

Current configuration : 1629 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 2501R
!
logging rate-limit console 10 except errors
enable secret 5 $1$GJxb$cR/kvM5feP9pXmSVHzUC/.
!
ip subnet-zero
no ip finger
ip name-server 192.168.x.x
!
no ip dhcp-client network-discovery
!
interface Ethernet0
 description AUI-ETH INT (10 BaseT)
 ip address 192.168.x.x 255.255.255.0
 ip access-group 1 in
 ip nat outside
 no ip route-cache
 no ip mroute-cache
!
interface Ethernet0.1
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Serial0
 ip address 172.16.x.x 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
!
interface Serial1
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
router rip
 network 172.16.0.0
 network 192.168.0.0
 network 192.168.x.0
!
router igrp 100
 variance 2
 network 172.16.0.0
 maximum-paths 5
!
ip default-gateway 192.168.x.x
ip kerberos source-interface any
ip nat inside source list 2 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.x.x
no ip http server
!
access-list 1 permit 192.168.x.0 0.0.0.255
access-list 1 permit 172.16.x.0 0.0.0.255
access-list 2 permit 172.16.x.0 0.0.0.255
!
banner login ^C This is a Private Network. Unauthorized access is Punishable by Law. ^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport input none
line aux 0
 transport input all
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
 password 7 03095A13156G361F5C
 logging synchronous
 login
!
end



Current configuration:
!
version 11.1
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 2503R
!
enable secret 5 $1$b/50$KJhQYTYCLiOHEIqC19VInQ/
enable password 7 186385401193705581E
!
partition flash 2 8 8
!
!
interface Ethernet0
 ip address 192.168.x.x 255.255.255.0
 ip access-group 1 in
!
interface Ethernet0.1
 arp timeout 0
 shutdown
!
interface Serial0
 ip address 172.16.x.x 255.255.255.0
 ip access-group 1 in
 clockrate 56000
 dce-terminal-timing-enable
!
interface Serial1
 no ip address
 shutdown
!
interface BRI0
 no ip address
 shutdown
!
router rip
 network 172.16.0.0
 network 192.168.0.0
 network 192.168.x.0
!
router igrp 100
 variance 2
 network 172.16.0.0
 maximum-paths 5
!
ip default-gateway 192.168.x.x
ip name-server 192.168.x.x
ip classless
logging buffered
access-list 1 permit 192.168.x.0 0.0.0.255
access-list 1 permit 172.16.x.0 0.0.0.255
banner login ^C This is a Private Network. Unathorized Access is Punishable b
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
 password 7 082G4D561949683400
 logging synchronous
 login
!
end

Any ideas?
Question by:PaulADavis

10 Comments
 
LVL 50

Expert Comment

by:Don Johnston
Since this is a private network, can you post your config with the IP addresses? Your problem may be a simple IP addressing problem but there's no way to tell without the addresses.

-Don
 
LVL 5

Expert Comment

by:dgroscost
You might need a 'transport input telnet' and 'transport output telnet' in the configuration of line vty 0 4.

Also, if you are using an access list to block telnet to the router, use the log statement at the end of each access-list statement and with console logging (or terminal monitor), after you try to telnet in, a line will display showing if the access list denied you.
 
LVL 11

Expert Comment

by:PennGwyn
Your access list would allow the 2503 to telnet through the 2501 -- and ONLY that.  Since that's not what you're trying to do, and it blocks everything else, it stops your ping....

> hostname 2501R
>
> interface Ethernet0
>  ip access-group 1 in
> ip nat outside
> !
> interface Ethernet0.1
  I don't think 25xx models support trunking, so this can't work.

> interface Serial0
> ip address 172.16.x.x 255.255.255.0
  RIP will advertise this as a Class B network, 172.16.0.0/16.  That might not be what you want/need.
> ip nat inside
  Why are you NATting here?
>
> router rip
>  network 172.16.0.0
>  network 192.168.0.0
  Does this router have such a network to share?
>  network 192.168.x.0
>!
> router igrp 100
>  variance 2
>  network 172.16.0.0
>  maximum-paths 5
  Huh?

> ip default-gateway 192.168.x.x
  How can this router be its own default gateway?
> ip nat inside source list 2 interface Ethernet0 overload
  So 172.16.0.0 addresses are not directly reachable without static nat declarations.
> ip route 0.0.0.0 0.0.0.0 192.168.x.x
  You said, already, that this was the default gateway.

> access-list 1 permit 192.168.x.0 0.0.0.255
> access-list 1 permit 172.16.x.0 0.0.0.255
  Traffic from this subnet will never be seen at that interface.
> access-list 2 permit 172.16.x.0 0.0.0.255

 
LVL 7

Author Comment

by:PaulADavis
OK, let's clarify:

  netgear----192.168.86.1 (computers are on 192.168.86.0 going out through netgear)
                                          |
                        2501---192.168.86.56 via eth0
                                          |
                        2503---172.16.52.2 via ser0 connected to 172.16.52.1 on 2501's ser0

This is my lab, NOT a production router! If something seems needless, it's because I placed it there to practice. I realized after I placed the extended access list that the implicit deny at the end of the access list was why I couldn't ping; however, I still wasn't able to telnet.

I used NAT for practice (1), and (2) the Netgear built-in switch doesn't support multiple networks, so something from 172.16 wouldn't be able to communicate with my computers on 192.168.

Here is a peek at the routing table on the 2501:
           
     69.0.0.0/32 is subnetted, 1 subnets
R       69.x.x.x [120/1] via 192.168.86.1, 00:00:26, Ethernet0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.52.0 is directly connected, Serial0
C    192.168.86.0/24 is directly connected, Ethernet0
S*   0.0.0.0/0 [1/0] via 192.168.86.1

dgroscost, I've never heard of 'transport input telnet'. Could you explain some more? It sounds very interesting.

donjohnston, let me know if the addresses still aren't clear.

 
LVL 5

Expert Comment

by:dgroscost
conf t
line vty 0 4
transport input telnet
transport output telnet
ctrl-z
wr mem
 
LVL 9

Expert Comment

by:Pentrix2
You don't need that transport telnet stuff, you just need to do

line vty 0 4
password password
login

If I were you, I would just get rid of all your access lists to see if you can even telnet to each other, or even do a simple ping. Then do your access lists. Whatever your DCE router is, you need the clockrate on it, and your DTE doesn't require one, of course. Then get rid of your IGRP and just do router rip 172.16.52.0 and 192.168.86.0.

Make sure the connection works, then you can extend your running config; this way you know at which point it's working and not working.
 
LVL 1

Expert Comment

by:stealth188
The transport commands that are present on the line interfaces of the router tell the router what types of protocols to allow to connect. For instance, on your vty ports you have transport input telnet, which will allow a telnet client, and only a telnet client, to connect to the vty port. Input is connecting to the router and output is originating a connection from the router. Some binaries support SSH. Many ISPs use this feature instead of telnet due to the encryption. So if you wanted to add SSH support to your VTY line you would type "transport input ssh", or for both SSH and telnet "transport input telnet ssh". You can even allow all protocols, but that is a security no-no. Generally I do not allow outbound transports from my routers for security reasons.
 
LVL 28

Accepted Solution

by:mikebernhardt (earned 500 total points)
The Netgear needs to have a static route added that points back to the 2501 to get to the 172.16 network. Or better yet, change the default gateway of the PCs to point to the 2501. The problem is that the Netgear only knows its default route, and when a PC goes there, the Netgear tries to route the traffic out of your network entirely. If you point the PCs at the 2501, it already has a static route to the Netgear for its default route, but it's also got the route to 172.16.
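To make the forwarding argument in the accepted answer concrete, here is an added example (mine, not code from the thread or from any of the participants). It models each device's routing table as mikebernhardt describes it (the Netgear knowing only its default route) and resolves the PC-to-2503 path with longest-prefix match in the three configurations discussed: the posted one, the Netgear with the static route, and the PCs pointed at the 2501. It also traces the return path, which shows the asymmetry: the 2503 can reach the PC through the 2501 while the PC's packets leave the lab at the Netgear. The PC address 192.168.86.10, the "ISP" label for the Netgear's upstream, and the 2503's RIP-learned route to 192.168.86.0/24 are assumptions; the other addresses are the ones PaulADavis posted.

```python
"""Hop-by-hop forwarding model of the lab in this thread.

Added example, not part of the original post.  Each device's forwarding
table is a list of (prefix, next hop).  A next hop of "CONNECTED" means
deliver on the directly attached link; a next hop that is not an address
of any lab device means the packet leaves the lab (the Netgear's upstream,
labelled "ISP" here).  Lookups use longest-prefix match, as hosts and
routers do.

Posted addresses: 192.168.86.0/24 LAN, Netgear 192.168.86.1,
2501 192.168.86.56 / 172.16.52.1, 2503 172.16.52.2.
Assumed for the example: PC address 192.168.86.10 and the 2503 having
learned 192.168.86.0/24 from the 2501 via RIP.
"""
from ipaddress import ip_address, ip_network

PC, NETGEAR, R2501, R2503, ISP = "PC", "Netgear", "2501", "2503", "ISP"

# Which lab device owns each interface address (PC address is assumed).
OWNER = {
    "192.168.86.10": PC,
    "192.168.86.1": NETGEAR,
    "192.168.86.56": R2501,
    "172.16.52.1": R2501,
    "172.16.52.2": R2503,
}


def lookup(fib, dst):
    """Longest-prefix match over fib; returns the next hop, or None if no route."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in fib:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def lab(netgear_static=False, pc_gateway="192.168.86.1"):
    """Forwarding tables for the four lab devices.

    netgear_static=True adds the static route mikebernhardt suggested on the
    Netgear; pc_gateway="192.168.86.56" is his alternative of pointing the
    PCs at the 2501 instead.
    """
    netgear = [("192.168.86.0/24", "CONNECTED"), ("0.0.0.0/0", ISP)]
    if netgear_static:
        netgear.append(("172.16.52.0/24", "192.168.86.56"))
    return {
        PC: [("192.168.86.0/24", "CONNECTED"), ("0.0.0.0/0", pc_gateway)],
        NETGEAR: netgear,
        # The 2501's table as shown by "sh ip route" in the thread, minus the
        # unrelated RIP-learned 69.x.x.x/32.
        R2501: [("192.168.86.0/24", "CONNECTED"),
                ("172.16.52.0/24", "CONNECTED"),
                ("0.0.0.0/0", "192.168.86.1")],
        # Assumed: the 2503 learns 192.168.86.0/24 from the 2501 via RIP.
        R2503: [("172.16.52.0/24", "CONNECTED"),
                ("192.168.86.0/24", "172.16.52.1")],
    }


def trace(devices, src_dev, dst, max_hops=8):
    """Follow a packet from src_dev toward dst.  Returns the devices it
    visits, ending at the destination's owner or at a DROP/ISP marker."""
    path = [src_dev]
    dev = src_dev
    for _ in range(max_hops):
        if OWNER.get(dst) == dev:
            return path                       # delivered
        nh = lookup(devices[dev], dst)
        if nh is None:
            path.append("DROP(no route)")
            return path
        if nh == "CONNECTED":
            path.append(OWNER.get(dst, "DROP(no such host on link)"))
            return path
        nxt = OWNER.get(nh, nh)               # unknown next hop: leaves the lab
        path.append(nxt)
        if nxt not in devices:
            return path                       # e.g. the Netgear sent it upstream
        dev = nxt
    path.append("DROP(loop)")
    return path


if __name__ == "__main__":
    cases = [
        ("PC -> 2503, as posted", lab(), PC, "172.16.52.2"),
        ("2503 -> PC, as posted (return path)", lab(), R2503, "192.168.86.10"),
        ("PC -> 2503, static route on Netgear", lab(netgear_static=True), PC, "172.16.52.2"),
        ("PC -> 2503, PC gateway = 2501", lab(pc_gateway="192.168.86.56"), PC, "172.16.52.2"),
    ]
    for label, devs, src, dst in cases:
        print(f"{label}: {' -> '.join(trace(devs, src, dst))}")
```

In the posted configuration the trace ends at the ISP hop, which is the black hole the accepted answer describes; either fix turns it into a path that terminates at the 2503. The return-path trace is the reason pings from the 2501 itself work: the 2501 has both networks directly connected, so nothing on the 172.16 side ever needs the Netgear.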
 
LVL 28

Expert Comment

by:mikebernhardt
By default, the vty ports will allow connection by any protocol supported on the router. On the 2500 with IP software, that's pretty much only telnet. Others could be X.25 PAD or other non-IP protocols. You don't need to touch it unless you are tightening security. Although I wouldn't call limiting access to telnet much of a security enhancement :-)

In any case, the transport function is not related to your problem.
 
LVL 7

Author Comment

by:PaulADavis
I can now telnet to the 172.16.52.0 network....

The combination of a static route being set and the removal of the NAT statements did the trick.

I did a sh ip nat trans and a sh ip nat stat while trying to telnet to the 172.16.52.0 network. I noticed that the port numbers weren't quite correct. My computer on the 192.168.86.0 network was getting a response with port # 1453. So after removing NAT I was able to establish a telnet session right away.

I will give the points to mikebernhardt because his comment "The Netgear needs to have a static route added that points back to the 2501 to get to 172.16 network" was the closest to solving the problem and was basically what I needed to do on my Netgear and on my PCs.

Thanks to all for your help and patience.
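The second half of the fix, the NAT statements, as an added example (mine, not code from the thread or from any of the participants): a small model of the 2501's "ip nat inside source list 2 interface Ethernet0 overload" with Serial0 as inside and Ethernet0 as outside, run over the first two segments of the PC's telnet handshake. It shows the port mismatch PaulADavis saw in sh ip nat trans: the SYN reaches the 2503 untranslated because 172.16.52.2 is not an inside global address, but the SYN/ACK, leaving inside to outside with a source that matches access-list 2, is rewritten to the Ethernet0 address and a freshly allocated port. The PC address 192.168.86.10 and 1024 as the first port the translator hands out are assumptions; 1453 is the client port from the thread. The model implements only the translation step, not the routing around it.

```python
"""Model of the 2501's inside-source PAT rule, as posted:

    interface Ethernet0 -> ip nat outside   (192.168.86.56)
    interface Serial0   -> ip nat inside    (172.16.52.1)
    access-list 2 permit 172.16.52.0 0.0.0.255
    ip nat inside source list 2 interface Ethernet0 overload

Added example, not part of the original post.  Assumptions: PC address
192.168.86.10, first allocated global port 1024.  Client port 1453 is the
one PaulADavis reported seeing.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Pkt = namedtuple("Pkt", "src sport dst dport")


class InsideSourcePat:
    """Port address translation (IOS 'overload') for one inside-source rule."""

    def __init__(self, inside_list, inside_global, enabled=True, first_port=1024):
        self.inside_list = [ip_network(n) for n in inside_list]  # access-list 2
        self.inside_global = inside_global                       # Ethernet0 address
        self.enabled = enabled
        self.next_port = first_port      # assumed starting port for the example
        self.table = {}                  # (inside local addr, port) -> global port

    def inside_to_outside(self, p):
        """Serial0 -> Ethernet0: translate the source if it matches the list.
        The translator does not know (or care) that this packet is a reply;
        any matching source without an entry gets a new dynamic translation."""
        if not self.enabled or not any(ip_address(p.src) in n for n in self.inside_list):
            return p
        key = (p.src, p.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return p._replace(src=self.inside_global, sport=self.table[key])

    def outside_to_inside(self, p):
        """Ethernet0 -> Serial0: only packets addressed to an existing
        inside-global tuple are untranslated; anything else is routed as-is."""
        if not self.enabled or p.dst != self.inside_global:
            return p
        for (local, lport), gport in self.table.items():
            if gport == p.dport:
                return p._replace(dst=local, dport=lport)
        return p


def telnet_handshake(nat, pc="192.168.86.10", pc_port=1453, server="172.16.52.2"):
    """Run SYN and SYN/ACK of a telnet connection through the 2501.
    Returns (the 4-tuple the PC receives, whether it matches the PC's socket)."""
    syn = Pkt(pc, pc_port, server, 23)
    syn_at_2503 = nat.outside_to_inside(syn)       # untouched: 172.16.52.2 is no inside global
    synack = Pkt(syn_at_2503.dst, 23, syn_at_2503.src, syn_at_2503.sport)
    synack_at_pc = nat.inside_to_outside(synack)   # source rewritten here
    seen = (synack_at_pc.src, synack_at_pc.sport, synack_at_pc.dst, synack_at_pc.dport)
    expected = (server, 23, pc, pc_port)           # what the PC's TCP stack is waiting for
    return seen, seen == expected


def with_nat():
    """The posted configuration: list 2 covers the 2503's address."""
    return telnet_handshake(InsideSourcePat(["172.16.52.0/24"], "192.168.86.56"))


def without_nat():
    """After 'no ip nat inside source list 2 ...', as the author ended up doing."""
    return telnet_handshake(InsideSourcePat(["172.16.52.0/24"], "192.168.86.56", enabled=False))


if __name__ == "__main__":
    print("with NAT:   ", with_nat())
    print("without NAT:", without_nat())
```

With the rule in place the PC receives a SYN/ACK from 192.168.86.56:1024 for a socket it opened toward 172.16.52.2:23; no local connection matches that tuple, so the host's stack answers with a RST and the telnet session never completes, even once the route through the Netgear is correct. A quick way to see this on the router is the translation entry for 172.16.52.2:23 appearing in sh ip nat translations while the PC's connection attempt hangs.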
