• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2254
  • Last Modified:

How to enable telnet access on external NAT interface

I have a 2811 router that needs telnet access enabled on an external-facing interface from anywhere (it has a public IP). I can't get to it even with the ACL wide open, blocking nothing on that interface. The interface is set up as a NAT outside interface and is NATing IPs with 10.100.100.x addresses, which works fine. I can telnet into the router from anywhere on the LAN without issues, just not from the outside.

I do realize SSH is the way to go for this, but I have a client that wants to use telnet :(

Am I missing something in the config?

Asked: kenhen99
 
JFrederick29 commented:
Do you have an access-list bound to the VTY lines?
 
Hypercat (Deb) commented:
Not familiar with the router model, but essentially what you need to do is to open port 23 incoming on the external (public) interface.  I hope you can secure the router with a user name and password required for telnetting because otherwise someone could easily get into your router and completely destroy your configuration.
 
kenhen99 (Author) commented:
JFrederick - yes, access-lists are wide open on the VTY lines

hypercat - yes, I have a username and password assigned
 
JFrederick29 commented:
Can you post the configuration?
 
kenhen99 (Author) commented:
sh run
Building configuration...

Current configuration : 3442 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname <hostname>
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password 7 141107184D5424
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
no ip cef
no ip dhcp use vrf connected
!
!
!
ip domain name <yourdomain.com>
!
password encryption aes
username <admin user> privilege 15 secret 5 $1$Lf8u$J89S21bqUysfVKyn0a3xa.
!
!
!
interface FastEthernet0/0
 description DSL External
 ip address <public IP>
 ip accounting output-packets
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 glbp 10 ip <public IP>
 glbp 10 timers 5 18
 glbp 10 timers redirect 600 7200
 glbp 10 name DSL-Group
!
interface FastEthernet0/1
 description T1 EXternal
 ip address <Public IP>
 ip accounting output-packets
 ip nat outside
 duplex auto
 speed auto
 glbp 10 ip <Public IP>
 glbp 10 timers 5 18
 glbp 10 timers redirect 600 7200
 glbp 10 name T1-Group
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
 description Internal LAN
 switchport access vlan 100
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
 no ip address
!
interface Vlan100
 description Internal VLAN
 ip address 10.100.100.1 255.255.255.0
 ip access-group 1 in
 ip nat inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 <DSL IP Gateway> 10
ip route 0.0.0.0 0.0.0.0 <T1 IP Gateway> 10
ip flow-export version 5
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat source route-map DSL interface FastEthernet0/0 overload
ip nat source route-map T1 interface FastEthernet0/1 overload
ip nat inside source route-map DSL interface FastEthernet0/0 overload
ip nat inside source route-map T1 interface FastEthernet0/1 overload
!
access-list 1 permit any
access-list 101 permit ip any any
route-map DSL permit 10
 match ip address 101
 match interface FastEthernet0/0
!
route-map T1 permit 10
 match ip address 101
 match interface FastEthernet0/1
!
!
control-plane
!
!
line con 0
 password 7 141107184D5424
 login local
line aux 0
line vty 0 4
 privilege level 15
 password 7 10481C0A44471C
 login
 transport input all
line vty 5 15
 privilege level 15
 password 7 094A5B1A585519
 login
 transport input all
!
scheduler allocate 20000 1000
!
end

Router#exit
 
kenhen99 (Author) commented:
Sorry, I just realized I posted an old config. Let me get the latest one and put it up here.
 
arsaif commented:
By default, routers are configured to accept telnet on port 23 from the inside. In order to get telnet access from the outside, you need to create a NAT entry for this purpose.

Connect to the router and type the following. Now you have outside telnet access on port 23000.

NB. This also makes your router more open for hacker attack.
enable config
ip nat inside source static tcp 192.168.1.1 23 interface dialer0 23000

 
JFrederick29 commented:
You shouldn't need a NAT statement.

Are you trying to connect to the real interface IP address or the GLBP IP address?  Not sure why you are running GLBP on the external interface. Try connecting to the real IP...

It could also be due to load balancing the default routes.  Try putting a host route to your external management PC via the T1 connection and try to telnet to the T1 interface IP address.

ip route x.x.x.x 255.255.255.255 <T1 IP Gateway>, where x.x.x.x is your external PC making the telnet connection.
 
JFrederick29 commented:
This may be the cause:

Try this:

conf t
ip access-list extended 101
1 deny host <FastEthernet0/0 IP Address>
2 deny host <FastEthernet0/1 IP Address>
 
JFrederick29 commented:
Typo:

Should be:

conf t
ip access-list extended 101
1 deny ip host <FastEthernet0/0 IP Address> any
2 deny ip host <FastEthernet0/1 IP Address> any

If you don't have static IPs on the interfaces, change your access-list 101 from "permit ip any any" to only allowing the specific inside networks or the RFC 1918 space:

10.0.0.0 255.0.0.0
172.16.0.0 255.240.0.0
192.168.0.0 255.255.0.0
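As an added example (not code from anyone in this thread), a small Python audit of an IOS running-config in the shape posted above: it flags NAT route-map ACLs that would also match the router's own outside-interface addresses (the case JFrederick29's "deny ip host <IP> any" entries address) and vty lines that still accept cleartext telnet. The sample config and the 203.0.113.10 address are constructed stand-ins for the redacted values.

```python
import re
# Constructed sample modelled on the posted config; 203.0.113.10 stands in for the redacted public IP.
SAMPLE = """\
interface FastEthernet0/0
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
ip nat inside source route-map DSL interface FastEthernet0/0 overload
access-list 101 permit ip any any
route-map DSL permit 10
 match ip address 101
line vty 0 4
 transport input all
"""

def parse(cfg):
    """Collect interfaces, numbered ACL entries, route-map ACLs, NAT route-maps and vty transports."""
    intf, acls, rmap_acl, nat_rmaps, vty, block = {}, {}, {}, [], [], ""
    for line in cfg.splitlines():
        if not line.startswith(" "):          # top-level statement starts a new block
            block = line
            if m := re.match(r"ip nat inside source route-map (\S+)", line):
                nat_rmaps.append(m.group(1))
            elif m := re.match(r"access-list (\d+) (.+)", line):
                acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        w = line.split()                      # indented sub-command belonging to `block`
        if block.startswith("interface"):
            d = intf.setdefault(block.split()[1], {})
            if w[:2] == ["ip", "address"]:
                d["ip"] = w[2]
            elif w == ["ip", "nat", "outside"]:
                d["outside"] = True
        elif block.startswith("route-map") and w[:3] == ["match", "ip", "address"]:
            rmap_acl[block.split()[1]] = w[3]
        elif block.startswith("line vty") and w[:2] == ["transport", "input"]:
            vty.append((block, w[2]))
    return intf, acls, rmap_acl, nat_rmaps, vty

def audit(cfg):
    """Flag NAT ACLs that also match the router's own outside IPs, and vty lines accepting telnet."""
    intf, acls, rmap_acl, nat_rmaps, vty = parse(cfg)
    outside_ips, findings = [d["ip"] for d in intf.values() if d.get("outside") and "ip" in d], []
    for acl in {rmap_acl.get(rm) for rm in nat_rmaps}:
        entries = acls.get(acl, [])
        for ip in outside_ips:                # a 'deny ip host <ip> any' entry before the permit clears this
            if any(e.startswith("permit ip any any") for e in entries) and not any(e.startswith("deny") and ip in e for e in entries):
                findings.append(f"nat-acl {acl} matches router IP {ip}")
    findings += [f"{blk} accepts cleartext telnet" for blk, t in vty if t in ("all", "telnet")]
    return findings
```

Running `audit(SAMPLE)` reports both findings; adding the deny entry and switching the vty to `transport input ssh` clears them.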