Solved

How to enable telnet access on external NAT interface

Posted on 2008-06-09
Last Modified: 2008-06-13
I have a 2811 router that needs telnet access enabled on an external-facing interface from anywhere (it has a public IP). I can't get to it even with the ACL wide open, blocking nothing on that interface. The interface is set up as a NAT outside interface and is NATing IPs with 10.100.100.x addresses, which works fine. I can telnet into the router from anywhere on the LAN without issues, just not from the outside.

I do realize SSH is the way to go for this but I have a client that wants to use telnet :(

Am I missing something in the config?
Question by:kenhen99
10 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 21745881
Do you have an access-list bound to the VTY lines?
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 21745901
Not familiar with the router model, but essentially what you need to do is to open port 23 incoming on the external (public) interface.  I hope you can secure the router with a user name and password required for telnetting because otherwise someone could easily get into your router and completely destroy your configuration.

Author Comment

by:kenhen99
ID: 21746008
JFrederick - yes, access-lists are wide open on VTY lines

hypercat - yes, I have a username and password assigned
LVL 43

Expert Comment

by:JFrederick29
ID: 21746028
Can you post the configuration?

Author Comment

by:kenhen99
ID: 21746245
sh run
Building configuration...

Current configuration : 3442 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname <hostname>
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password 7 141107184D5424
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
no ip cef
no ip dhcp use vrf connected
!
!
!
ip domain name <yourdomain.com>
!
password encryption aes
username <admin user> privilege 15 secret 5 $1$Lf8u$J89S21bqUysfVKyn0a3xa.
!
!
!
interface FastEthernet0/0
 description DSL External
 ip address <public IP>
 ip accounting output-packets
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 glbp 10 ip <public IP>
 glbp 10 timers 5 18
 glbp 10 timers redirect 600 7200
 glbp 10 name DSL-Group
!
interface FastEthernet0/1
 description T1 EXternal
 ip address <Public IP>
 ip accounting output-packets
 ip nat outside
 duplex auto
 speed auto
 glbp 10 ip <Public IP>
 glbp 10 timers 5 18
 glbp 10 timers redirect 600 7200
 glbp 10 name T1-Group
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
 description Internal LAN
 switchport access vlan 100
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
 no ip address
!
interface Vlan100
 description Internal VLAN
 ip address 10.100.100.1 255.255.255.0
 ip access-group 1 in
 ip nat inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 <DSL IP Gateway> 10
ip route 0.0.0.0 0.0.0.0 <T1 IP Gateway> 10
ip flow-export version 5
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat source route-map DSL interface FastEthernet0/0 overload
ip nat source route-map T1 interface FastEthernet0/1 overload
ip nat inside source route-map DSL interface FastEthernet0/0 overload
ip nat inside source route-map T1 interface FastEthernet0/1 overload
!
access-list 1 permit any
access-list 101 permit ip any any
!
route-map DSL permit 10
 match ip address 101
 match interface FastEthernet0/0
!
route-map T1 permit 10
 match ip address 101
 match interface FastEthernet0/1
!
!
control-plane
!
!
line con 0
 password 7 141107184D5424
 login local
line aux 0
line vty 0 4
 privilege level 15
 password 7 10481C0A44471C
 login
 transport input all
line vty 5 15
 privilege level 15
 password 7 094A5B1A585519
 login
 transport input all
!
scheduler allocate 20000 1000
!
end

Router#exit

Author Comment

by:kenhen99
ID: 21746581
Sorry I just realized I posted an old config.. let me get the latest one and put up here..
LVL 2

Expert Comment

by:arsaif
ID: 21751229
By default routers are configured to accept telnet on port 23 from the inside. In order to get telnet access from the outside, you need to create a NAT entry for this purpose.

Connect to the router and type the following. Now you have outside telnet access on port 23000.

NB. This also makes your router more open for hacker attack.

enable
configure terminal
ip nat inside source static tcp 192.168.1.1 23 interface dialer0 23000


LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 21752588
You shouldn't need a NAT statement.

Are you trying to connect to the real interface IP address or the GLBP IP address?  Not sure why you are running GLBP on the external interface. Try connecting to the real IP...

It could also be due to load balancing the default routes.  Try putting a host route to your external management PC via the T1 connection and try to telnet to the T1 interface IP address.

ip route x.x.x.x 255.255.255.255 <T1 IP Gateway>  (where x.x.x.x is your external PC making the telnet connection)
LVL 43

Expert Comment

by:JFrederick29
ID: 21777842
This may be the cause:

Try this:

conf t
ip access-list extended 101
1 deny host <FastEthernet0/0 IP Address>
2 deny host <FastEthernet0/1 IP Address>
LVL 43

Expert Comment

by:JFrederick29
ID: 21777860
Typo:

Should be:

conf t
ip access-list extended 101
1 deny ip host <FastEthernet0/0 IP Address> any
2 deny ip host <FastEthernet0/1 IP Address> any

If you don't have static IPs on the interfaces, change your access-list 101 from "permit ip any any" to only allow the specific inside networks or the RFC 1918 space:

10.0.0.0 255.0.0.0
172.16.0.0 255.240.0.0
192.168.0.0 255.255.0.0
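The point of the accepted answer and the follow-up is what the NAT route-map's ACL 101 matches: with "permit ip any any" the router's own interface addresses are selected for translation just like inside hosts. The following is an added model of IOS first-match ACL evaluation (not code from the thread or from Cisco), comparing the posted ACL, the "deny host" fix, and the RFC 1918 variant. The interface and admin-PC addresses are constructed placeholders from the documentation ranges standing in for <FastEthernet0/0 IP Address> and friends.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges), not the poster's addresses.
FA0_0_IP = "203.0.113.10"    # stands in for <FastEthernet0/0 IP Address>
FA0_1_IP = "198.51.100.10"   # stands in for <FastEthernet0/1 IP Address>
EXTERNAL_PC = "192.0.2.25"   # the external management PC from the accepted answer
INSIDE_HOST = "10.100.100.50"  # a LAN host on Vlan100

ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def acl_permits(acl, src):
    """IOS-style evaluation: entries are tried top-down, the first whose network
    contains the source address decides, and an unmatched packet hits the implicit
    deny at the end of every access-list."""
    src_ip = ipaddress.ip_address(src)
    for action, net in acl:
        if src_ip in net:
            return action == "permit"
    return False


def nat_selects(acl, src):
    """True when 'match ip address 101' in route-map DSL/T1 would select this source
    for translation by the overload NAT statements in the posted config."""
    return acl_permits(acl, src)


# access-list 101 permit ip any any  (as posted)
ORIGINAL_ACL = [("permit", ANY)]

# The fix from the thread: deny the router's own interface addresses before the permit.
FIXED_ACL = [
    ("deny", ipaddress.ip_network(FA0_0_IP + "/32")),
    ("deny", ipaddress.ip_network(FA0_1_IP + "/32")),
    ("permit", ANY),
]

# Alternative for dynamically assigned interface IPs: only permit RFC 1918 inside space.
RFC1918_ACL = [("permit", n) for n in RFC1918]


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL), ("rfc1918", RFC1918_ACL)):
        for host in (FA0_0_IP, FA0_1_IP, INSIDE_HOST, EXTERNAL_PC):
            print(f"{name:8} {host:16} selected for NAT: {nat_selects(acl, host)}")
```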
