Solved

How to enable Telnet

Posted on 2008-06-11
Last Modified: 2012-05-05
Ok this is going to be really simple to answer, so it should be 500 easy points.

I have a Cisco 1720 with a WIC-1ADSL.

For as long as I can remember I have tried to find out how to do this and just have not been able to work it out.

How do I enable telnet to the cisco box on the IP Address assigned to the WIC Card by my ISP?

My ISP assigns the IP Address to my Cisco, I use interface dialer 0.

Once the IP Address is assigned I can not telnet to my router from the Internet, it just does not work, I know the packet is arriving because I can see it on the access lists!!  But the connection does not work, the Cisco just drops it.

I am also unable to telnet from the Internal Ethernet Network to the IP address assigned by my provider.

Thanks.

-Rowan


Question by:rowansmith
 
LVL 23

Assisted Solution

by:that1guy15
that1guy15 earned 500 total points
ID: 21764341
Make sure your ACL allows telnet through and then console into the router and enter these commands

config t
line vty 0 4
! use whatever password you want in place of "cisco"
password cisco
login
exit

This will enable telnet access from any interface on the router.
0
 
LVL 11

Author Comment

by:rowansmith
ID: 21764448
Already have that. I can telnet from my internal ethernet network, but not from the internet side.  Have never been able to.

I know this because I once went through the effort of making sure that my Router was not accessible from the Internet and that I had the right access lists in place to prevent this. I discovered that even with NO access lists, I am unable to Telnet to the ADSL interface.  So if I remove all the CBAC and all the ACLs (except the one for the dialer :-) ) it still doesn't work.

I don't really want Telnet to work - I just want to understand why it is not working because at the moment the router's external interface is secured from telnet access via some default means that I do not understand.

By the way, my SSH doesn't work either - this I do want to get to work.

Here is the config:

Current configuration : 3137 bytes
!
! Last configuration change at 15:46:40 UTC Fri Nov 9 2007
! NVRAM config last updated at 15:46:42 UTC Fri Nov 9 2007
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname c1720
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 debugging
logging console errors
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa session-id common
ip subnet-zero
!
!
ip domain name home.smith.gen.nz
ip name-server XXXXXXXXXX
ip name-server XXXXXXXXXX
ip dhcp excluded-address 192.168.1.1 192.168.1.63
ip dhcp excluded-address 192.168.1.250 192.168.1.255
!
ip dhcp pool Home-Pool
   network 192.168.1.0 255.255.255.0
   domain-name home.XXXXXXXXX
   default-router 192.168.1.1
   dns-server XXXXXXXXXXXX XXXXXXXXXX
   update arp
!
no ip bootp server
ip cef
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw ftp
ip audit po max-events 100
!
!
username admin password 0 XXXXXXX
!
!
ip ssh authentication-retries 2
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
 full-duplex
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group INT-In in
 ip nat inside
 ip inspect myfw in
 speed auto
!
interface Dialer0
 ip address negotiated
 ip access-group EXT-In in
 no ip redirects
 no ip unreachables
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username XXXXXXXXXXXX password 0 XXXXXXXXXXXXXX
 ppp ipcp dns request
!
ip nat inside source list 1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.2.0 255.255.255.0 192.168.1.74
no ip http server
no ip http secure-server
!
!
!
ip access-list extended EXT-In
 permit tcp any any eq 22 log
 permit tcp any any eq telnet log
 deny   tcp any any eq 29947
 deny   udp any any eq 29947
 deny   ip any any log
ip access-list extended INT-In
 permit ip any host 192.168.1.1
 permit ip any host 255.255.255.255
 deny   ip any host 192.168.1.255
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 deny   ip any 169.254.0.0 0.0.255.255 log
 permit icmp any any
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any eq 22
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit ip any host 203.144.35.129
 permit ip any host 203.144.32.4
 permit ip any host 203.144.32.10
 permit tcp host 192.168.1.64 any
 permit udp host 192.168.1.64 any
 deny   ip any any log
logging history informational
logging 192.168.1.68
access-list 1 permit any
dialer-list 1 protocol ip permit
no cdp run
!
snmp-server community XXXXXX RO
snmp-server enable traps tty
!
!
line con 0
line aux 0
line vty 0 4
 password XXXXXXXX
!
end
0
 
LVL 23

Expert Comment

by:that1guy15
ID: 21764756
The only thing I see missing from your config is the login command under your vty interface.

If you are trying to get SSH set up on your router it looks like you only need to set it up under the VTY interface and allow it in the ACL.

Here is a good link that will explain how to configure SSH all the way through in case I looked over something in your config.

http://articles.techrepublic.com.com/5100-10878_11-5875046.html
0
 
LVL 11

Author Comment

by:rowansmith
ID: 21764796
I have tried adding the login command as well, after I saw it in your post.  I actually can not add just "login" it is not an option but I added the following two commands:

aaa authentication login default local
login authentication default

If I add the "login authentication default" to the line it just disappears from the config anyway - so I guess it is implied anyway.

Below is the Cisco output for the line vty 0 4 ....

c1720(config)#line vty 0 4
c1720(config-line)#login ?
  authentication  Authentication parameters.
  ctrlc-disable   Disable CONTROL-C during login.

c1720(config-line)#login auth
c1720(config-line)#login authentication ?
  WORD     Use an authentication list with this name.
  default  Use the default authentication list.

c1720(config-line)#login authentication defa
c1720(config-line)#login authentication default ?
  <cr>

c1720(config-line)#login authentication default
c1720(config-line)#^Z
0
 
LVL 11

Author Comment

by:rowansmith
ID: 21764843
I am not trying to fix SSH in this question, but interestingly SSH works fine from the internal network, again it does not work from the Internet... same symptoms as Telnet.
0
 
LVL 11

Accepted Solution

by:
rowansmith earned 0 total points
ID: 21764897
Wow... I just found another post at: http://www.loeppenthien.dk/Network_IOS.asp#Hint2

Says I need to create a NAT rule - so I did....

ip nat inside source static tcp 192.168.1.1 22 interface Dialer0 22
ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23

And it works - both SSH and TELNET!!!

Weird, I do not understand why I need to NAT Telnet/SSH to the internal interface, it is still like the servers are not listening on the external interface...

I am sure I am still missing something because I think I should be able to manage the router by just going straight to the outside interface....

Later I will turn off NAT and then see if I can get straight to the outside interfaces, maybe NAT overrides any listening services?
0
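An added example, not part of the thread or any participant's code: a small Python audit of a running-config like the one posted above, with the two static NAT lines from the accepted answer applied, that reports where Telnet and the vty lines are left open to any source. The helper names `sections` and `audit` and the finding labels are assumptions of this sketch, and the sample config is a constructed excerpt with placeholder secrets.

```python
import re

# Constructed excerpt of the config posted in this thread, plus the two static
# NAT lines from the accepted answer. Secrets are placeholders.
SAMPLE_CONFIG = """\
no service password-encryption
username admin password 0 PLACEHOLDER
ip nat inside source static tcp 192.168.1.1 22 interface Dialer0 22
ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23
ip access-list extended EXT-In
 permit tcp any any eq 22 log
 permit tcp any any eq telnet log
 deny   ip any any log
line vty 0 4
 password PLACEHOLDER
"""

def sections(config):
    """Map each top-level config line to the indented lines beneath it."""
    out, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            out[current] = []
        elif current:
            out[current].append(line.strip())
    return out

def audit(config):
    """Return labels (hypothetical names) for management-plane exposure."""
    secs, findings = sections(config), []
    if "no service password-encryption" in secs:
        findings.append("password-encryption-off")
    if any(re.match(r"username \S+ password 0 ", s) for s in secs):
        findings.append("type0-user-password")
    for head, body in secs.items():
        if re.match(r"ip nat inside source static tcp \S+ 23 interface", head):
            findings.append("telnet-nat-forward")
        if head.startswith("ip access-list extended") and any(
                re.match(r"permit tcp any any eq (telnet|23)\b", r) for r in body):
            findings.append("telnet-open-to-any:" + head.split()[-1])
        if head.startswith("line vty"):
            if not any(b.startswith("access-class") for b in body):
                findings.append("vty-no-access-class")
            if "transport input ssh" not in body:
                findings.append("vty-not-ssh-only")
    return findings
```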
 
LVL 11

Author Comment

by:rowansmith
ID: 21766295
Thanks!
0
