Solved

telnet to cisco 800 series refused

Posted on 2010-08-18
810 Views
Last Modified: 2012-05-10
Hi all,

I'm trying to telnet to my router (locally) but I'm getting refused.

Here is my config:


Building configuration...

Current configuration : 8981 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname airport
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$TP.u$eVGh8rHFQdC8BrO.4LRex1
enable password T@ur15m
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3005635415
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3005635415
 revocation-check none
 rsakeypair TP-self-signed-3005635415
!
!
crypto pki certificate chain TP-self-signed-3005635415
 certificate self-signed 01


        quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip inspect tcp synwait-time 300
ip inspect tcp max-incomplete host 200 block-time 3
ip inspect name CBACFilter tcp timeout 300
ip inspect name CBACFilter udp timeout 300
ip inspect name CBACFilter http java-list 51 timeout 3600
ip inspect name CBACFilter cuseeme
ip inspect name CBACFilter ftp
ip inspect name CBACFilter h323
ip inspect name CBACFilter realaudio
ip inspect name CBACFilter smtp
ip inspect name CBACFilter icmp alert on audit-trail on
ip inspect name FIRE-IN tcp timeout 300
ip inspect name FIRE-IN udp timeout 300
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip name-server 202.27.x.x
ip name-server 202.27.x.x
!
!
!
username myusername privilege 15 secret 5 $1$YzNp$WIB2WP/.xtqZw9f/4C/UA1
username admin privilege 15 secret 5 $1$aZTy$QOqCHsSkXtgUAvXN4DkSy.
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key ******* address 203.97.x.x
crypto isakmp identity hostname
!
!
crypto map nolan 11 ipsec-isakmp
 set peer 203.97.x.x
 match address TAVPN
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description Local LAN
 ip address 192.168.1.254 255.255.255.0
 ip access-group InternetOutbound in
 ip inspect CBACFilter out
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 no ip mroute-cache
 hold-queue 100 out
!
interface Dialer0
 description ADSL connection to the Internet
 ip address negotiated previous
 ip access-group InternetInbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect CBACFilter out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username username@isp domain password 0 *******
 ppp ipcp dns accept
 crypto map nolan
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source static udp 192.168.16.5 52404 interface Dialer0 52405
ip nat inside source static udp 192.168.16.6 52404 interface Dialer0 52404
ip nat inside source route-map nonat interface Dialer0 overload
!
ip access-list standard host
!
ip access-list extended InternetInbound
 permit icmp any any
 remark allowes Head office full access
 permit ip host 203.97.x.x any
 remark allowes Telnet from Head Office
 permit tcp host 203.97.x.x any eq telnet
 remark allow VNC from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
 remark allow RDP from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
 remark allow TELNET from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq telnet
 remark allowes C400 Data Gatherer
 permit tcp host 210.54.x.x any eq 52404
 remark allowes C400 Data Gatherer via UDP
 permit udp host 210.54.x.x any eq 52404
 permit tcp host 210.54.x.x any eq 52405
 permit udp host 210.54.x.x any eq 52405
ip access-list extended InternetOutbound
 permit ip any any
 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit icmp any any
 remark allowes WWW
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq www
 remark allowes RDP
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 3389
 remark allowes VNC
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 5900
 remark allowes TELNET
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq telnet
 remark allowes C400 Data Gatherer
 permit tcp host 210.54.x.x any eq 52404
 remark allowes C400 Data Gatherer via UDP
 permit udp host 210.54.x.x any eq 52404
 permit tcp host 210.54.x.x any eq 52405
 permit udp host 210.54.x.x any eq 52405
ip access-list extended TAVPN
 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.0.255
!
logging trap debugging
access-list 1 remark Local LAN
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 150 remark NAT bypass for VPN traffic
access-list 150 deny   ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.16.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server enable traps tty
snmp-server host 192.168.16.1 255.255.255.0
no cdp run
!
!
route-map nonat permit 10
 match ip address 150 130
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 length 0
 transport input telnet
 transport output telnet ssh
!
scheduler max-task-time 5000
ntp server 218.185.224.8
end

Question by:aucklandnz
7 Comments
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33471999
If you are trying to reach it from the 10.10.10.0 network, then you don't have the proper route.
Add

ip route 10.10.10.0 255.255.255.0 <gw>

or, if you are trying from the local LAN 192.168.1.0,
then add

access-list 23 permit 192.168.1.0 0.0.0.255
0
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 500 total points
ID: 33472006
Hi,

The problem is that you left the default setting on the vty:

line vty 0 4
 access-class 23 in

If you do not need it, please disable it:

line vty 0 4
 no access-class 23 in

If you want higher security, please set in ACL 23 from where you want to reach your router!

Best regards,
Istvan

0
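Both answers come down to how `access-class 23 in` on the vty lines matches the telnet client's source address against standard ACL 23. The following is an added example, not code from the thread: it models that evaluation in Python (wildcard-mask matching, first match wins, implicit deny at the end) using ACL 23 exactly as posted and again with the line anoopkmr suggested appended; 192.168.1.10 is an assumed host on the Vlan1 LAN 192.168.1.0/24.

```python
"""Model how an IOS `access-class N in` on a vty line evaluates a standard ACL."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def parse_standard_acl(text: str):
    """Parse `access-list N {permit|deny} <src> [<wildcard>]` lines into (action, net, wild).

    `remark` lines are skipped; `host X` means wildcard 0.0.0.0; `any` matches everything.
    """
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action, src = parts[2], parts[3]
        if src == "any":
            net, wild = 0, ALL_ONES
        elif src == "host":
            net, wild = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            net = int(ipaddress.IPv4Address(src))
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((action, net, wild))
    return entries


def source_permitted(acl, source: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; the first entry whose fixed bits match wins."""
    s = int(ipaddress.IPv4Address(source))
    for action, net, wild in acl:
        care = ~wild & ALL_ONES
        if (s & care) == (net & care):
            return action == "permit"
    return False  # implicit deny at the end of every IOS access-list


# ACL 23 exactly as it appears in the posted running-config: only 10.10.10.0-10.10.10.7.
ACL23_ORIGINAL = "access-list 23 permit 10.10.10.0 0.0.0.7"
# ACL 23 with the entry anoopkmr suggested appended (IOS adds new entries at the end).
ACL23_FIXED = ACL23_ORIGINAL + "\naccess-list 23 permit 192.168.1.0 0.0.0.255"


def telnet_allowed(acl_text: str, source: str) -> bool:
    """True if a telnet client at `source` gets past `access-class` for this ACL text."""
    return source_permitted(parse_standard_acl(acl_text), source)


if __name__ == "__main__":
    # 192.168.1.10 is a constructed example host on the Vlan1 LAN (192.168.1.0/24).
    for acl in (ACL23_ORIGINAL, ACL23_FIXED):
        print(acl.replace("\n", " | "), "->", telnet_allowed(acl, "192.168.1.10"))
```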
 
LVL 3

Author Comment

by:aucklandnz
ID: 33472013
Thanks for that.

It works now.

I have another question but will post it under a different post.
0
 
LVL 3

Author Closing Comment

by:aucklandnz
ID: 33472014
Spot on
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 33472032
Oops, I awarded points to the wrong person;

it should be ikalmar.

How do I change it?
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33472061
You awarded it to ikalmar only..
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 33472074
Damn, I'm too tired today (time to go home). I meant it should be anoopkmr.

0
