Solved

telnet to cisco 800 series refused

Posted on 2010-08-18
Last Modified: 2012-05-10
Hi all,

I'm trying to telnet to my router (locally) but I'm getting refused.

Here is my config:


Building configuration...

Current configuration : 8981 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname airport
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$TP.u$eVGh8rHFQdC8BrO.4LRex1
enable password T@ur15m
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3005635415
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3005635415
 revocation-check none
 rsakeypair TP-self-signed-3005635415
!
!
crypto pki certificate chain TP-self-signed-3005635415
 certificate self-signed 01
        quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip inspect tcp synwait-time 300
ip inspect tcp max-incomplete host 200 block-time 3
ip inspect name CBACFilter tcp timeout 300
ip inspect name CBACFilter udp timeout 300
ip inspect name CBACFilter http java-list 51 timeout 3600
ip inspect name CBACFilter cuseeme
ip inspect name CBACFilter ftp
ip inspect name CBACFilter h323
ip inspect name CBACFilter realaudio
ip inspect name CBACFilter smtp
ip inspect name CBACFilter icmp alert on audit-trail on
ip inspect name FIRE-IN tcp timeout 300
ip inspect name FIRE-IN udp timeout 300
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip name-server 202.27.x.x
ip name-server 202.27.x.x
!
!
!
username myusername privilege 15 secret 5 $1$YzNp$WIB2WP/.xtqZw9f/4C/UA1
username admin privilege 15 secret 5 $1$aZTy$QOqCHsSkXtgUAvXN4DkSy.
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key ******* address 203.97.x.x
crypto isakmp identity hostname
!
!
crypto map nolan 11 ipsec-isakmp
 set peer 203.97.x.x
 match address TAVPN
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description Local LAN
 ip address 192.168.1.254 255.255.255.0
 ip access-group InternetOutbound in
 ip inspect CBACFilter out
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 no ip mroute-cache
 hold-queue 100 out
!
interface Dialer0
 description ADSL connection to the Internet
 ip address negotiated previous
 ip access-group InternetInbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect CBACFilter out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username username@isp domain password 0 *******
 ppp ipcp dns accept
 crypto map nolan
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source static udp 192.168.16.5 52404 interface Dialer0 52405
ip nat inside source static udp 192.168.16.6 52404 interface Dialer0 52404
ip nat inside source route-map nonat interface Dialer0 overload
!
ip access-list standard host
!
ip access-list extended InternetInbound
 permit icmp any any
 remark allowes Head office full access
 permit ip host 203.97.x.x any
 remark allowes Telnet from Head Office
 permit tcp host 203.97.x.x any eq telnet
 remark allow VNC from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
 remark allow RDP from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
 remark allow TELNET from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq telnet
 remark allowes C400 Data Gatherer
 permit tcp host 210.54.x.x any eq 52404
 remark allowes C400 Data Gatherer via UDP
 permit udp host 210.54.x.x any eq 52404
 permit tcp host 210.54.x.x any eq 52405
 permit udp host 210.54.x.x any eq 52405
ip access-list extended InternetOutbound
 permit ip any any
 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit icmp any any
 remark allowes WWW
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq www
 remark allowes RDP
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 3389
 remark allowes VNC
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 5900
 remark allowes TELNET
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq telnet
 remark allowes C400 Data Gatherer
 permit tcp host 210.54.x.x any eq 52404
 remark allowes C400 Data Gatherer via UDP
 permit udp host 210.54.x.x any eq 52404
 permit tcp host 210.54.x.x any eq 52405
 permit udp host 210.54.x.x any eq 52405
ip access-list extended TAVPN
 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.0.255
!
logging trap debugging
access-list 1 remark Local LAN
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 150 remark NAT bypass for VPN traffic
access-list 150 deny   ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.16.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server enable traps tty
snmp-server host 192.168.16.1 255.255.255.0
no cdp run
!
!
route-map nonat permit 10
 match ip address 150 130
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 length 0
 transport input telnet
 transport output telnet ssh
!
scheduler max-task-time 5000
ntp server 218.185.224.8
end

Question by:aucklandnz
7 Comments
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33471999
If you are trying to reach it from the 10.10.10.0 network, then you don't have the proper route.
Add:

ip route 10.10.10.0 255.255.255.0 <gw>

Or, if you are trying from the local LAN 192.168.1.0,
then add:

access-list 23 permit 192.168.1.0 0.0.0.255
0
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 500 total points
ID: 33472006
Hi,

The problem is that you left the default setting on the vty:

line vty 0 4
 access-class 23 in

If you do not need it, please disable it:

line vty 0 4
 no access-class 23 in

If you want higher security, please set in ACL 23 where you want to reach your router from!

Best regards,
Istvan

0
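Both answers above turn on the same check: the vty lines carry "access-class 23 in", and access-list 23 permits only 10.10.10.0 0.0.0.7, so a client on the 192.168.1.0 LAN hits the implicit deny. The sketch below is an added example, not part of the original thread or any Cisco tool; it evaluates a source address against that filter using a constructed excerpt of the posted config, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt: the lines of the posted config that decide vty access.
CONFIG = """\
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
line vty 0 4
 access-class 23 in
"""
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny)[ \t]+(\S+)[ \t]*(\S*)[ \t]*$", re.M)

def parse_standard_acls(config):
    """Map ACL number -> [(action, base, wildcard)] in configured order."""
    acls = {}
    for num, action, addr, wild in ACL_RE.findall(config):
        if addr == "any":
            base, mask = 0, 0xFFFFFFFF
        else:
            base = int(ipaddress.IPv4Address(addr))
            mask = int(ipaddress.IPv4Address(wild)) if wild else 0
        acls.setdefault(num, []).append((action, base, mask))
    return acls

def vty_access_class(config):
    """Return the ACL applied inbound under 'line vty', or None."""
    in_vty = False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_vty = line.startswith("line vty")
        elif in_vty and (m := re.match(r"\s+access-class (\S+) in\b", line)):
            return m.group(1)
    return None

def vty_permits(config, source_ip):
    """First matching entry wins; no match means the implicit deny applies."""
    acl = vty_access_class(config)
    if acl is None:
        return True  # no access-class: the vty itself filters nothing
    src = int(ipaddress.IPv4Address(source_ip))
    for action, base, wild in parse_standard_acls(config)[acl]:  # ACL must be defined
        if (src | wild) == (base | wild):  # wildcard bits are "don't care"
            return action == "permit"
    return False

if __name__ == "__main__":
    for ip in ("192.168.1.10", "10.10.10.2"):
        print(ip, "permitted" if vty_permits(CONFIG, ip) else "refused")
```

Appending "access-list 23 permit 192.168.1.0 0.0.0.255" (the entry suggested in the first comment) makes the LAN host pass while keeping the filter in place; removing the access-class makes vty_permits return True for every source.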
 
LVL 3

Author Comment

by:aucklandnz
ID: 33472013
Thanks for that.

It works now.

I have another question but will post it under a different post.
0
 
LVL 3

Author Closing Comment

by:aucklandnz
ID: 33472014
Spot on
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 33472032
Oops, I rewarded points to the wrong person.

It should be ikalmar.

How do I change it?
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33472061
You awarded to ikalmar only.
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 33472074
Damn, I'm too tired today (time to go home). I meant it should be anoopkmr.

0
