Solved

Cisco 800 series - can not telnet through from an embedded unit

Posted on 2010-08-27
Last Modified: 2012-06-21
We have many embedded units in the field that use telnet to send email alerts (port 25). I seem to have difficulty from time to time with router configurations. The router config is attached. I configured this router with SDM (I am still learning the ins and outs of CLI - getting pretty familiar with it); I did not configure a firewall. When I try to send a test email on a system that works, I can see the NAT translation using SHO NAT TRANS in CLI - when I send a test email on this system I do not see a port 25 entry from the embedded computer. I can VPN into the embedded computer (it has a webserver on it) and I see port 80 in the nat trans.

My question is - does the access list block first or is it a NAT problem?

Building configuration...

Current configuration : 5353 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$T9T7$1QwL9u3c.FSzZEz8F5CDp1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-41002357
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-41002357
 revocation-check none
 rsakeypair TP-self-signed-41002357
!
!
crypto pki certificate chain TP-self-signed-41002357
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34313030 32333537 301E170D 30323033 30313033 31353039
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D343130 30323335
  3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100AE79
  48790E6A 79A9F4D7 C4D24E14 7A58F5D8 A351D2A1 10EB6EDC 0D4EAD84 89F6A03B
  DBAFD84C D67CFABA D86D10EE F66C40DD 0E17B4D7 07F06CA5 FD9FD320 147712B9
  376D6429 AA41F5B1 AE9E935D BFBBC660 D3214E9D 3E445DDB 58F62350 92D41459
  C82987A7 BAFF0BDD F17C042D DF41B267 5EB48288 B2EBE787 A9453478 A8BD0203
  010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 551D1104
  1B301982 17526F75 74657243 572E4675 74757261 77617368 2E636F6D 301F0603
  551D2304 18301680 14E20749 776A764B 67C1B92C 924A42D9 23217DE4 DF301D06
  03551D0E 04160414 E2074977 6A764B67 C1B92C92 4A42D923 217DE4DF 300D0609
  2A864886 F70D0101 04050003 81810065 2A0D65EE 1392D292 C547ACAA 665CA2BE
  0215CE2F 0B53EE44 48272C6F E5ECFAB3 C1B73254 4D1EEED8 D5C670B5 7F84C731
  E27039B5 62E76F32 81C2FA51 D23BF5FE 57ABE4E9 D4E9398F E3A4AD2C 2AB48049
  60474B89 F0DFD597 D9264E99 2E66A95F 7BDE4E63 6A1A22A5 5EA7DDEE C23782EF
  5E82F84D B7ED4989 DEEFAC3F 384E08
        quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.32.1 192.168.32.229
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.32.0 255.255.255.0
   dns-server 68.xx.xxx.x 68.xx.xxx.x
   default-router 192.168.32.1
!
!
ip cef
no ip bootp server
ip domain name xxxxxxxxx.com
ip name-server 68.xx.xxx.x
ip name-server 68.xx.xxx.x
!
!
!
username xxxx privilege 15 secret 5 $1$P8gP$LBN.HjEWWyAsnGLoKpQr8/
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxx
 key xxxxxxxx
 pool SDM_POOL_1
 acl 100
 max-users 10
crypto isakmp profile sdm-ike-profile-1
   match identity group sams
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 18000
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 99.xx.xxx.xxx 255.255.255.24x
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.32.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.33.5 192.168.33.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 99.xx.xxx.xxx
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.32.100 443 interface FastEthernet4 443
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.32.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.32.0 0.0.0.255 any
access-list 100 permit ip 192.168.33.0 0.0.0.255 any
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Question by:JeffA123
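One way to check the question above (ACL first, or NAT?) against the posted config itself, as an added example that is not part of the original post or of any Cisco tool: classify each ACL by the role the config gives it. Only an ACL applied with ip access-group drops packets; in this dump ACL 100 is referenced solely as the acl under the isakmp client configuration group (the VPN split-tunnel list) and no ACL is applied to an interface, while list 1 feeds NAT overload. The config excerpt is constructed from the dump above, and the host 192.168.32.100 is taken from its static NAT entry.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the posted config: just the lines that decide whether
# an ACL filters traffic and whether NAT overload covers the embedded unit.
CONFIG = """
ip nat inside source list 1 interface FastEthernet4 overload
crypto isakmp client configuration group xxxx
 acl 100
access-list 1 permit 192.168.32.0 0.0.0.255
access-list 100 permit ip 192.168.32.0 0.0.0.255 any
access-list 100 permit ip 192.168.33.0 0.0.0.255 any
"""

def acl_references(config):
    """Map each ACL number to the roles the config assigns it."""
    refs = {}
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"ip access-group (\S+) (?:in|out)$", s):
            refs.setdefault(m[1], []).append("interface filter")  # only role that drops packets
        elif m := re.match(r"ip nat inside source list (\S+)", s):
            refs.setdefault(m[1], []).append("nat source list")
        elif m := re.match(r"acl (\S+)$", s):
            refs.setdefault(m[1], []).append("vpn split-tunnel")  # 'acl' under the isakmp client group
    return refs

def standard_acl_permits(config, acl, host):
    """True if a 'permit <network> <wildcard>' entry of standard ACL `acl` covers host.
    Assumes contiguous wildcard masks (0.0.0.255 -> /24), which is all this config uses."""
    host = ip_address(host)
    octets = r"(\d+\.\d+\.\d+\.\d+)"
    for line in config.splitlines():
        if m := re.match(rf"access-list {acl} permit {octets} {octets}$", line.strip()):
            net, wildcard = m.groups()
            prefix = 32 - int(ip_address(wildcard)).bit_length()
            if host in ip_network(f"{net}/{prefix}", strict=False):
                return True
    return False

def diagnose(config, host):
    """Is any ACL applied as a packet filter, and does the NAT source list cover host?"""
    refs = acl_references(config)
    nat_acls = [a for a, roles in refs.items() if "nat source list" in roles]
    return {
        "interface_filters": sorted(a for a, roles in refs.items() if "interface filter" in roles),
        "acl_100_roles": refs.get("100", []),
        "nat_covers_host": any(standard_acl_permits(config, a, host) for a in nat_acls),
    }
```

For the posted config diagnose(CONFIG, "192.168.32.100") reports no interface filters, ACL 100 in the split-tunnel role only, and the host covered by NAT list 1, so the next things to check are on the embedded unit and the upstream path rather than in this router's ACLs.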

Accepted Solution

by:
Bardlebee earned 250 total points
ID: 33546654
It's my understanding that the access lists on a brand-new Cisco router do not block anything, so all your ports should be open. But I am just a CCENT... which I took like 6 months ago, so maybe someone with more knowledge could answer that.

With that said, you may want to try:

access-list 100 permit TCP any any 25

I think that is it; that is from memory, but I believe that should unblock TCP port 25 for any network address.

Author Closing Comment

by:JeffA123
ID: 33560097
Looks like the command should be:

access-list 100 permit tcp any any eq 25

eq is equal

Expert Comment

by:Bardlebee
ID: 33560260
Did it work for you? Or have you concluded that it wasn't a blocking issue?