• Status: Solved

Cisco 800 series - cannot telnet through from an embedded unit

We have many embedded units in the field that use telnet to send email alerts (port 25). I seem to have difficulty from time to time with router configurations. The router config is attached. I configured this router with SDM (I am still learning the ins and outs of the CLI - getting pretty familiar with it). I did not configure a firewall. When I try to send a test email on a system that works, I can see the NAT translation using SHO NAT TRANS in the CLI. When I send a test email on this system, I do not see a port 25 entry from the embedded computer. I can VPN into the embedded computer (it has a webserver on it) and I see port 80 in the NAT translations.

My question is - does the access list block first or is it a NAT problem?

Building configuration...

Current configuration : 5353 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname xxxxx
logging buffered 51200
logging console critical
enable secret 5 $1$T9T7$1QwL9u3c.FSzZEz8F5CDp1
aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-41002357
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-41002357
 revocation-check none
 rsakeypair TP-self-signed-41002357
crypto pki certificate chain TP-self-signed-41002357
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34313030 32333537 301E170D 30323033 30313033 31353039
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D343130 30323335
  3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100AE79
  48790E6A 79A9F4D7 C4D24E14 7A58F5D8 A351D2A1 10EB6EDC 0D4EAD84 89F6A03B
  DBAFD84C D67CFABA D86D10EE F66C40DD 0E17B4D7 07F06CA5 FD9FD320 147712B9
  376D6429 AA41F5B1 AE9E935D BFBBC660 D3214E9D 3E445DDB 58F62350 92D41459
  C82987A7 BAFF0BDD F17C042D DF41B267 5EB48288 B2EBE787 A9453478 A8BD0203
  010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 551D1104
  1B301982 17526F75 74657243 572E4675 74757261 77617368 2E636F6D 301F0603
  551D2304 18301680 14E20749 776A764B 67C1B92C 924A42D9 23217DE4 DF301D06
  03551D0E 04160414 E2074977 6A764B67 C1B92C92 4A42D923 217DE4DF 300D0609
  2A864886 F70D0101 04050003 81810065 2A0D65EE 1392D292 C547ACAA 665CA2BE
  0215CE2F 0B53EE44 48272C6F E5ECFAB3 C1B73254 4D1EEED8 D5C670B5 7F84C731
  E27039B5 62E76F32 81C2FA51 D23BF5FE 57ABE4E9 D4E9398F E3A4AD2C 2AB48049
  60474B89 F0DFD597 D9264E99 2E66A95F 7BDE4E63 6A1A22A5 5EA7DDEE C23782EF
  5E82F84D B7ED4989 DEEFAC3F 384E08
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address
ip dhcp pool sdm-pool1
   import all
   dns-server 68.xx.xxx.x 68.xx.xxx.x
ip cef
no ip bootp server
ip domain name xxxxxxxxx.com
ip name-server 68.xx.xxx.x
ip name-server 68.xx.xxx.x
username xxxx privilege 15 secret 5 $1$P8gP$LBN.HjEWWyAsnGLoKpQr8/
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group xxxx
 key xxxxxxxx
 pool SDM_POOL_1
 acl 100
 max-users 10
crypto isakmp profile sdm-ike-profile-1
   match identity group sams
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
 set security-association idle-time 18000
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
 log config
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 99.xx.xxx.xxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
interface Vlan1
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
ip local pool SDM_POOL_1
ip forward-protocol nd
ip route 99.xx.xxx.xxx
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 443 interface FastEthernet4 443
ip nat inside source list 1 interface FastEthernet4 overload
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip any
access-list 100 permit ip any
no cdp run
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
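As an added illustration (not part of the original question or of either answer), the Python script below answers the ACL-versus-NAT question mechanically for a config excerpt constructed to resemble the one above. It records where each numbered ACL is referenced (only an `ip access-group` binding filters packets; in the posted config, list 1 is the NAT source list that selects what gets translated, and list 100 is named only as the `acl` under the crypto client configuration group, so neither one blocks anything), and it traces one inside-to-outside TCP flow in the order IOS applies: the inbound ACL on the inside interface first, then the `ip nat inside source list` rule. A host whose address is not covered by that list never gets an entry in `show ip nat translations`, which is the symptom described. All addresses, the group name `vpnusers`, and the `FILTERED_CONFIG` variant are constructed placeholders, not values from the posted config.

```python
"""Added example (not from the original post): parse an IOS-style config excerpt, list where
each numbered ACL is used, and trace one inside-to-outside TCP flow in IOS order (inbound ACL on
the inside interface first, then 'ip nat inside source' rules). Constructed excerpt only."""
import ipaddress

SAMPLE_CONFIG = """\
crypto isakmp client configuration group vpnusers
 acl 100
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit tcp any any eq 25
"""
# Constructed variant: an inbound filter on the LAN side that only lets web traffic out.
FILTERED_CONFIG = SAMPLE_CONFIG.replace(" ip nat inside\n", " ip nat inside\n ip access-group 101 in\n") \
    + "access-list 101 permit tcp any any eq www\n"
ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"smtp": 25, "www": 80, "telnet": 23, "https": 443}

def _addr(tokens, i):
    """Parse an ACL address spec (any | host A | A wildcard | A) at tokens[i] -> (network, next_i)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:          # address + wildcard mask
        mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF))
        return ipaddress.ip_network((tokens[i], mask), strict=False), i + 2
    return ipaddress.ip_network(tokens[i]), i + 1

def _ace(number, tokens):
    """tokens = ['permit'|'deny', ...] -> (action, proto, src_net, dst_net, dst_port or None)."""
    n = int(number)
    if n < 100 or 1300 <= n <= 1999:                                  # standard list: source only
        return tokens[0], "ip", _addr(tokens, 1)[0], ANY, None
    src, i = _addr(tokens, 2)
    dst, i = _addr(tokens, i)                                         # only 'eq <dst port>' is modelled
    port = (PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])) if tokens[i:i + 1] == ["eq"] else None
    return tokens[0], tokens[1], src, dst, port

def parse_config(text):
    """Return (interfaces, acls, nat_rules, refs); refs maps an ACL number to where it is used."""
    interfaces, acls, nat_rules, refs, section = {}, {}, [], {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "!":
            continue
        if not line.startswith(" "):
            section = parts                                           # enclosing top-level command
        if parts[0] == "interface":
            interfaces[parts[1]] = {"nat": None, "in": None, "out": None}
        elif line.startswith(" ") and section[0] == "interface" and parts[:2] == ["ip", "nat"]:
            interfaces[section[1]]["nat"] = parts[2]
        elif line.startswith(" ") and section[0] == "interface" and parts[:2] == ["ip", "access-group"]:
            interfaces[section[1]][parts[3]] = parts[2]               # the only binding that filters
            refs.setdefault(parts[2], []).append(f"ip access-group {parts[3]} on {section[1]}")
        elif line.startswith(" ") and parts[0] == "acl":              # split-tunnel list, filters nothing
            refs.setdefault(parts[1], []).append("acl under " + " ".join(section))
        elif parts[:4] == ["ip", "nat", "inside", "source"]:
            nat_rules.append(parts[4:])
            if parts[4] == "list":
                refs.setdefault(parts[5], []).append("ip nat inside source list (selects what is translated)")
        elif parts[0] == "access-list" and parts[2] in ("permit", "deny"):
            acls.setdefault(parts[1], []).append(_ace(parts[1], parts[2:]))
    return interfaces, acls, nat_rules, refs

def acl_permits(acls, number, proto, src, dst, dport):
    """First match top-down; the implicit deny at the end also covers an undefined list."""
    for action, p, s, d, port in acls.get(number, []):
        if p in ("ip", proto) and src in s and dst in d and port in (None, dport):
            return action == "permit"
    return False

def trace_flow(config_text, src, dst, dport, proto="tcp"):
    """Return (steps, verdict) for one flow from an inside host to an outside host."""
    interfaces, acls, nat_rules, _ = parse_config(config_text)
    src, dst, steps = ipaddress.ip_address(src), ipaddress.ip_address(dst), []
    for name, i in interfaces.items():                                # 1. inbound ACL, before NAT
        if i["nat"] == "inside" and i["in"] and not acl_permits(acls, i["in"], proto, src, dst, dport):
            steps.append(f"{name}: inbound ACL {i['in']} denies the flow")
            return steps, "blocked-before-nat"
    # 2. 'ip nat inside source list' rules; an outbound ACL on the outside interface would only
    #    be evaluated after this step, against the translated source (the posted config has none).
    for rule in nat_rules:
        if rule[0] == "list" and acl_permits(acls, rule[1], proto, src, dst, dport):
            steps.append(f"NAT: list {rule[1]} matches, source becomes the address of {rule[3]}")
            return steps, "translated"
    steps.append("NAT: no inside-source list matches; nothing will appear in 'show ip nat translations'")
    return steps, "no-translation"

if __name__ == "__main__":
    print(parse_config(SAMPLE_CONFIG)[3])
    for cfg, host in ((SAMPLE_CONFIG, "192.168.1.50"), (SAMPLE_CONFIG, "192.168.2.50"), (FILTERED_CONFIG, "192.168.1.50")):
        print(host, *trace_flow(cfg, host, "198.51.100.25", 25))
```

Running it shows the three outcomes a practitioner wants to tell apart: a host inside the NAT list is translated, a host outside it produces no translation at all (so nothing appears in `show ip nat translations`, exactly the symptom in the question), and in the filtered variant an inbound `ip access-group` denies port 25 before NAT is ever consulted. The `refs` output makes the other half of the answer visible: a list that is only named under a crypto group or as a NAT source list is not a filter.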

1 Solution
It's my understanding that the access-lists on a brand new Cisco router do not block anything, so all your ports should be open. But I am just a CCENT... which I took about 6 months ago, so maybe someone with more knowledge could answer that.

With that said you may want to try an:

access-list 100 permit TCP any any 25

I think that is it; that is from memory, but I believe that should unblock TCP port 25 for any network address.
JeffA123Author Commented:
Looks like the command should be:

access-list 100 permit tcp any any eq 25

eq is equal
Did it work for you? Or have you concluded that it wasn't a blocking issue?