Solved

Enable telnet to outside interface in NAT router (Cisco 1841)

Posted on 2012-03-12
11
3,374 Views
Last Modified: 2012-05-12
Hi everyone,

How do I enable telnet to the outside interface on a NAT router (Cisco 1841)?
I've searched EE and found this, but it's still not working:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_25291904.html

This is my config

BTG-LAN-1#sh start
Using 2293 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BTG-LAN-1
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.124-24.T6.bin
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.1.1 10.10.1.100
!
ip dhcp pool tm
   network 10.10.1.0 255.255.255.0
   default-router 10.10.1.1 
   dns-server 202.188.0.133 202.188.1.5 8.8.8.8 
!
!
ip cef
ip name-server 202.188.1.5
ip name-server 202.188.0.133
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
username manager privilege 15 secret 5 $1$sad3$EFEyT3O5KatGz619s2Hu70
archive
 log config
  hidekeys
! 
!
!
!
!
!
!
!
interface FastEthernet0/0
 description *** Unifi FTTx interface ***
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 500
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 description *** LAN interface ***
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname betategap@unifibiz
 ppp chap password 7 083747635C0A1C0D22011B230E05
 ppp pap sent-username betategap@unifibiz password 7 03125026531C38567E030E22333C4B
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
!
ip access-list extended DSL_ACCESSLIST
 permit ip any any
!
access-list 23 permit any
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 30 0
 password 7 01313237793C2A3E701B1958
 login local
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
 password 7 13272321293B281B7A737F62
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

BTG-LAN-1# 


0
Question by:netazim
11 Comments
 
LVL 17

Expert Comment

by:lruiz52
ID: 37713394
I would recommend setting up SSH instead of telnet for outside access, but for telnet try below;

create an access-list 101 like below for telnet:
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq telnet
access-list 101 deny ip any any

and apply to your dialer interface.
int dialer 1
ip access-group 101 in

If you want to only allow certain IPs access to telnet then modify
access-list 23 and apply it to the line:

access-list 23 permit xxx.xxx.xxx.xxx
access-list 23 permit xxx.xxx.xxx.xxx
access-list 23 deny any

hope this helps.
0
 
LVL 11

Expert Comment

by:Khandakar Ashfaqur Rahman
ID: 37713971
It's better to use SSH for security reasons. And to access your router from the outside interface you need to know the public IP of your OUT interface. If that is dynamic then it's quite difficult for you to collect the current public IP of your router again and again.
0
 
LVL 1

Author Comment

by:netazim
ID: 37718604
Hi,

I've put

access-list 101 permit ip any any

and

interface Dialer1
 ip access-group 101 in


but it's still not working; do I have to reboot the router?
0
 
LVL 1

Author Comment

by:netazim
ID: 37718607
btw,

what is "access-list 101 permit tcp any any established" actually?
0
 
LVL 17

Expert Comment

by:lruiz52
ID: 37718635
Go ahead and try a reboot.


The "established" keyword is used to indicate an established connection for TCP protocol. An established connection can be considered as the TCP traffic originating inside your network, not from an external network.

This means that the packets belong to an existing connection if the Transmission Control Protocol (TCP) segment has the Acknowledgment (ACK) or Reset (RST) bit set.
0
 
LVL 1

Author Comment

by:netazim
ID: 37720479
I've rebooted the router, but still I can't telnet to that router using the outside interface...
0
 
LVL 1

Author Comment

by:netazim
ID: 37720519
This is the latest file:

BTG-LAN-1#sh ver
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(24)T6,
 RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 23-Aug-11 00:41 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

BTG-LAN-1 uptime is 3 hours, 8 minutes
System returned to ROM by power-on
System image file is "flash:c1841-adventerprisek9-mz.124-24.T6.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1841 (revision 7.0) with 120832K/10240K bytes of memory.
Processor board ID FHK1249213X
2 FastEthernet interfaces
1 Serial(sync/async) interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

BTG-LAN-1#sh start
Using 2341 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BTG-LAN-1
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.124-24.T6.bin
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.1.1 10.10.1.100
!
ip dhcp pool tm
   network 10.10.1.0 255.255.255.0
   default-router 10.10.1.1
   dns-server 202.188.0.133 202.188.1.5 8.8.8.8
!
!
ip cef
ip name-server 202.188.1.5
ip name-server 202.188.0.133
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
username manager privilege 15 secret 5 $1$sad3$EFEyT3O5KatGz619s2Hu70
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description *** Unifi FTTx interface ***
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 500
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 description *** LAN interface ***
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Dialer1
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname betategap@unifibiz
 ppp chap password 7 083747635C0A1C0D22011B230E05
 ppp pap sent-username betategap@unifibiz password 7 03125026531C38567E030E22333C4B
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
!
ip access-list extended DSL_ACCESSLIST
 permit ip any any
!
access-list 23 permit any
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 30 0
 password 7 01313237793C2A3E701B1958
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
 password 7 13272321293B281B7A737F62
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

BTG-LAN-1#


0
 
LVL 17

Expert Comment

by:lruiz52
ID: 37720831
Try adding the lines below:

ip http server
ip http access-class 23

and try this:

line vty 0 4
  login local

then log in as manager.
0
 
LVL 1

Author Comment

by:netazim
ID: 37721080
ip http server
ip http access-class 23

I've done that; see my config above.

line vty 0 4
  login local
I've added this, can't telnet yet.. :-(
0
 
LVL 1

Accepted Solution

by: netazim earned 0 total points
ID: 37940411
The solution is using this config:

ip nat inside source static tcp 10.10.1.1 23 interface dialer1 23


0
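The two mechanisms the thread turns on, lruiz52's inbound access-list 101 with the "established" keyword and the accepted static port mapping, are easier to reason about side by side. The following Python model is an added example and is not code from the thread or from Cisco; it imitates how IOS handles a packet arriving on the outside interface: the inbound ACL is evaluated first (against the untranslated Dialer1 address and port, with first match winning and an implicit deny at the end), then the translation table is consulted, and a packet that matches no translation is handed to the router itself. The Dialer1 address, the sample packets and the dynamic PAT session are all constructed values; the real Dialer1 address is negotiated over PPPoE.

```python
"""Model of the inbound packet path on a Cisco IOS NAT outside interface.

Added example, not code from the thread or from Cisco. It imitates:
  1. an inbound extended ACL like lruiz52's access-list 101, including the
     "established" keyword, which matches only TCP segments carrying the
     ACK or RST bit (return traffic of sessions opened from inside), and
  2. the accepted solution's static mapping,
     ip nat inside source static tcp 10.10.1.1 23 interface dialer1 23.
IOS checks the inbound ACL before outside-to-inside translation, so the
ACL sees the untranslated Dialer1 address and port.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

DIALER1_IP = "198.51.100.7"  # constructed placeholder for the negotiated address

Endpoint = Tuple[str, int]                   # (ip, port)
NatTable = Dict[Tuple[str, int], Endpoint]   # (proto, outside port) -> inside endpoint


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    dport: Optional[int] = None  # None means any destination port
    established: bool = False    # the IOS "established" keyword

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established:
            # IOS treats a TCP segment with ACK or RST set as "established";
            # the check is per packet, not per session.
            return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})
        return True


def acl_verdict(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


def inbound(acl: List[AclEntry], nat: NatTable, pkt: Packet) -> Tuple[str, Optional[Endpoint]]:
    """Return (what happened, where the packet ended up) for a packet arriving on Dialer1."""
    if pkt.dst != DIALER1_IP:
        return ("not addressed to Dialer1", None)
    if acl_verdict(acl, pkt) == "deny":
        return ("dropped by inbound ACL", None)
    inside = nat.get((pkt.proto, pkt.dport))
    if inside is not None:
        return ("translated", inside)
    # No translation: the packet is for the router itself (vty, HTTP server, ...).
    return ("delivered to router", (pkt.dst, pkt.dport))


# access-list 101 as lruiz52 proposed it
ACL_101 = [
    AclEntry("permit", "tcp", established=True),
    AclEntry("permit", "tcp", dport=23),
    AclEntry("deny", "ip"),
]
# access-list 101 permit ip any any, as the asker configured it
ACL_101_PERMIT_ANY = [AclEntry("permit", "ip")]

# The accepted solution, as a permanent entry of the translation table.
STATIC_TELNET: NatTable = {("tcp", 23): ("10.10.1.1", 23)}
# Constructed dynamic PAT entry for a web session an inside host opened.
PAT_SESSION: NatTable = {("tcp", 50001): ("10.10.1.50", 49321)}

# Constructed sample packets as seen on the outside interface.
TELNET_SYN = Packet("tcp", "203.0.113.9", DIALER1_IP, 23, frozenset({"SYN"}))
HTTP_SYN = Packet("tcp", "203.0.113.9", DIALER1_IP, 80, frozenset({"SYN"}))
WEB_REPLY = Packet("tcp", "203.0.113.10", DIALER1_IP, 50001, frozenset({"ACK"}))
STRAY_ACK = Packet("tcp", "203.0.113.9", DIALER1_IP, 22, frozenset({"ACK"}))
DNS_QUERY = Packet("udp", "203.0.113.9", DIALER1_IP, 53)


def demo() -> Dict[str, Tuple[str, Optional[Endpoint]]]:
    full_nat = {**STATIC_TELNET, **PAT_SESSION}
    return {
        "telnet syn, acl 101, static nat": inbound(ACL_101, full_nat, TELNET_SYN),
        "telnet syn, permit any, no static": inbound(ACL_101_PERMIT_ANY, PAT_SESSION, TELNET_SYN),
        "http syn, acl 101": inbound(ACL_101, full_nat, HTTP_SYN),
        "web reply, acl 101": inbound(ACL_101, full_nat, WEB_REPLY),
        "stray ack to 22, acl 101": inbound(ACL_101, full_nat, STRAY_ACK),
        "dns query, acl 101": inbound(ACL_101, full_nat, DNS_QUERY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:36} -> {result}")
```

Two points the model makes visible: with the asker's `permit ip any any` and no static entry, the telnet SYN is not stopped by the ACL at all and is handed to the router, so the access list was not what blocked the session; and `established` is a stateless per-packet test, so a lone ACK to a port with no matching session is still permitted by the ACL and reaches the router, which is why `access-class` on the vty lines (restricting source addresses) and SSH in place of telnet remain the controls worth keeping.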
 
LVL 1

Author Closing Comment

by:netazim
ID: 37960055
I googled it, found this, tried it, and it's working.
0
