I cannot telnet to my Ethernet0 interface from the outside. Ethernet0 is my WAN interface, and Ethernet1 is my LAN interface which is doing NAT. I am able to telnet to the module from the LAN side, using the LAN IP. I have written an access-list that permits incoming telnet from the outside from a certain subnet. When a telnet connection is attempted from a permitted IP, the counter on the rule increments, but I do not get a login screen.
Here is what I have configured for terminal access:
line con 0
line vty 0 3
password 7 105D5D5D24444012
login
line vty 4
login
!
end

Here it is.
access-list 150 permit icmp 12.175.125.0 0.0.0.127 any echo
access-list 150 permit icmp 156.12.0.0 0.0.255.255 any echo
access-list 150 deny icmp any any echo
access-list 150 permit tcp host 12.175.125.2 any eq telnet
access-list 150 permit tcp host 12.175.125.3 any eq telnet
access-list 150 permit tcp 156.12.0.0 0.0.255.255 any eq telnet
access-list 150 permit tcp 12.175.125.0 0.0.0.127 any eq 48294
access-list 150 permit tcp 156.12.0.0 0.0.255.255 any eq 48294
access-list 150 deny tcp any any eq 48294
access-list 150 deny 53 any any
access-list 150 deny 55 any any
access-list 150 deny 77 any any
access-list 150 deny 103 any any
access-list 150 deny tcp any any eq telnet
access-list 150 deny udp any any range 135 netbios-ss
access-list 150 deny udp any any range 1433 1434
access-list 150 deny udp any any eq 443
access-list 150 deny udp any any eq 445
access-list 150 permit udp any any
access-list 150 deny tcp any any range 135 139
access-list 150 deny tcp any any range 1433 1434
access-list 150 deny tcp any any eq 1080
access-list 150 deny tcp any any eq 8080
access-list 150 deny tcp any any eq 3120
access-list 150 deny tcp any any eq smtp
access-list 150 permit ip any any
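
The counters tell you which entry a connection hits, but it helps to be able to check that offline. The following Python is an added example, not code from the thread: a small evaluator that applies Cisco's first-match semantics (wildcard masks, optional port ranges, trailing ICMP type, implicit deny at the end) to the access-list 150 posted above. It assumes the list is applied inbound on Ethernet0, uses 200.2.2.17 as a stand-in for the Ethernet0 address, and its keyword tables cover only the names this particular ACL uses.

```python
import ipaddress
from collections import namedtuple

# Sample input: the poster's access-list 150, copied verbatim from the thread.
ACL_150 = """\
access-list 150 permit icmp 12.175.125.0 0.0.0.127 any echo
access-list 150 permit icmp 156.12.0.0 0.0.255.255 any echo
access-list 150 deny icmp any any echo
access-list 150 permit tcp host 12.175.125.2 any eq telnet
access-list 150 permit tcp host 12.175.125.3 any eq telnet
access-list 150 permit tcp 156.12.0.0 0.0.255.255 any eq telnet
access-list 150 permit tcp 12.175.125.0 0.0.0.127 any eq 48294
access-list 150 permit tcp 156.12.0.0 0.0.255.255 any eq 48294
access-list 150 deny tcp any any eq 48294
access-list 150 deny 53 any any
access-list 150 deny 55 any any
access-list 150 deny 77 any any
access-list 150 deny 103 any any
access-list 150 deny tcp any any eq telnet
access-list 150 deny udp any any range 135 netbios-ss
access-list 150 deny udp any any range 1433 1434
access-list 150 deny udp any any eq 443
access-list 150 deny udp any any eq 445
access-list 150 permit udp any any
access-list 150 deny tcp any any range 135 139
access-list 150 deny tcp any any range 1433 1434
access-list 150 deny tcp any any eq 1080
access-list 150 deny tcp any any eq 8080
access-list 150 deny tcp any any eq 3120
access-list 150 deny tcp any any eq smtp
access-list 150 permit ip any any
"""
PROTO_NUMS = {"icmp": 1, "tcp": 6, "udp": 17}              # only the keywords this ACL uses
PORT_NAMES = {"telnet": 23, "smtp": 25, "netbios-ss": 139}  # likewise; IOS knows many more

# proto: IP protocol number, None = "ip" (any). src/dst: (network, wildcard mask).
# sport/dport: inclusive (lo, hi) port range or None. icmp_type: keyword such as "echo".
Rule = namedtuple("Rule", "action proto src dst sport dport icmp_type")
Packet = namedtuple("Packet", "src dst proto sport dport icmp_type", defaults=(0, 0, None))

def wildcard_match(addr, network, wildcard):
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)  # wildcard 1-bits are don't-care

def _addr(tok, i):
    # 'any' | 'host A' | 'A WILDCARD' at tok[i] -> ((network, wildcard mask), next index)
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _port(tok, i):
    # Optional 'eq P' or 'range P Q' at tok[i] -> ((lo, hi) or None, next index)
    num = lambda t: PORT_NAMES.get(t) or int(t)
    if i < len(tok) and tok[i] == "eq":
        return (num(tok[i + 1]),) * 2, i + 2
    if i < len(tok) and tok[i] == "range":
        return (num(tok[i + 1]), num(tok[i + 2])), i + 3
    return None, i

def parse_acl(text):
    rules = []
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        p = tok[3]
        proto = None if p == "ip" else PROTO_NUMS[p] if p in PROTO_NUMS else int(p)
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        icmp_type = tok[i] if i < len(tok) else None
        rules.append(Rule(tok[2], proto, src, dst, sport, dport, icmp_type))
    return rules

def matches(r, p):
    in_range = lambda rng, port: rng is None or rng[0] <= port <= rng[1]
    return ((r.proto is None or r.proto == p.proto)
            and wildcard_match(p.src, *r.src) and wildcard_match(p.dst, *r.dst)
            and in_range(r.sport, p.sport) and in_range(r.dport, p.dport)
            and (r.icmp_type is None or r.icmp_type == p.icmp_type))

def evaluate(rules, pkt):
    # First match wins; IOS ends every ACL with an implicit "deny ip any any".
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, idx  # idx = 0-based position in the list
    return "deny", None

RULES = parse_acl(ACL_150)
WAN = "200.2.2.17"  # stand-in for the router's Ethernet0 address (assumed, not from the poster)
def check_telnet(src):
    # Verdict for a Telnet SYN from `src` arriving inbound on Ethernet0.
    return evaluate(RULES, Packet(src, WAN, 6, sport=40000, dport=23))

if __name__ == "__main__":
    print({s: check_telnet(s) for s in ("12.175.125.2", "156.12.4.4", "1.2.3.4")})
```

Run stand-alone it reports that Telnet from 12.175.125.2 and from the 156.12.0.0/16 block lands on the permit entries whose counters were seen incrementing (positions 3 and 5), while any other source falls through to the deny tcp any any eq telnet entry (position 13). A permit here only means the packet was handed to the router's own TCP stack; what the vty does with it is decided by the line configuration, not by this list.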

OK, I automatically assume you are using private IP addresses inside your network, right?
What kind of NAT are we talking about here?
Port address translation, static, or dynamic NAT? Let's just say if that's the case, then you will have to configure your NAT to translate.
Correct me if I am wrong, I am not very good at this.

I don't see what NAT has to do with it. I do not need to traverse the NAT to telnet to a machine on the local LAN. All I need to do is telnet to the unit's WAN port, Ethernet0, which has a public routable IP address.
Like I said before, the ACL for telnet permissions seems to work correctly, because the appropriate rule counters increment when I attempt connections. So the TCP connection is established on TCP:23, it just seems as if the Cisco is not returning anything. I sniffed traffic and the Cisco is indeed not sending back any ACKs.

sorry for making this unclear
The reason why telnet works inside your LAN is 1: you are using private IP addressing; 2: NAT has no effect inside the LAN.
You know what "inside local", "inside global" and "outside global" are, right?
12.175.125.2, 12.175.125.3, 156.12.0.0, those IP addresses are going to be the outside global IP addresses, that is, routable addresses.
Let's say when 12.175.125.2 is trying to telnet into the router, your predefined ACL will increment by 1, but you will not get a telnet screen because of NAT.
Let me explain this. Let's assume you got 10.10.10.1 for your E1 and 200.2.2.17 for your E0. When the telnet comes in, your ACL will act, but the router will not send any response because 10.10.10.1 will not be able to translate into an inside global IP address, and therefore it will not be routed.

Let's try this.
Let's assume your router is named LAN. Go into conf t first.
So it will be like this:
lan(config)#access-list 1 permit 10.10.10.0 0.0.0.255
lan(config)#ip nat inside source list 1 interface e0 overload
Now you have to specify the interfaces:
lan(config)#interface ethernet 1
lan(config-if)#ip nat inside
lan(config-if)#interface e0
lan(config-if)#ip nat outside
"The reason why telnet works inside your LAN is 1: you are using private IP addressing; 2: NAT has no effect inside the LAN."
Let me clarify that statement, I didn't make it clear. NAT has no effect inside the LAN because it's not going to be routed out your E0 interface. NAT doesn't care what's going on inside your LAN; it only cares about the packets being sent out and translates that address into a publicly recognizable address.

I am sorry, I forgot to add one more thing.
lan(config)#ip route 0.0.0.0 0.0.0.0 ethernet 0
That will forward any unknown destination traffic out to Ethernet 0.

Ryan,
I appreciate your help. However, I already have my router properly configured for NAT. All nodes connected to E1 are on 192.168.1.0/24, and NAT to my E0 IP address. I have exactly what you posted in terms of configuration for the NAT.
I still do not understand why NAT would have anything to do with telnetting to an interface that has a public, routable IP address.
The problem has to be something else....

OK, since I am puzzled too :P I decided to look it up in my Cisco book.
I saw something that might help you to solve the problem.
Did you apply access-class to your vty lines when you created the ACL?

NAT is not really part of this (unless this is a router behind a router).
Have you checked that telnet is enabled for the VTYs (because I think it's disabled by default)? The command is transport input $protocol_type, where $protocol_type could be something like all or telnet.
Something like:
line vty 0 4
transport input telnet
password $password_string
login
Of course, you can use an auth list too. Double-check the syntax, I don't maintain routers by day.
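
The two replies above ask about exactly the line-level settings that decide whether a vty answers at all: transport input, an access-class, and the login/password pairing. The following Python is an added example (not code from the thread): it parses IOS line stanzas and reports those settings for the configuration posted at the top of the thread and for a constructed corrected version. In the corrected version, access-list 10 is assumed to exist and to permit the management hosts; the type 7 password string is the poster's own.

```python
import re

# Sample input: the poster's terminal-access configuration, copied verbatim from the thread.
POSTED = """\
line con 0
line vty 0 3
password 7 105D5D5D24444012
login
line vty 4
login
!
end
"""

# Constructed counterpart with the settings the replies ask about made explicit
# (access-list 10 is assumed to exist and to permit the management hosts).
FIXED = """\
line vty 0 4
 access-class 10 in
 transport input telnet
 password 7 105D5D5D24444012
 login
!
"""

def parse_lines(text):
    # Group sub-commands under their 'line <type> <first> [last]' header; '!' or 'end' closes a stanza.
    stanzas, cur = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s in ("!", "end"):
            cur = None
            continue
        m = re.match(r"line (\S+) (\d+)(?: (\d+))?$", s)
        if m:
            kind, first, last = m.group(1), int(m.group(2)), int(m.group(3) or m.group(2))
            cur = {"kind": kind, "first": first, "last": last, "cmds": []}
            stanzas.append(cur)
        elif cur is not None:
            cur["cmds"].append(s)
    return stanzas

def audit_vty(text):
    # Return {"vty <first> [last]": [finding, ...]} for every vty stanza in `text`.
    report = {}
    for st in parse_lines(text):
        if st["kind"] != "vty":
            continue
        label = f"vty {st['first']}" + (f" {st['last']}" if st["last"] != st["first"] else "")
        cmds, f = st["cmds"], []
        has_pw = any(c.startswith("password ") for c in cmds)
        transport = [c for c in cmds if c.startswith("transport input ")]
        if "login" in cmds and not has_pw:   # plain 'login' checks the line password; none is set
            f.append("ERROR: 'login' with no 'password': IOS closes the session with "
                     "'Password required, but none set'")
        if "no login" in cmds:
            f.append("ERROR: 'no login': an exec prompt is given without any authentication")
        if not transport:
            f.append("WARN: no explicit 'transport input'; accepted protocols depend on the IOS release default")
        elif not any(k in transport[-1].split()[2:] for k in ("telnet", "all")):
            f.append("WARN: 'transport input' does not include telnet, so Telnet is refused on this line")
        if any(c.startswith("password 7 ") for c in cmds):
            f.append("INFO: type 7 password is reversibly encoded; prefer 'login local' with 'username ... secret'")
        for c in cmds:
            if c.startswith("access-class ") and c.endswith(" in"):
                f.append(f"INFO: '{c}' is also enforced; its ACL must permit the connecting source")
        report[label] = f
    return report

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        for line, findings in audit_vty(cfg).items():
            print(name, line, findings)
```

On the posted configuration the audit reports that vty 0 3 has no explicit transport input and uses a type 7 (reversible) password, and that vty 4 has login with no password, which IOS answers with "Password required, but none set" before closing the connection. Since IOS hands a new session the lowest free vty, that last finding only bites once vty 0 to 3 are occupied (including by sessions that have hung), so it is a hygiene finding here rather than a proven cause; the constructed FIXED stanza produces no ERROR or WARN lines.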

Well, I am out of ideas.
You might want to try asking your question on the Cisco forum:
http://forums.cisco.com/eforum/servlet/NetProf?page=main

I ended up fixing it, kind of. Since I can successfully telnet to the device from the Ethernet1 side of the router, I decided to port forward any telnet requests on the Ethernet0 side of the router to the IP address of Ethernet1. This works, but it's not how I would like to do it.
