Telnet Problems

Discussion in 'Cisco' started by paul tomlinson, Apr 23, 2004.

  1. Guys I've set up VPN between three sites - but I'm having problems
    telnetting a server in one of the remote sites - I can send pings but
    not telnet (to an AS400 so port 23) AS400 is on 10.1.1.0 network

    Anyone got any ideas?

    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    no names
    access-list out-acl permit icmp any any echo-reply
    access-list out-acl permit icmp any any unreachable
    access-list out-acl permit icmp any any time-exceeded
    access-list out-acl permit icmp any any source-quench
    access-list out-acl permit icmp any any parameter-problem
    access-list out-acl permit tcp any any eq ssh
    access-list out-acl permit tcp any any eq pcanywhere-data
    access-list out-acl permit tcp any any eq 5632
    access-list out-acl permit tcp any any eq telnet
    access-list nonat permit ip 10.5.1.0 255.255.255.0 host 192.65.144.190
    access-list nonat permit ip 10.5.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nonat permit ip 10.5.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat permit ip 10.5.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list londonvpn permit ip 10.5.1.0 255.255.255.0 host 192.65.144.190
    access-list londonvpn permit ip 10.5.1.0 255.255.255.0 host 192.168.2.1
    access-list londonvpn permit ip 10.5.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list us-vpn permit ip 10.5.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list us-vpn permit tcp 10.5.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq telnet
    pager lines 24
    logging on
    logging monitor debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.xxx.xxx 255.255.255.248
    ip address inside 10.5.1.10 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pptp-pool 192.168.1.1-192.168.1.50
    ip local pool pptp-pool1 192.168.2.1-192.168.2.50
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group out-acl in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xx2 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 50 set transform-set 3des-sha
    crypto map corpvpn 2 ipsec-isakmp
    crypto map corpvpn 2 match address londonvpn
    crypto map corpvpn 2 set peer yyy.yyy.yyy.yyy
    crypto map corpvpn 2 set transform-set 3des-sha
    crypto map corpvpn 20 ipsec-isakmp
    crypto map corpvpn 20 match address us-vpn
    crypto map corpvpn 20 set peer zzz.zzz.zzz.zzz
    crypto map corpvpn 20 set transform-set 3des-sha
    crypto map corpvpn interface outside
    isakmp enable outside
    isakmp key ******** address yyy.yyy.yyy.yyy netmask 255.255.255.255
    isakmp key ******** address zzz.zzz.zzz.zzz netmask 255.255.255.255
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 5 authentication pre-share
    isakmp policy 5 encryption 3des
    isakmp policy 5 hash sha
    isakmp policy 5 group 2
    isakmp policy 5 lifetime 3600
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto
    vpdn group 1 client configuration address local pptp-pool1
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username remote password ********
    vpdn enable outside
    terminal width 80
     
    paul tomlinson, Apr 23, 2004
    #1

  2. paul tomlinson

    Ben Guest

    you have ip connectivity so look at the transport layer - this is assuming
    the application on the telnet server is ok

    do a debug telnet at each connecting router (and similar for the server).
    try to find out if telnet packets are getting through to the server.

    change or create access-lists at each hop to log telnet packets. see if
    there is an ACL somewhere blocking port 23.

    make sure your vty lines are configured with 'transport output telnet'


    "paul tomlinson" <> wrote in message
    news:...
    > Guys I've set up VPN between three sites - but I'm having problems
    > telnetting a server in one of the remote sites - I can send pings but
    > not telnet (to an AS400 so port 23) AS400 is on 10.1.1.0 network
    >
    > Anyone got any ideas?
    >
    > interface ethernet0 auto
    > interface ethernet1 auto
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol ils 389
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > no names
    > access-list out-acl permit icmp any any echo-reply
    > access-list out-acl permit icmp any any unreachable
    > access-list out-acl permit icmp any any time-exceeded
    > access-list out-acl permit icmp any any source-quench
    > access-list out-acl permit icmp any any parameter-problem
    > access-list out-acl permit tcp any any eq ssh
    > access-list out-acl permit tcp any any eq pcanywhere-data
    > access-list out-acl permit tcp any any eq 5632
    > access-list out-acl permit tcp any any eq telnet
    > access-list nonat permit ip 10.5.1.0 255.255.255.0 host 192.65.144.190
    > access-list nonat permit ip 10.5.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    > access-list nonat permit ip 10.5.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    > access-list nonat permit ip 10.5.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    > access-list londonvpn permit ip 10.5.1.0 255.255.255.0 host 192.65.144.190
    > access-list londonvpn permit ip 10.5.1.0 255.255.255.0 host 192.168.2.1
    > access-list londonvpn permit ip 10.5.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    > access-list us-vpn permit ip 10.5.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    > access-list us-vpn permit tcp 10.5.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq telnet
    > pager lines 24
    > logging on
    > logging monitor debugging
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside xxx.xxx.xxx.xxx 255.255.255.248
    > ip address inside 10.5.1.10 255.255.255.0
    > ip verify reverse-path interface outside
    > ip audit info action alarm
    > ip audit attack action alarm
    > ip local pool pptp-pool 192.168.1.1-192.168.1.50
    > ip local pool pptp-pool1 192.168.2.1-192.168.2.50
    > pdm logging informational 100
    > pdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 0 access-list nonat
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > access-group out-acl in interface outside
    > route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xx2 1
    > timeout xlate 0:05:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server LOCAL protocol local
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > sysopt connection permit-ipsec
    > sysopt connection permit-pptp
    > crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
    > crypto dynamic-map dynmap 50 set transform-set 3des-sha
    > crypto map corpvpn 2 ipsec-isakmp
    > crypto map corpvpn 2 match address londonvpn
    > crypto map corpvpn 2 set peer yyy.yyy.yyy.yyy
    > crypto map corpvpn 2 set transform-set 3des-sha
    > crypto map corpvpn 20 ipsec-isakmp
    > crypto map corpvpn 20 match address us-vpn
    > crypto map corpvpn 20 set peer zzz.zzz.zzz.zzz
    > crypto map corpvpn 20 set transform-set 3des-sha
    > crypto map corpvpn interface outside
    > isakmp enable outside
    > isakmp key ******** address yyy.yyy.yyy.yyy netmask 255.255.255.255
    > isakmp key ******** address zzz.zzz.zzz.zzz netmask 255.255.255.255
    > isakmp identity address
    > isakmp nat-traversal 20
    > isakmp policy 5 authentication pre-share
    > isakmp policy 5 encryption 3des
    > isakmp policy 5 hash sha
    > isakmp policy 5 group 2
    > isakmp policy 5 lifetime 3600
    > telnet 0.0.0.0 0.0.0.0 inside
    > telnet timeout 5
    > ssh 0.0.0.0 0.0.0.0 outside
    > ssh timeout 5
    > console timeout 0
    > vpdn group 1 accept dialin pptp
    > vpdn group 1 ppp authentication pap
    > vpdn group 1 ppp authentication chap
    > vpdn group 1 ppp authentication mschap
    > vpdn group 1 ppp encryption mppe auto
    > vpdn group 1 client configuration address local pptp-pool1
    > vpdn group 1 pptp echo 60
    > vpdn group 1 client authentication local
    > vpdn username remote password ********
    > vpdn enable outside
    > terminal width 80
     
    Ben, Apr 25, 2004
    #2

  3. In article <amKic.9259$>,
    Ben <> top-posted:
    :you have ip connectivity so look at the transport layer - this is assuming
    :the application on the telnet server is ok

    :make sure your vty lines are configured with 'transport output telnet'

    Normally sound advice, but notice...

    :"paul tomlinson" <> wrote in message
    :news:...

    :> no names

    That command and some of the others listed by Paul are dead giveaways
    that Paul is trying to configure a PIX, not an IOS device. PIX do not
    have vty lines or any equivalent to 'transport output telnet'.
    --
    "I want to make sure [a user] can't get through ... an online
    experience without hitting a Microsoft ad"
    -- Steve Ballmer [Microsoft Chief Executive]
     
    Walter Roberson, Apr 25, 2004
    #3