Question

  • #2256714

    Cisco 1841 router not allowing access

    Locked

    by mclarksonaz ·

    I have a brand new Cisco 1841 with T1 WIC and the built-in security
    package. I have never been able to connect to it from any port other
    than the serial console port. All others give no response. I have tried
    the html port, the telnet, SSH, and even ftp. I have configured them
    via the console cable and can ping them all day but can’t get any other
    response. What am I missing? Included below is a copy of “sh run”,
    edited to replace all public IPs with 1.1.1.1 and password hashes and
    RSA keys with *.

    router#sh run
    Building configuration…

    Current configuration : 6343 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service sequence-numbers
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 10 log
    security passwords min-length 6
    logging buffered 51200 warnings
    logging console critical
    enable secret 5 *
    enable password 7 *
    !
    no aaa new-model
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    no ip source-route
    no ip gratuitous-arps
    ip cef
    !
    !
    ip inspect audit-trail
    ip inspect udp idle-time 1800
    ip inspect dns-timeout 7
    ip inspect tcp idle-time 14400
    ip inspect name autosec_inspect cuseeme timeout 3600
    ip inspect name autosec_inspect ftp timeout 3600
    ip inspect name autosec_inspect http timeout 3600
    ip inspect name autosec_inspect rcmd timeout 3600
    ip inspect name autosec_inspect realaudio timeout 3600
    ip inspect name autosec_inspect smtp timeout 3600
    ip inspect name autosec_inspect tftp timeout 30
    ip inspect name autosec_inspect udp timeout 15
    ip inspect name autosec_inspect tcp timeout 3600
    !
    !
    no ip bootp server
    ip domain name fakename.com
    ip name-server 1.1.1.1
    ip name-server 1.1.1.1
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh source-interface FastEthernet0/0
    login block-for 5 attempts 5 within 5
    !
    !
    !
    crypto pki trustpoint TP-self-signed-*
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-*
    revocation-check none
    rsakeypair TP-self-signed-*
    !
    !
    crypto pki certificate chain TP-self-signed-*
    certificate self-signed 01*
    quit
    username cisco privilege 15 secret 5 *
    username administrator privilege 15 password 7 *
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    description EXTRA LAN PORT
    no ip address
    ip access-group 103 in
    ip access-group 101 out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip nat inside
    ip virtual-reassembly
    shutdown
    duplex auto
    speed auto
    no mop enabled
    !
    interface FastEthernet0/1
    description INSIDE LAN
    ip address 192.168.0.200 255.255.255.0
    ip access-group 103 in
    ip access-group 101 out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip nat inside
    ip rip v2-broadcast
    ip virtual-reassembly
    duplex auto
    speed auto
    no mop enabled
    !
    interface Serial0/0/0
    description OUTSIDE CENTURY TEL T1 INTERNET SERVICE
    bandwidth 1536
    ip address 1.1.1.1 255.255.255.252
    ip access-group 103 in
    ip access-group 101 out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip inspect autosec_inspect out
    ip nat outside
    ip rip v2-broadcast
    ip virtual-reassembly
    encapsulation ppp
    service-module t1 timeslots 1-24
    service-module t1 remote-alarm-enable
    service-module t1 fdl both
    !
    router rip
    version 2
    passive-interface FastEthernet0/1
    passive-interface Serial0/0/0
    network 192.168.0.0
    no auto-summary
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat pool fakename 1.1.1.1 1.1.1.1 netmask 255.255.255.248
    ip nat inside source list 1 pool fakename overload
    ip nat inside source static tcp 192.168.0.200 23 64.238.253.242 23 extendable
    !
    ip access-list extended autosec_firewall_acl
    permit udp any any eq bootpc
    deny ip any any
    permit ip host 192.168.0.14 any
    !
    logging trap debugging
    logging facility local2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 2 permit any
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 101 permit tcp any any
    access-list 101 permit ip any any
    access-list 103 permit tcp any any
    access-list 103 permit icmp any any
    access-list 103 permit ip any any
    access-list 103 permit tcp any eq telnet host 192.168.0.200 eq telnet
    access-list compiled
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !
    control-plane
    !
    banner login ^CCCC
    ——————————————————
    —————–
    Welcome to the router.

    Any unauthorized use of this system will be prosecuted to the full
    extent of the

    LAW. This system is monitored and logged.
    ^C
    !
    line con 0
    exec-timeout 60 0
    login local
    transport output telnet
    line aux 0
    exec-timeout 15 0
    transport output telnet
    line vty 0 4
    access-class 23 in
    exec-timeout 30 0
    privilege level 15
    password 7 01140E4C1218125D19
    login local
    transport input telnet
    line vty 5 15
    access-class 23 in
    privilege level 15
    password 7 121E0D18011F5E3C
    login
    transport input ssh
    !
    end

All Answers

    • #2579953

      Clarifications

      by mclarksonaz ·

      In reply to Cisco 1841 router not allowing access

      Clarifications

    • #2579950

      firmware version

      by sgt_shultz ·

      In reply to Cisco 1841 router not allowing access

      Have you tried updating to the latest firmware?

      • #2604143

        Problem solved

        by mclarksonaz ·

        In reply to firmware version

        I did, although that is not what fixed my problem.

        I had initially changed the IP of FastEthernet0/1 from the
        default IP to a 192.168.0.0 IP. In doing so I forgot to
        assign an access list allowing traffic from the new network
        on the tcp side. Hence the ability to ping worked (udp)
        but logging in didn’t. The offending lines were:

        ip http server
        ip http access-class 23
        and
        access-list 23 permit 10.10.10.0 0.0.0.7

        Access-list 1 had the correct range, so I reconfigured the
        http service to use that access list.
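
The lockout described in this thread can be checked for offline. The following is an added example, not part of the original posts or of any Cisco tool: a Python check that flags management bindings (`ip http access-class`, `access-class ... in` on vty lines) whose standard ACL admits no host on any directly connected subnet. The `CONFIG` excerpt is constructed from the posted "sh run" with IOS indentation restored; the function names are hypothetical, and only standard numbered ACLs 1-99 with contiguous wildcard masks are handled.

```python
import ipaddress
import re

# Constructed excerpt of the posted "sh run" (addresses as redacted in the post).
CONFIG = """\
interface FastEthernet0/1
 ip address 192.168.0.200 255.255.255.0
interface Serial0/0/0
 ip address 1.1.1.1 255.255.255.252
ip http access-class 23
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
line vty 0 4
 access-class 23 in
"""

def acl_source(addr, wild):
    """Source of a standard ACL entry as a network (contiguous wildcards only)."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if addr == "host":
        return ipaddress.ip_network(wild)
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild or "0.0.0.0")) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def permits(entries, ip):
    """First matching entry wins; no match means the implicit deny."""
    return next((action == "permit" for action, net in entries if ip in net), False)

def audit(config):
    """Return (service, acl) pairs whose ACL admits no host on any connected subnet."""
    acls, subnets, bindings, section = {}, [], [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():
            section = line                      # top-level command starts a new section
        if m := re.match(r"access-list (\d{1,2}) (permit|deny) (\S+)(?: (\S+))?", line):
            acls.setdefault(m[1], []).append((m[2], acl_source(m[3], m[4])))
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            subnets.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
        elif m := re.match(r"ip http access-class (\d+)", line):
            bindings.append(("ip http", m[1]))
        elif (m := re.match(r"access-class (\d+) in", line)) and section.startswith("line"):
            bindings.append((section, m[1]))
    return [(svc, num) for svc, num in bindings
            if num in acls                      # bindings to ACLs with no entries are skipped
            and not any(permits(acls[num], h) for net in subnets for h in net.hosts())]
```

On this excerpt `audit(CONFIG)` reports both the HTTP binding and `line vty 0 4`, because both reference access-list 23; pointing only the HTTP service at access-list 1 leaves the vty binding flagged.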
