Cisco 1841 router not allowing access

mclarksonaz
I have a brand new Cisco 1841 with T1 WIC and the built in security
package. I have never been able to connect to it from any port other
than the serial console port. All others give no response. I have tried
the html port, the telnet, SSH, and even ftp. I have configured them
via the console cable and can ping them all day but can't get any other
response. What am I missing? Included below is a copy of "sh run",
edited to replace all public IPs with 1.1.1.1 and password hashes and
RSA keys with *.


router#sh run
Building configuration...

Current configuration : 6343 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 51200 warnings
logging console critical
enable secret 5 *
enable password 7 *
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
!
!
no ip bootp server
ip domain name fakename.com
ip name-server 1.1.1.1
ip name-server 1.1.1.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface FastEthernet0/0
login block-for 5 attempts 5 within 5
!
!
!
crypto pki trustpoint TP-self-signed-*
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-*
revocation-check none
rsakeypair TP-self-signed-*
!
!
crypto pki certificate chain TP-self-signed-*
certificate self-signed 01*
quit
username cisco privilege 15 secret 5 *
username administrator privilege 15 password 7 *
!
!
!
!
!
interface FastEthernet0/0
description EXTRA LAN PORT
no ip address
ip access-group 103 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
shutdown
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description INSIDE LAN
ip address 192.168.0.200 255.255.255.0
ip access-group 103 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip rip v2-broadcast
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
description OUTSIDE CENTURY TEL T1 INTERNET SERVICE
bandwidth 1536
ip address 1.1.1.1 255.255.255.252
ip access-group 103 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect autosec_inspect out
ip nat outside
ip rip v2-broadcast
ip virtual-reassembly
encapsulation ppp
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl both
!
router rip
version 2
passive-interface FastEthernet0/1
passive-interface Serial0/0/0
network 192.168.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool fakename 1.1.1.1 1.1.1.1 netmask 255.255.255.248
ip nat inside source list 1 pool fakename overload
ip nat inside source static tcp 192.168.0.200 23 64.238.253.242 23 extendable
!
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
permit ip host 192.168.0.14 any
!
logging trap debugging
logging facility local2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit any
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit tcp any any
access-list 101 permit ip any any
access-list 103 permit tcp any any
access-list 103 permit icmp any any
access-list 103 permit ip any any
access-list 103 permit tcp any eq telnet host 192.168.0.200 eq telnet
access-list compiled
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner login ^CCCC
------------------------------------------------------
-----------------
Welcome to the router.

Any unauthorized use of this system will be prosecuted to the full
extent of the

LAW. This system is monitored and logged.
^C
!
line con 0
exec-timeout 60 0
login local
transport output telnet
line aux 0
exec-timeout 15 0
transport output telnet
line vty 0 4
access-class 23 in
exec-timeout 30 0
privilege level 15
password 7 01140E4C1218125D19
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
password 7 121E0D18011F5E3C
login
transport input ssh
!
end
  • +
    0 Votes
    sgt_shultz

    have you tried updating to the latest firmware?

    +
    0 Votes
    mclarksonaz

    I did, although that is not what fixed my problem.

    I had initially changed the IP of FastEthernet0/1 from the
    default IP to a 192.168.0.0 IP. In doing so I forgot to
    assign an access list allowing traffic from the new network
    on the tcp side. Hence the ability to ping worked (udp)
    but logging in didn't. The offending lines were:

    ip http server
    ip http access-class 23
    and
    access-list 23 permit 10.10.10.0 0.0.0.7

    Access-list 1 had the correct range so I re-configured
    the http service to use that access list.

    +
    0 Votes
    sgt_shultz

    thanks for posting your solution
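
Added example (not part of the thread and not the poster's code): a small Python check that evaluates the standard ACLs bound by `access-class` in a running-config against a management source address, which reproduces the lockout described above and also shows that the vty lines in the posted config reference the same ACL 23. The sample config is constructed from the posted lines, 192.168.0.14 is an assumed LAN host, and the function names are hypothetical; it assumes numbered standard ACLs without a trailing `log` keyword.

```python
import ipaddress
import re

ip4 = lambda a: int(ipaddress.IPv4Address(a))
# Constructed sample: the management-related lines of the posted config.
SAMPLE_CONFIG = """\
ip http server
ip http access-class 23
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
line vty 0 4
 access-class 23 in
line vty 5 15
 access-class 23 in
"""

def parse_standard_acls(config):
    """Return {number: [(action, base, wildcard)]} for numbered standard ACLs (1-99)."""
    acls = {}
    pat = re.compile(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if not m or not 1 <= int(m.group(1)) <= 99:
            continue
        num, action, addr, wild = m.groups()
        if addr == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif addr == "host":
            addr, wild = wild, "0.0.0.0"
        acls.setdefault(int(num), []).append((action, ip4(addr), ip4(wild or "0.0.0.0")))
    return acls

def acl_permits(entries, src):
    """First match wins; a source matching no entry hits the implicit deny."""
    ip = ip4(src)
    for action, base, wild in entries:
        if (ip | wild) == (base | wild):  # compare only bits the wildcard leaves unmasked
            return action == "permit"
    return False

def blocked_services(config, src):
    """Return [(service, acl_number)] for access-class bindings that refuse src."""
    acls, blocked, ctx = parse_standard_acls(config), [], None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("line "):
            ctx = line
        m = re.match(r"(ip http )?access-class (\d+)( in)?$", line)
        # Assumption: a binding to an ACL not defined in this config is skipped.
        if m and int(m.group(2)) in acls and not acl_permits(acls[int(m.group(2))], src):
            blocked.append(("http" if m.group(1) else ctx, int(m.group(2))))
    return blocked
```

Calling `blocked_services(SAMPLE_CONFIG, "192.168.0.14")` lists the HTTP server and both vty ranges as refusing that host; pointing the bindings at ACL 1 clears the list.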
