cannot telnet to FR serial interface from outside

I am setting up a Cisco router 1840 whose external serial interface is a fractional T1 with frame-relay encapsulation (which connects to an ISP). All the internal PCs can access the Internet fine. From my office (outside of this router), I can ping the IP address of the external interface but I cannot telnet or ssh into it. There is no access-list.

The configuration for the serial interface is as follows (x1.y1.y1.t1 is the default gateway):

interface Serial0/0/0
 ip address x.y.z.t 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 encapsulation frame-relay IETF
 service-module t1 timeslots 1-8
 service-module t1 remote-alarm-enable
 frame-relay map x1.y1.y1.t1 678 broadcast IETF
 frame-relay lmi-type ansi
 crypto ipsec client ezvpn yyy

ip route 0.0.0.0 0.0.0.0 x1.y1.y1.t1

line vty 0 4
 privilege level 15
 password mypassword
 login
 transport input telnet ssh

Any advice is really appreciated.

DT

Reply to
dt1649651

How is your NAT configured? A relatively common mistake is making the ACL used for NAT too broad, 'access-list 1 permit any' for instance. The end result is that the telnet return traffic from the router is natted, because you told it to.

So you connect to port 23, and get an answer back from port 1050 or something. Quick test is to take 'ip nat outside' off the interface and see if you can telnet in then.

Reply to
Martin Gallagher
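
A check for the mistake described in the reply above, as an added example that is not part of any post in this thread: it scans an IOS configuration for numbered ACLs that are referenced by `ip nat inside source list` and whose permit entry matches any source. The sample configuration is constructed, the function names are hypothetical, and named ACLs are not handled.

```python
import re

# Constructed sample config (not the poster's): ACL 1 is the broad NAT ACL,
# ACL 100 is limited to the inside network, ACL 2 is broad but unused by NAT.
SAMPLE_CONFIG = """\
interface Serial0/0/0
 ip nat outside
ip nat inside source list 1 interface Serial0/0/0 overload
ip nat inside source list 100 interface Serial0/0/0 overload
access-list 1 permit any
access-list 2 permit any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
"""

NAT_RE = re.compile(r"^ip nat inside source list (\d+)\b", re.M)
ACL_RE = re.compile(r"^access-list (\d+) permit (.+)$", re.M)
ANY_PAIR = ["0.0.0.0", "255.255.255.255"]  # address/wildcard spelling of "any"


def is_extended(acl_id):
    """Numbered extended ACLs are 100-199 and 2000-2699."""
    n = int(acl_id)
    return 100 <= n <= 199 or 2000 <= n <= 2699


def source_is_any(acl_id, rest):
    """True if the source field of a permit entry matches every address."""
    tokens = rest.split()
    if is_extended(acl_id):
        tokens = tokens[1:]  # extended entries start with the protocol
    return tokens[:1] == ["any"] or tokens[:2] == ANY_PAIR


def broad_nat_acls(config):
    """Return (acl_id, line) for NAT-referenced ACLs that permit any source."""
    nat_lists = set(NAT_RE.findall(config))
    findings = []
    for acl_id, rest in ACL_RE.findall(config):
        if acl_id in nat_lists and source_is_any(acl_id, rest):
            findings.append((acl_id, f"access-list {acl_id} permit {rest.strip()}"))
    return findings


if __name__ == "__main__":
    for acl_id, line in broad_nat_acls(SAMPLE_CONFIG):
        print(f"NAT ACL {acl_id} matches any source: {line}")
```
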

Thanks, Martin. The NAT list is configured to NAT only for the internal network: "access-list 100 permit ip 192.168.1.0 0.0.0.255 any". I also took that line out but it does not help.

DT

Reply to
dt1649651

Do you have CBAC config?

If so please post your entire config

Reply to
Merv

Yes, I do, but I just found out a little closer where the problem is.

It is the command "crypto ipsec client ezvpn yyy". When I take the command out, I can telnet/ssh just fine.

Running the debug shows that with that command on, the returning packets for the telnet requests are NATted.

I cannot immediately see the relationship between NAT and that crypto ipsec.

Any comments are greatly appreciated.

DT

Reply to
dt1649651
