Installing a Cisco 877 ADSL Router- problem with remote access

Discussion in 'Other Cisco Equipment' started by arSouth, May 1, 2007.

  1. arSouth

    arSouth LI Guru Member

    I just set this up this past Saturday. I can't get to the router with telnet or ssh from the outside. Anyone want to look it over for me, just so I didn't miss anything? I can ping it. I'm also trying to static NAT a public address to an inside host, which is a Juniper firewall. The Juniper is getting stuff out to the router, but not getting stuff back in, and not getting outside.
    The inside users can get out fine, no problems.
    I don't know.

    hostname WAN-Router
    no logging buffered
    enable secret xxxxxxxxxxxxxx
    aaa new-model
    aaa authentication login default local
    aaa session-id common
    resource policy
    clock timezone GMT -6
    ip subnet-zero
    ip cef
    no ip domain lookup
    ip domain name none
    ip ssh source-interface Dialer1
    ip ssh version 2
    crypto key generate rsa
    crypto pki trustpoint TP-self-signed-2951937227
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2951937227
     revocation-check none
     rsakeypair TP-self-signed-2951937227
    crypto pki certificate chain TP-self-signed-2951937227
     certificate self-signed 01
      30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 32393531 39333732 3237301E 170D3032 30333031 30303335
      33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39353139
      33373232 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100C6F9 B32A8310 554EEF5E 27EB2052 A50C45D0 60938CE6 B46B537A DE9BBFB2
      A8FE8665 BB992D66 A82080BA 126E5554 6877E7A1 350F14BE 8C889D6C 5F6D5BC6
      6220D37F E292E97B A3F5FCBE 65A5ED95 88C83F4F 736764A0 10A76040 B180721A
      18482C34 BB20B611 C8FD7B8F 7B555E38 B028FA30 B445A9E9 989BE7BE AFAE956D
      597D0203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603
      551D1104 0C300A82 084D5743 5F57414E 2E301F06 03551D23 04183016 8014C232
      A1948F23 FB7C2B2F 4F17D4DF 1D6A4102 B07C301D 0603551D 0E041604 14C232A1
      948F23FB 7C2B2F4F 17D4DF1D 6A4102B0 7C300D06 092A8648 86F70D01 01040500
      03818100 0539A272 9FE869F1 C370C5F6 743C2251 E42D8466 9D6DF4D5 79CCB454
      C18AC92B A6B650C7 2D994EE8 A348E4C5 E68A26ED 52DC9696 FA2B2CE1 5C967F31
      9443B1A2 25C52E1D 1D25B8EF D0DDAF86 61CC1D2B 48887228 A1DD0075 45DEA8C8
      98C15096 4AE8DE45 CDD9440A 242FA037 569D15B7 ABF92FFF E2579BDB D7FA93AF 80DF6587
    username xxxxxxxxxxxx privilege 15 password xxxxxxxxxxxxxx
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     pvc 0/35
      encapsulation aal5snap
      pppoe-client dial-pool-number 1
     dsl operating-mode auto
     hold-queue 224 in
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
     ip address
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
    interface Dialer1
     mtu 1492
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     keepalive 8 2
     ppp chap hostname xxxxxxxxxxxx
     ppp chap password xxxxxxxxxxxxx
     ppp pap sent-username xxxxxxxxxxxxxx password xxxxxxxxxxxxxxx
    ip classless
    ip route Dialer1
    no ip http server
    ip http secure-server
    ip nat inside source list 101 interface Dialer1 overload
    ip nat inside source static xxxxxxxxxxxx(public static ip from ISP)
    access-list 101 permit ip any any
    banner motd ^C
    This is a Private Network, unauthorized Access is Prohibited!!
    If you are not authorized to loggin, please log off right now!
    ^C
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     login authentication local
     transport input all
     transport output all
    scheduler max-task-time 5000

  2. ifican

    ifican Network Guru Member

    A couple of questions. You say inside users can get out; does that include users behind the Juniper firewall? The current NAT static line is good as long as the IPs are correct, just know that if there are no translations built, then anything hitting the outside interface of the router is going to get sent to that .200 IP. On your vty line, "login authentication local", I am not at all familiar with this command. Try using just "login local", which will authenticate the session against the local database. Also the "ip ssh source interface" command is telling the router to only look for SSH v2 sessions that are incoming from the Dialer1 interface. I have to run right now but will look over this more later.
  3. arSouth

    arSouth LI Guru Member

    Yeah, I just took out that ip ssh source interface command.
    The Juniper is not getting out; that's one part of the problem.
    It's like the addresses are not responding.
    "login authentication local" is there because aaa authentication is enabled. I shut that off, and it went back to "login local".
    And I was able to telnet and ssh into the router from the inside.

  4. ifican

    ifican Network Guru Member

    Can the firewall ping the router on both the inside and the Dialer interface?
  5. arSouth

    arSouth LI Guru Member

    On the Juniper firewall, I can't find the ping utility.

    From the inside of the Juniper, I can't ping outside; it's because NAT is not enabled. I don't know how to set that on the Juniper. After all, I'm a Cisco person.

    Now I'm suspecting the ISP filtered the ports, because when I run an nmap scan, all the ports shown were blocked, including 22, 23, 80, 445, etc.
    So I guess that's what's wrong.
  6. ifican

    ifican Network Guru Member

    The Juniper web GUI is pretty good; however, if you need to know how to set NAT from the command line, I have a Juniper firewall up now that I could take a look at and help you figure it out. I'm no Juniper CLI master either, though I have been playing with it on and off for about 6 months now. You should not have to set NAT to allow it to pass traffic, though you do have to set up a policy to allow traffic out; Juniper is not like Cisco in the sense that it will allow traffic by default. Out of the box it is usually set up with an outbound allow-all policy, though if it was reset or erased it might have gotten removed.

    As far as nmap goes, the ports may be open but your ISP may be actively blocking scans.
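The thread turns on two config details: ifican's point that a whole-address static NAT sends everything arriving at that public IP to the inside host (so the router's own ssh/telnet on that address never answer), and the vty lines accepting "transport input all" from any source. The following is an added example, not code from either poster: a small Python audit that parses an IOS config into top-level commands and their sub-commands and flags exactly those pitfalls. The two embedded configs are constructed, modelled on the redacted one in post 1 with RFC 5737 / RFC 1918 placeholder addresses, and the hardened variant shows the corrected lines (per-port static NAT, ssh-only vty with an access-class) so the audit comes back clean.

```python
"""Audit a Cisco IOS config for the remote-management and NAT pitfalls
discussed in the thread. Example code, not from the original post."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (finding code, human-readable message)

# Constructed config modelled on the thread's redacted one; placeholder addresses.
CONFIG_AS_POSTED = """\
aaa new-model
aaa authentication login default local
ip ssh version 2
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip address negotiated
 ip nat outside
no ip http server
ip http secure-server
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static 192.168.1.200 203.0.113.10
access-list 101 permit ip any any
line vty 0 4
 login authentication default
 transport input all
 transport output all
"""

# Same router, hardened: ssh-only vty restricted by ACL 10, router HTTPS off,
# and only the service the inside host really offers forwarded (constructed).
CONFIG_HARDENED = """\
aaa new-model
aaa authentication login default local
ip ssh version 2
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip address negotiated
 ip nat outside
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.200 443 interface Dialer1 443
access-list 10 permit 198.51.100.0 0.0.0.255
access-list 101 permit ip any any
line vty 0 4
 access-class 10 in
 login authentication default
 transport input ssh
"""


def parse_ios(text: str) -> List[dict]:
    """Split an IOS config into top-level commands, each with its indented sub-commands."""
    blocks: List[dict] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1]["children"].append(raw.strip())
        else:
            blocks.append({"line": raw.strip(), "children": []})
    return blocks


def audit(text: str) -> List[Finding]:
    blocks = parse_ios(text)
    top = [b["line"] for b in blocks]
    findings: List[Finding] = []

    # 1. VTY lines: cleartext telnet reachable, and no source restriction.
    for b in blocks:
        if not b["line"].startswith("line vty"):
            continue
        kids = b["children"]
        ti = next((k for k in kids if k.startswith("transport input")), "transport input (unset)")
        if ti.split()[2:] != ["ssh"]:
            findings.append(("VTY_TELNET", f"{b['line']}: '{ti}' leaves telnet reachable; use 'transport input ssh'"))
        if not any(k.startswith("access-class") for k in kids):
            findings.append(("VTY_NO_ACL", f"{b['line']}: no 'access-class <acl> in'; management open to any source"))

    # 2. SSH protocol version pinned to 2.
    if "ip ssh version 2" not in top:
        findings.append(("SSH_V1", "SSHv1 still negotiable; add 'ip ssh version 2'"))

    # 3. HTTPS management enabled without a source restriction.
    if "ip http secure-server" in top and not any(t.startswith("ip http access-class") for t in top):
        findings.append(("HTTPS_NO_ACL", "'ip http secure-server' is on with no 'ip http access-class'"))

    # 4. Whole-address static NAT: every inbound port on the global address, the
    #    router's own ssh/https included if it is the WAN address, lands on the inside host.
    outside = [b["line"].split()[1] for b in blocks
               if b["line"].startswith("interface ") and "ip nat outside" in b["children"]]
    for t in top:
        m = re.match(r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", t)
        if m:
            local, glob = m.groups()
            findings.append(("NAT_WHOLE_HOST",
                f"'{t}' forwards every inbound port on {glob} to {local}; if {glob} is the address of "
                f"{', '.join(outside) or 'the NAT outside interface'}, the router's own ssh/https are "
                f"shadowed. Prefer per-service entries, e.g. "
                f"'ip nat inside source static tcp {local} 443 {glob} 443'"))
    return findings


def finding_codes(text: str) -> set:
    return {code for code, _ in audit(text)}


if __name__ == "__main__":
    for name, cfg in (("as posted", CONFIG_AS_POSTED), ("hardened", CONFIG_HARDENED)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for code, msg in audit(cfg):
            print(f"  [{code}] {msg}")
```

Run it as a script to see the four findings on the posted-style config and none on the hardened one. The parser keys only on leading whitespace, which is how "show running-config" indents sub-commands; if a config was pasted with the indentation stripped (as in post 1), re-indent it first or the vty and interface checks will see no children.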