ASN 13.20 telnet access reconfiguration with bcc 2

[dtabera]

I am new to Nortel routers, and I have to reconfigure an ASN running version 13.20. I have to open telnet access that it is now restricted to a range of IPs. I am using bcc as I do not have Site Manager, and with show config -r -v I do not find any traffic-filter or access-policy.

Any other place to search in the configuration?
Which Site Manager version should be appropiate for this router? Where can I get it?

Thank you very much, I will try to help you in Cisco sections ;-)

Diego.

 

[Jynxx]

I would personally recommend 15.3 code for this router. It has been rock solid for me since I installed it. You will have to get this from Nortel's support site. You will need contract maintenance on the device in order to access this, however. I have had luck, at certain times, working through our Nortel account rep for getting software for devices that are not yet under maintenance, so that is another option.

You can also download Site Manager from there as well. I have found that Site Manager is the easiest way to write filters. You have to go into the interface that you want to create the filter on, go under protocols, IP, make a "template" (which is just any valid combination of an action and a criteria. Then when you create the true filter, you can just use your newly created template, and change the action, criteria around to suit your needs for the correct filter.

 

[dtabera]

Thank you very much. We are trying to contact our vendor to see if we can get the software. We will have to be very convincing, as we do not have a maintenance contract
About version 15.3, I will take into account your advice, but maybe it is going to be kind of difficult: the ASN is a new equipment to us, and right now is in production. That would mean weekend work, and without solid knowledge on Nortel!

What is really going me mad is that thing about filters in ip module: when I access using BCC, I cannot see any under IP. Besides, whith log configured to debugging level, wrong telnet connections (I mean, from non-permitted sources) are not recorded!

I hope that site manager would ease my life.

Thanks,

Diego.

 

[xplicit]

The traffic filters are configured under the specified port, either ethernet or serial and so on. If you send me a copy of the config (sho conf -a in bcc) and the log entry using log -ffwitd -eTELNET. Are you using SNMP to connect ? You may want to check if your telnet settings. I have a copy of site Manager and of 15.4.01 which I can try to email to you.

 

[dtabera]

To xplicit:

I have the output of show config -all, some traces I got recently and I am using telnet to connect from the LAN. The problem arises when trying to telnet from outbound. I have collected some .txt files and I am not sure there is enough space in this message for all that. Is there any other means to contact you? I give you my email: dtabera@adatel.es, to send you the files (of course if you do not have any inconvenience) on reply.

The worst thing about all that is that the router is 300 kilometres away! And I can not reach it remotely right now, so I cannot try many things. As a matter of fact, I cannot try "log -ffwitd -e TELNET"

Regarding Site Manager, I got yesterday Site Manager v.14.20. The ASN router has 13.20 version and I was advised not to use Site Manager 14.20 because I was told it does not work. I would need v.14.0.30. Is that right? Do Site Manager have to match router version? Do you have this one?

Thank you very much, I appreciate your interest.

 

[Jynxx]

According to every Nortel support rep I have ever talked to, all newer versions of Site Manager should be backwards compatible with older versions of router code for MANAGEMENT. Creating a config file with a newer version of SM for a rotuer with old code will result in potential issues...especially when hopping major code revs...such as from 13 to 14.

 

[Jynxx]

Also...what kind of module is it that connects to your WAN? More than likely this is where the filter is at.

 

[dtabera]

this is a se100nm type slot (or module) in a 3-stacked ASN. This ethernet is connected to Internet to a cablemodem. The show config -r -v command says:

>ethernet module 2 slot 2 connector 1
> bofl enable
> bofl-timeout 5
> hardware-filter disable
> transmit-queue-length 0
> receive-queue-length 0
> bofl-retries 5
> bofl-tmo-divisor 1
> fc-enable enabled
> fc-pause-time 65535
> pause-zero-enable enabled
> circuit-name E221_ext
> state enabled
> ip address 212.22.39.69 mask 255.255.255.0
> assocaddr 0.0.0.0
> cost 1
> broadcast 0.0.0.0
> configured-mac-address {}
> mtu-discovery disabled
> mask-reply disabled
> all-subnet-broadcast disabled
> address-resolution arp
> proxy disabled
> host-cache-aging cache-off
> udp-checksum enabled
>
> end-station-support disabled
> redirects enabled
> cache-size 128
> state enabled
> arp
> state enabled
> back
> nat
> type global
> state enabled
> back
> back
> auto-neg
> speed-select 100base-x
> advertised-capabilities none
> auto-neg-restart 0
> back
> back

module 2 (slot in ASN naming, I guess) as well:

>board slot 2 module 1
> type mce1nm
> back
> board slot 2 module 2
> type se100nm
> back
> board slot 2 module 3
> type mce1nm
> back
> board slot 2 module 4
> type spexhsd

And I cannot see from BCC where the filter is. Connecting directly with a crossover cable to the interface I could assess that something was denying telnet from some addresses and allowing from a certain ones.

More ideas? Thank you very much.

 

[dtabera]

Hi everyone:

Finally I could use Site Manager to configure the ASN. I changed the filter and now life is much more easier!

I strongly appreciate your interest in this case. Just a last question. Are these Forum Threads open 4ever? Do I have to do something now that I got how to solve my problem? I mean, apart from inviting you a couple of beers... ;-D

D.