Unable to Remote Telnet

pravin_mehra
Level 1

I am unable to remote telnet a Cisco 1841 series router. Pls help how can I access it remotely. I can access it on my local LAN.

12 Replies

Joseph W. Doherty
Hall of Fame

Two common causes for that are either routing isn't correct to/from the router and the device you're using telnet from, or something like an ACL is blocking telnet along the path.

For the former, with regard to correct routing, can you ping the router from your remote telnet host? From the router, can you ping your remote telnet host?

Dear Sir,

The routing is configured properly as below

ip route 0.0.0.0 124.124.42.105

ip route 172.16.1.0 255.255.255.0 172.22.26.1

ip route 192.168.0.0 255.255.255.0 172.22.26.1

ip route 192.168.16.0 255.255.255.0 172.22.26.1

where we have allowed traffic from the mentioned IPs to be diverted to our other router, which we are using for VPN. And 124.124.42.105 is our internet gateway, and this we have defined for accessing both VPN and internet on the same LAN IP.

And we have not defined any ACL. This is permit any any.

Pls let us know why we are not able to remote telnet our router. We get ping reply from this remotely and vice versa.

Regards

Pravin Mehra

have configured

Pravin

As Joseph suggests, if you cannot telnet to the router from a remote location there generally are 2 types of problems that cause this symptom: either there is a routing problem or the telnet traffic is denied somewhere.

If you are sure that routing is OK, and especially if you can ping the router address from the remote location, then we can believe that it is not a routing issue. (Are you telnetting to the exact same address that you can ping?)

Some routers (especially those set up by SDM) will allow local telnet but not remote telnet. If you would post the entire router config then we would be able to see whether this is the case on your router.

HTH

Rick

Rick, I wasn't aware of the SDM issue. What does it do, configure an ACL attached to the VTY for local interface subnets only?

Joseph

Yes. I have seen a number of router configs that were generated by SDM that have an access list which has permits for only the local subnet(s) and is applied as access-class in on the vty.

HTH

Rick

Rick,

Thank you. (I have never used SDM to actually configure a router, although I've reviewed it for security and other template suggestions.)

Dear Sir,

This router was configured manually, not through SDM. We also are unable to understand what could be the issue.

Regards

Pravin Mehra

Can we have your e-mail id so that we could send you the entire screenshots of the router configuration?

Regards

Pravin Mehra

Pravin has communicated the config to me privately and I believe that I have identified the problem. Pravin is using NAT (actually PAT) on the outside interface. The NAT statement uses access-list 101 and access-list 101 has a single statement which is permit ip any any. I believe that the problem is the use of any any in the access list. This prevents remote telnet.

Pravin

I suggest that you can fix this problem by changing the access list and eliminating the any any. My suggestion would be to change to a standard (rather than extended) access list and permit your network source addresses. You would need at least:

access-list 50 permit 172.22.26.0 0.0.0.255

and from the static routes I suspect that you might also need:

access-list 50 permit 172.16.1.0 0.0.0.255

access-list 50 permit 192.168.0.0 0.0.0.255

access-list 50 permit 192.168.16.0 0.0.0.255

Give this a try and let us know if it fixes the problem.

HTH

Rick

Hi, Rick:

How would the 'any any' prevent remote telnet?

Thanks

Victor

Victor

That is an excellent question. Unfortunately I do not have an equally excellent answer.

I was told about this behavior without being given an explanation. I tested and verified the behavior and found that any any did prevent remote telnet. So I suggest this solution (and believe that it will work) without being able to explain it well.

HTH

Rick

Fair enough. :-)

Thanks

Victor
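
A configuration check for the two conditions raised in this thread (an inbound access-class on the vty lines, and a NAT source list that references an ACL containing permit ip any any), added here as an example and not posted by any participant. The sample configuration, including the interface name and access-list 23, is constructed and is not the poster's router config; only numbered access lists are handled.

```python
import re

# Constructed sample config for illustration (not the poster's actual router).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat outside
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 101 permit ip any any
access-list 23 permit 172.22.26.0 0.0.0.255
line vty 0 4
 access-class 23 in
 transport input telnet
"""

def parse_acls(config):
    """Map ACL number -> list of entries taken from 'access-list N ...' lines."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) (.+)$", config, re.M):
        acls.setdefault(m.group(1), []).append(m.group(2).strip())
    return acls

def audit(config):
    """Return findings for the two conditions discussed in the thread."""
    acls = parse_acls(config)
    findings = []
    # 1. NAT source list whose ACL contains 'permit ip any any'.
    for m in re.finditer(r"^ip nat inside source list (\d+)\b", config, re.M):
        num = m.group(1)
        if any(re.fullmatch(r"permit ip any any", e) for e in acls.get(num, [])):
            findings.append(("nat-acl-any-any", num))
    # 2. Inbound access-class on a vty line: report which sources it permits,
    #    so a reviewer can see whether remote management hosts are covered.
    in_vty = False
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level command starts a new block
            in_vty = line.startswith("line vty")
            continue
        m = re.match(r"\s+access-class (\d+) in\b", line)
        if in_vty and m:
            permits = [e for e in acls.get(m.group(1), []) if e.startswith("permit")]
            findings.append(("vty-access-class", m.group(1), permits))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
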
