Remote VPN Client and Telnet to ASA

asfar.zaidi
Level 1

Hi Guys

I have an ASA firewall connected to a Cisco 2821 router.

On the router I have ADSL and a leased line connected.

All my traffic destined for web, FTP, etc. goes out via ADSL, and SMTP, POP3, telnet, etc. goes out via the leased line.

My issues are as follows:

I am unable to telnet to the ASA outside interface although it's configured.

Unable to connect my Remote VPN Client; there are no packets in debug crypto isakmp. I know I have a NAT device, i.e. my router, before my ASA. I have to no-NAT port 4500 and ESP over there, but how? It's confusing.

I am attaching the configuration.

Regards

14 Replies

Yudong Wu
Level 7

Is aa.aa.aa.2 a public IP? If yes, will the packet to aa.aa.aa.2 come in from ADSL?

Make sure the packet to aa.aa.aa.2 will reach the ASA. You can enable logging buffered or set up a capture on the outside interface. Then try to telnet to the ASA and check the log or capture to see if the telnet packets reach the ASA.

Yes, it's a public IP, and the packet should come from the LL, not from the ADSL (that's what I think).

I captured, but telnet is not reaching the ASA.

If you do the capture on the ASA like the following,

access-list cap permit tcp any host aa.aa.aa.2 eq telnet

access-list cap permit tcp host aa.aa.aa.2 eq telnet any

capture cap access-list cap interface outside

- telnet to the ASA outside interface from somewhere else.

- then on ASA, show capture cap

Do you see the packet in and out?

This is the Packet Capture

5 packets captured

1: 22:51:11.754981 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:2487757828(0) win 65535 K>

2: 22:51:14.838671 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:2487757828(0) win 65535 K>

3: 22:51:20.878464 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:2487757828(0) win 65535 K>

4: 22:51:32.997156 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:2487757828(0) win 65535 K>

5: 22:51:57.058270 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:2487757828(0) win 65535 K>

5 packets shown

Did you capture the packet by using the ACL in my previous post? If yes, you should be able to capture the packet in both directions. From the output, it looks like the ASA did not respond to the telnet request. Can you enable logging buffered, then try telnet again and check "show logging" to see if there is log info for this?
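The check Yudong describes can be mechanised: with a capture ACL that matches both directions, a healthy connection shows the ASA's SYN-ACK (or RST) next to the client's SYN, while a capture holding only repeated SYNs with the same ISN means the box silently dropped them. The following is an added Python example, not code from the thread or from Cisco; it parses the per-packet summary lines of "show capture" and reports flows whose SYN was retransmitted without any reply. The sample input is the capture posted above with the wrapped lines re-joined; the regular expression and the report fields are the example's own.

```python
"""Spot one-directional TCP flows in Cisco ASA 'show capture' output.

Added example (not from the thread). Parses the per-packet summary lines
the ASA prints and reports flows in which the client retransmitted its SYN
while nothing ever came back from the server side.
"""
import re
from collections import defaultdict

# Constructed sample: the thread's five captured packets, each wrapped
# line re-joined so the sequence-number field is whole again.
SAMPLE_CAPTURE = """\
5 packets captured
1: 22:51:11.754981 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:2487757828(0) win 65535
2: 22:51:14.838671 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:2487757828(0) win 65535
3: 22:51:20.878464 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:2487757828(0) win 65535
4: 22:51:32.997156 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:2487757828(0) win 65535
5: 22:51:57.058270 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:2487757828(0) win 65535
5 packets shown
"""

# One capture line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> <seq>:<seq_end>(<len>) ..."
# The host part is matched greedily, so "aa.aa.aa.2.23" splits at the last dot.
PKT_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\S+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPU.]+)\s+(?P<seq>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\)"
)


def parse_capture(text):
    """Return a list of packet dicts; header/footer lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # "5 packets captured", "5 packets shown", blank lines
        d = m.groupdict()
        packets.append({
            "num": int(d["num"]), "ts": d["ts"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": d["flags"], "seq": int(d["seq"]),
        })
    return packets


def find_unanswered_syns(packets):
    """Flows where the initiator sent SYNs and no packet ever came back.

    A capture taken with an ACL matching both directions (as the 'cap' ACL
    in the thread does) should contain the server's SYN-ACK or RST; only
    repeated SYNs carrying the same ISN means the device dropped them.
    """
    flows = defaultdict(list)
    reverse_seen = set()
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        flows[key].append(p)
        # record that a packet exists for the opposite direction of 'key'
        reverse_seen.add((p["dst"], p["dport"], p["src"], p["sport"]))

    findings = []
    for (src, sport, dst, dport), pkts in flows.items():
        syns = [p for p in pkts if "S" in p["flags"]]
        if not syns or (src, sport, dst, dport) in reverse_seen:
            continue  # no SYN in this direction, or the server did answer
        distinct_isn = {p["seq"] for p in syns}
        findings.append({
            "client": src, "client_port": sport,
            "server": dst, "port": dport,
            "syn_count": len(syns),
            "retransmissions": len(syns) - len(distinct_isn),
            "first_seen": syns[0]["ts"], "last_seen": syns[-1]["ts"],
        })
    return findings


if __name__ == "__main__":
    for f in find_unanswered_syns(parse_capture(SAMPLE_CAPTURE)):
        print(f"{f['client']}:{f['client_port']} -> {f['server']}:{f['port']}: "
              f"{f['syn_count']} SYNs ({f['retransmissions']} retransmits), no reply")
```

Run against the thread's capture it reports one flow: five SYNs to port 23 with four retransmissions and nothing returned, which is exactly the "no response from the ASA" reading given above. If the ASA had answered, the reverse-direction packet would match the same capture ACL and the flow would be excluded from the report.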

Yes, I captured the packet as you told me, and this is the output of show logging:

%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= TCP) from 217.164.167.147 to aa.aa.aa.2.

%ASA-7-710005: TCP request discarded from 217.164.167.147/61771 to outside:aa.aa.aa.2/23

%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= TCP) from 217.164.167.147 to aa.aa.aa.2.

%ASA-7-710005: TCP request discarded from 217.164.167.147/61823 to outside:aa.aa.aa.2/23

%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= TCP) from 217.164.167.147 to aa.aa.aa.2.

%ASA-7-710005: TCP request discarded from 217.164.167.147/61823 to outside:aa.aa.aa.2/23

OK, you cannot telnet to an outside interface directly; it must go through a VPN tunnel. But you should be able to SSH to the outside interface directly.
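The reading Yudong gives those two log lines can be turned into a small detection: %ASA-7-710005 records a to-the-box connection the ASA refused, and %ASA-4-402117 says the packet to the outside address arrived outside an IPsec tunnel; together they mean a plaintext telnet attempt at the outside interface. The following is an added Python example, not code from the thread or from Cisco; it parses both message types from "show logging", aggregates refused connections to management ports per source, and pairs telnet-to-outside discards with the non-IPsec notices from the same source. The sample input is the log output posted above; the management-port table and the explanatory notes are the example's own assumptions.

```python
"""Correlate ASA 'TCP request discarded' syslog with non-IPsec notices.

Added example (not from the thread). The two message IDs it parses,
%ASA-7-710005 and %ASA-4-402117, are the ones shown in the thread's
'show logging' output.
"""
import re
from collections import Counter

# Constructed sample: the six syslog lines posted in the thread.
SAMPLE_LOG = """\
%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= TCP) from 217.164.167.147 to aa.aa.aa.2.
%ASA-7-710005: TCP request discarded from 217.164.167.147/61771 to outside:aa.aa.aa.2/23
%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= TCP) from 217.164.167.147 to aa.aa.aa.2.
%ASA-7-710005: TCP request discarded from 217.164.167.147/61823 to outside:aa.aa.aa.2/23
%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= TCP) from 217.164.167.147 to aa.aa.aa.2.
%ASA-7-710005: TCP request discarded from 217.164.167.147/61823 to outside:aa.aa.aa.2/23
"""

DISCARD_RE = re.compile(
    r"%ASA-\d-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>\S+)/(?P<sport>\d+) to (?P<iface>[^:\s]+):(?P<dst>\S+)/(?P<dport>\d+)"
)
NON_IPSEC_RE = re.compile(
    r"%ASA-\d-402117: IPSEC: Received a non-IPSec packet \(protocol= (?P<proto>\w+)\) "
    r"from (?P<src>\S+) to (?P<dst>\S+)"
)

# Assumed table of to-the-box services an ASA can be told to accept on an interface.
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}


def parse_events(text):
    """Split syslog text into (discards, non_ipsec) lists of field dicts."""
    discards, non_ipsec = [], []
    for line in text.splitlines():
        m = DISCARD_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            discards.append(d)
            continue
        m = NON_IPSEC_RE.search(line)
        if m:
            d = m.groupdict()
            d["dst"] = d["dst"].rstrip(".")  # the message text ends with a full stop
            non_ipsec.append(d)
    return discards, non_ipsec


def summarize_mgmt_discards(discards, non_ipsec):
    """Aggregate refused management-port connections per source and interface.

    Each entry counts the 710005 discards for one (src, iface, dst, port)
    and how many 402117 non-IPsec notices the same source produced, so the
    reader can tell a plaintext telnet attempt at the outside interface
    from a generic missing-permit refusal.
    """
    by_flow = Counter(
        (d["src"], d["iface"], d["dst"], d["dport"])
        for d in discards if d["dport"] in MGMT_PORTS
    )
    non_ipsec_by_src = Counter(e["src"] for e in non_ipsec)
    report = []
    for (src, iface, dst, dport), n in sorted(by_flow.items()):
        notices = non_ipsec_by_src.get(src, 0)
        if iface == "outside" and dport == 23 and notices:
            why = ("plaintext telnet to the outside interface; the ASA only "
                   "accepts telnet there from inside an IPsec tunnel")
        else:
            why = "to-the-box request refused; check the telnet/ssh/http permits for this interface"
        report.append({
            "src": src, "iface": iface, "dst": dst, "dport": dport,
            "service": MGMT_PORTS[dport], "discards": n,
            "non_ipsec_notices": notices, "note": why,
        })
    return report


if __name__ == "__main__":
    for r in summarize_mgmt_discards(*parse_events(SAMPLE_LOG)):
        print(f"{r['src']} -> {r['iface']}:{r['dst']}/{r['dport']} ({r['service']}): "
              f"{r['discards']} discards, {r['non_ipsec_notices']} non-IPsec notices; {r['note']}")
```

On the thread's lines the report holds a single entry: three refused telnet connections from 217.164.167.147 to the outside address, each accompanied by a non-IPsec notice. In this thread the source is the administrator himself; the same aggregation run over a day of logs makes repeated management-port attempts from unfamiliar sources easy to spot.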

OK, but why should it go through a VPN tunnel?

Secondly, I am unable to get the VPN up at all.

1. That's by design. Telnet to outside is not safe since the packet is in plain text.

2. Looks like you missed "crypto isakmp enable outside".

Thanks, you are right. I enabled it and am getting this error:

(config)# Aug 25 23:47:42 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Removing peer from peer table failed, no match!

Aug 25 23:47:42 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Error: Unable to remove PeerTblEntry

Aug 25 23:47:47 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Removing peer from peer table failed, no match!

Aug 25 23:47:47 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Error: Unable to remove PeerTblEntry

Aug 25 23:47:52 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Removing peer from peer table failed, no match!

Aug 25 23:47:52 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Error: Unable to remove PeerTblEntry

Aug 25 23:47:57 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Removing peer from peer table failed, no match!

Aug 25 23:47:57 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Error: Unable to remove PeerTblEntry

By the way, tell me one thing: I have a NAT device above the ASA, so why don't I need to bypass port 4500 on it?

It looks like a config issue. Might need debug output of "debug crypto isa 127".

You might need to remove the command "authorization-server-group LOCAL".

NAT-traversal is enabled by default on ASA version 8.x. Therefore, you don't need to worry about the NAT device in the middle.

Thanks

I changed group 5 to 2 and it started working.

Great! I am glad you found the mistake in the config. Good job.