Routing problem, ping works - telnet not

Unanswered Question
Oct 12th, 2008

Dear all,

I have a PC in VLAN 242. VLAN 242 (the management server VLAN) is only routed on the firewall. The switch/router management should be routed on the firewall too, for example to prevent users from connecting to the router. Router management is in VLAN 2. On the router I use policy-based routing, so all traffic from the IP range /24 (VLAN 2) goes to the firewall.

I checked with ping and traceroute, and everything "goes" the way I want. When I try a telnet, it does not work.

I swapped the firewall for a router. It does not work either.

Does anyone have an idea... I don't know why this behaves so strangely...


Router or firewall; on the switch, inter-VLAN routing.



On the L3 switch or router which I want to manage:

route-map routing_management, permit, sequence 10
  Match clauses:
    ip address (access-lists): tt
  Set clauses:
    ip next-hop
  Policy routing matches: 7116 packets, 665966 bytes

Extended IP access list tt
    10 permit ip any (596 matches)

PS: I could put the management server in the same subnet, but for the other locations which I manage from this server I have the same problem.

And when I don't use policy-based routing, the L3 switch/router would use its default gateway and the firewall would complain about "spoofing" (wrong IP on this interface).

thanks in advance

Giuseppe Larosa Sun, 10/12/2008 - 03:34

Hello Sebastian,

Cisco routers and switches allow you to use an ACL to limit the IP addresses from which a telnet session can be accepted.


access-list 25 permit
!
! under the line vty range apply the standard ACL
! with the access-class command:
!
line vty 0 4
 access-class 25 in

You don't need to play with PBR to implement a control on telnet access to network devices.

PBR doesn't behave as expected on locally generated packets (packets originated inside the device); by default these are not processed by PBR.

There is a specific command to be given in global config:

ip local policy route-map


But for this scenario the access-class command is the best solution: it is simple and works.

On the FW allow full access: the control is implemented on each device as described above.

Hope to help
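The access-class approach above is only as good as its consistent application: every vty range must carry an access-class, and the ACL it names must actually exist. The following audit script is an added example by the editor, not code from either poster or from Cisco. It parses a constructed IOS running-config (the hostname, the 10.242.0.0/24 management range and the vty layout are invented for illustration) and reports vty ranges with no access-class, an access-class referencing an ACL that is never defined, and ranges that still accept cleartext telnet.

```python
"""Audit a Cisco IOS running-config for management-plane access control on VTY lines.

Added example: the configuration below is constructed for illustration and is
not from the original discussion.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample config (hypothetical device; addresses are invented).
# Note that "line vty 5 15" has no access-class and still allows telnet.
SAMPLE_CONFIG = """\
hostname core-sw1
!
access-list 25 permit 10.242.0.0 0.0.0.255
access-list 25 deny any log
!
line con 0
 logging synchronous
line vty 0 4
 access-class 25 in
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login local
!
end
"""


@dataclass
class VtyBlock:
    """One 'line vty X Y' range and the commands under it that matter here."""
    name: str
    access_class: Optional[str] = None
    transports: List[str] = field(default_factory=list)


def parse_config(text: str) -> Tuple[Set[str], List[VtyBlock]]:
    """Return (set of ACL names/numbers defined, list of VTY blocks in order)."""
    acls: Set[str] = set()
    blocks: List[VtyBlock] = []
    current: Optional[VtyBlock] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            # Top-level (unindented) command: ends whatever sub-mode we were in.
            current = None
            m = re.match(r"access-list (\S+) ", line)           # numbered ACL
            if m:
                acls.add(m.group(1))
                continue
            m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)  # named ACL
            if m:
                acls.add(m.group(1))
                continue
            if line.startswith("line vty"):
                current = VtyBlock(line[len("line "):].strip())
                blocks.append(current)
            continue
        # Indented command belonging to the current sub-mode, if it is a vty range.
        if current is None:
            continue
        cmd = line.strip()
        m = re.match(r"access-class (\S+) in$", cmd)
        if m:
            current.access_class = m.group(1)
        m = re.match(r"transport input (.+)$", cmd)
        if m:
            current.transports = m.group(1).split()
    return acls, blocks


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (vty range, finding) pairs; an empty list means every range is restricted."""
    acls, blocks = parse_config(text)
    findings: List[Tuple[str, str]] = []
    for b in blocks:
        if b.access_class is None:
            findings.append((b.name, "no access-class: any source may open a management session"))
        elif b.access_class not in acls:
            findings.append((b.name, f"access-class {b.access_class} references an undefined ACL"))
        if "telnet" in b.transports:
            findings.append((b.name, "transport input allows cleartext telnet"))
    return findings


if __name__ == "__main__":
    for vty, msg in audit(SAMPLE_CONFIG):
        print(f"line {vty}: {msg}")
```

Run against a real device, feed it the output of `show running-config`; every vty range should come back clean, and the ACL named by each access-class should permit only the management subnet. The ACL content itself (whether it is narrower than the whole management VLAN) is deliberately not judged by the script, since that depends on the site's design.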


Sebastian Helmer Sun, 10/12/2008 - 07:53

Hi Giuseppe,

thanks for the answer.

I already set the local policy....

I see all of this like you do; the telnet access was only an example.

At the moment I'm not sure if the security concept of the colleague before me (now security officer) is a good one.

I will think about it...

Thank you very much.


