Routing problem, ping works - telnet not

Dear all,

I have a PC in VLAN 242; VLAN 242 (management server VLAN) is only routed on the firewall. The switch/router management should be routed on the firewall too, to prevent users from connecting to the router, e.g. Router management is in VLAN 2. On the router I do policy-based routing, so all traffic from the IP range 10.1.2.0/24 (VLAN 2) goes to the firewall.

I checked with ping and traceroute; everything "goes" like I want. When I do a telnet it is not working.

I changed the firewall for a router; it is not working either.

Has anyone an idea... I don't know why this works so strangely...

Config:

Router or firewall; on the switch, inter-VLAN routing.

DF 10.1.242.20

DF 10.1.2.20

On the L3 switch or router which I want to manage:

route-map routing_management, permit, sequence 10
  Match clauses:
    ip address (access-lists): tt
  Set clauses:
    ip next-hop 10.1.2.20
  Policy routing matches: 7116 packets, 665966 bytes
SW-10#
Extended IP access list tt
    10 permit ip 10.1.2.0 0.0.0.255 any (596 matches)

PS: I could put the management server in the same subnet, but for other locations which I manage from this server I have the same problem.

And when I don't use policy-based routing, the L3 switch/router would use its default gateway and the firewall would say "spoofing": wrong IP on this interface.

thanks in advance

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Sebastian,

Cisco routers and switches allow you to use an ACL to limit from which IP addresses a telnet session is accepted.

example:

access-list 25 permit 10.1.2.0 0.0.0.255
! under the line vty range apply
! the standard ACL with the access-class
! command:
line vty 0 4
 access-class 25 in

You don't need to play with PBR to implement a control on telnet access to network devices.

PBR doesn't behave as expected on locally generated packets (generated inside the device): these are by default not processed by PBR.

There is a specific command to be given in global config:

ip local policy route-map

see

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi1.html#wp1012417

But for this scenario the access-class command is the best solution: it is simple and works.

On the FW, allow full access: the control is implemented on each device as described above.

Hope to help

Giuseppe
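Giuseppe's point is that the management restriction belongs on each device's vty lines rather than in PBR, and that PBR ignores locally generated packets unless `ip local policy route-map` is configured. The audit script below is an added example, not code from this thread or from Cisco: it parses a small constructed IOS-style config (modelled on ACL 25 above, with one vty range left unrestricted on purpose) and reports every vty block that has no inbound access-class, references an undefined ACL, or permits addresses outside the management ranges you pass in. All function names are hypothetical; only contiguous wildcard masks are handled.

```python
"""Audit vty access restriction in an IOS-style config (added example, not from the thread)."""
import ipaddress
import re

# Constructed sample config: ACL 25 mirrors Giuseppe's example; vty 5 15 is
# deliberately left without an access-class so the audit has something to find.
SAMPLE_CONFIG = """\
!
access-list 25 permit 10.1.2.0 0.0.0.255
access-list 25 deny any log
!
ip local policy route-map routing_management
!
line vty 0 4
 access-class 25 in
 transport input ssh
line vty 5 15
 transport input telnet
!
"""


def parse_source(text):
    """Turn the source part of a standard ACL entry into an ip_network.

    Accepts 'any', 'host A.B.C.D', a bare address, or 'A.B.C.D WILDCARD'.
    A contiguous IOS wildcard (0.0.0.255) is the same thing as a hostmask,
    which ipaddress understands directly; a non-contiguous one raises ValueError.
    """
    tokens = [t for t in text.split() if t != "log"]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    if len(tokens) == 1:
        return ipaddress.ip_network(tokens[0] + "/32")
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)


def parse_standard_acls(config):
    """Map ACL number -> list of (action, network) in config order."""
    acls = {}
    for raw in config.splitlines():
        m = re.match(r"access-list\s+(\d+)\s+(permit|deny)\s+(.*)$", raw.strip())
        if m:
            num, action, rest = m.groups()
            acls.setdefault(num, []).append((action, parse_source(rest)))
    return acls


def parse_vty_lines(config):
    """Map each 'line vty a b' block to its inbound access-class (None if absent)."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"line vty (\d+) (\d+)$", line)
        if m:
            current = f"vty {m.group(1)} {m.group(2)}"
            blocks[current] = None
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the vty block
            continue
        m = re.match(r"\s*access-class\s+(\S+)\s+in\b", line)
        if m:
            blocks[current] = m.group(1)
    return blocks


def has_local_policy(config):
    """True if locally generated packets are subject to PBR (ip local policy route-map)."""
    return re.search(r"^ip local policy route-map\s+\S+", config, re.M) is not None


def audit_vty_access(config, allowed_networks):
    """Return a list of findings; an empty list means every vty block is limited to allowed_networks."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    acls = parse_standard_acls(config)
    findings = []
    for vty, acl in parse_vty_lines(config).items():
        if acl is None:
            findings.append(f"{vty}: no inbound access-class, reachable from any source that routes to the device")
            continue
        if acl not in acls:
            findings.append(f"{vty}: access-class {acl} references an ACL that is not defined")
            continue
        for action, net in acls[acl]:
            if action == "permit" and not any(net.subnet_of(a) for a in allowed):
                findings.append(f"{vty}: ACL {acl} permits {net}, outside the management ranges")
    return findings


if __name__ == "__main__":
    for finding in audit_vty_access(SAMPLE_CONFIG, ["10.1.2.0/24"]):
        print(finding)
    print("local policy configured:", has_local_policy(SAMPLE_CONFIG))
```

Run against the sample, the audit flags only `vty 5 15`; narrowing the allowed range to `10.1.2.0/25` also flags `vty 0 4`, because ACL 25 then permits more than the management range. Feeding it a real `show running-config` works the same way as long as the vty blocks and standard ACLs follow the layout above.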

Hi Giuseppe,

thanks for the answer.

I already set the local policy....

I see all things like you; the telnet access was only an example.

At the moment I'm not sure if the security concept of the colleague before me (now security officer) is a good one.

I will think about it...

Thank you very much.

Sebastian
