Can ping the switch but not telnet to it.

Nov 19th, 2008

I have an ASA firewall and trunked off the firewall I have a 3750 which I can ping, telnet and SSH to. From the 3750 I have another trunk into a 3560 which I can also ping to but not SSH or telnet to.

I have opened the firewall from my PC to the 3560 so nothing is blocking it (I hope) as the packet tracer on the ASA confirms this. I know telnet works because I can telnet to the switch from the VLAN that the switch's IP is in.

So I can ping it, so I guess it is not a routing issue. How can I tell my telnet request is even getting to the switch? Can the switch display attempts?

Just can't work out what it is.

Mo'ath Al Rawashdeh Wed, 11/19/2008 - 13:50

A brief diagram can be better than many words, as I didn't get you :)

John Blakley Wed, 11/19/2008 - 14:11

Create an ACL like this:

    ip access-list ext TELNET
     permit tcp any any eq 23 log
     permit ip any any

Apply it to the interface that you're telnetting into.

If it's a VLAN SVI:

    int vlan
     ip access-group TELNET in

If it's a routed port:

    int G0/1
     ip access-group TELNET in

Then try to telnet to see if you are getting hits. If you are telnetted into the switch from a box that can get to it, you can do:

Switch# term mon

and it should show you hits on the acl as they happen. You can then go to the system that can't telnet and try while your other system is up and watch as it happens.
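An added example, not part of the original post: once the logging ACL above is applied, a short Python script can summarise the hits per source address from a saved terminal capture and tell you whether a given PC's telnet packets reached the switch. The log lines are constructed samples in the standard IOS `%SEC-6-IPACCESSLOGP` format, the addresses are made up, and the function names `acl_hits` and `arrived` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of "term mon" output for the TELNET ACL (addresses made up).
SAMPLE_LOG = """\
*Nov 19 14:20:01.123: %SEC-6-IPACCESSLOGP: list TELNET permitted tcp 10.10.20.5(49152) -> 10.10.20.2(23), 1 packet
*Nov 19 14:20:09.456: %SEC-6-IPACCESSLOGP: list TELNET permitted tcp 10.10.20.5(49153) -> 10.10.20.2(23), 1 packet
*Nov 19 14:21:30.789: %SEC-6-IPACCESSLOGP: list TELNET permitted tcp 192.168.50.7(50211) -> 10.10.20.2(23), 3 packets
*Nov 19 14:22:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to up
"""

# One ACL log entry: list name, action, protocol, src(port) -> dst(port), count.
HIT = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def acl_hits(log_text, acl="TELNET", dport=23):
    """Return a Counter of {source IP: packets} logged by `acl` for `dport`."""
    hits = Counter()
    for line in log_text.splitlines():
        m = HIT.search(line)
        if m and m["acl"] == acl and int(m["dport"]) == dport:
            hits[m["src"]] += int(m["count"])
    return hits

def arrived(log_text, source_ip, **kw):
    """True if at least one logged packet from source_ip hit the ACL."""
    return acl_hits(log_text, **kw)[source_ip] > 0

if __name__ == "__main__":
    for src, n in acl_hits(SAMPLE_LOG).items():
        print(f"{src}: {n} packet(s) to tcp/23")
    print("remote PC seen:", arrived(SAMPLE_LOG, "192.168.50.7"))
    print("other host seen:", arrived(SAMPLE_LOG, "172.16.0.9"))
```

A hit only shows that the request reached the switch interface; it says nothing about whether the reply made it back to the client.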


glen.grant Wed, 11/19/2008 - 15:31

Sounds like the 3560 is missing the default gateway or default static route if routing is still turned on.

wilson_1234_2 Wed, 11/19/2008 - 17:00

You could use the ASA ASDM GUI to monitor the traffic and filter to the switch IP address.

Set the filter to "informational" and try to telnet from your workstation to the switch.

If the firewall is blocking the traffic, it will show up in the monitor session (it will also show up if it is not).

You could also do this with a packet capture on the ASA, but the GUI is quicker and easier.
