Cisco Support Community
Community Member

Trying to enable TELNET traffic thru VPN router and PIX?


I had just set up a peer-to-peer VPN with our vendor. What I'm trying to accomplish is for them to establish a telnet session from their end to our internal host system. We do establish the VPN tunnel, but telnet to our internal system is refused.

On my VPN router, I am only using one ethernet interface configured into 2 sub-interfaces; this is plugged into a Catalyst switch. The outside interface of our internal PIX firewall is also plugged into the same switch as the VPN router. Our internal host system resides on the inside interface of the PIX firewall. (My VPN router is also behind an external firewall, but this is irrelevant since the tunnel has already been established.)

Imitation IPs used:

Vendor is trying to telnet from their source to destination

On my VPN router NAT'd to interface range on Internal PIX)

Within PIX firewall NAT'd to internal host IP

Here is my sample configuration:


1711 Router

interface FastEthernet0
 no ip address
 speed 100

interface FastEthernet0.1
 encapsulation dot1Q 2
 ip address
 ip access-group outside in
 ip nat outside

interface FastEthernet0.2
 encapsulation dot1Q 1 native
 ip address
 ip access-group inside in
 ip nat inside

ip nat inside source static

ip access-list extended inside
 permit ip any any

ip access-list extended outside
 permit ip any any


I receive hits on the router's ACLs.


PIX Firewall

access-list acl_outside permit tcp host gt 1023 host eq telnet
static (inside,outside) netmask 0 0
route outside


I do not receive any hits on the PIX ACL.

The Catalyst switch has a default VLAN of 1 for all ports. I created a 2 to accommodate the VPN router VLAN tags, then on the port where the VPN router is plugged into, I entered 'switchport mode trunk'. Not sure if this will work or not.

I also added a host route on our internal host system to the vendor's source IP.

Any help would very much be appreciated!

Thank you,



Re: Trying to enable TELNET traffic thru VPN router and PIX?

You mentioned "I receive hits on the router's ACLs" and "I do not receive any hits on the PIX ACL". The issue may be related to the PIX inbound ACL source IP. The current ACL has as a source IP, and it seems to be a public IP. Most of the time the traffic will traverse the VPN with the private/original IP.

To verify, configure the capture command on the PIX:

access-list telnet permit tcp any any eq 23
capture telnet access-list telnet interface outside

Use "show capture telnet" to view the output.
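As an added illustration of the reply's point (this is not code from the thread, from Cisco, or from either poster): a small Python evaluator for the ACE syntax used in the PIX config above, run over a constructed capture in which the vendor's private source arrives on the outside interface untranslated. All addresses are placeholders, since the thread's real ones were removed; the ACE with a public-looking source gets zero hits, the corrected one with the private source matches.

```python
import ipaddress

PORTS = {"telnet": 23, "ssh": 22, "www": 80}  # port names the PIX accepts in an ACE

def parse_ace(line):
    """PIX ACE subset: access-list NAME permit|deny tcp SRC [eq|gt|lt P] DST [eq|gt|lt P],
    where SRC and DST are 'any' or 'host A.B.C.D'."""
    t = line.split()
    name, action, proto, pos = t[1], t[2], t[3], 4
    fields = []
    for _ in range(2):  # source, then destination, each with an optional port test
        if t[pos] == "host":
            net, pos = ipaddress.ip_network(t[pos + 1] + "/32"), pos + 2
        else:  # 'any'
            net, pos = ipaddress.ip_network("0.0.0.0/0"), pos + 1
        cond = None
        if pos < len(t) and t[pos] in ("eq", "gt", "lt"):
            cond, pos = (t[pos], PORTS.get(t[pos + 1]) or int(t[pos + 1])), pos + 2
        fields += [net, cond]
    return {"name": name, "action": action, "proto": proto,
            "src": fields[0], "sport": fields[1], "dst": fields[2], "dport": fields[3]}

def _port_ok(cond, value):
    return cond is None or {"eq": value == cond[1], "gt": value > cond[1], "lt": value < cond[1]}[cond[0]]

def ace_matches(ace, pkt):
    return (pkt["proto"] == ace["proto"]
            and ipaddress.ip_address(pkt["src"]) in ace["src"]
            and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
            and _port_ok(ace["sport"], pkt["sport"])
            and _port_ok(ace["dport"], pkt["dport"]))

def acl_hits(acl_lines, packets):
    """First-match evaluation as on the PIX; returns (hit count per ACE, packets hitting the implicit deny)."""
    aces = [parse_ace(l) for l in acl_lines]
    hits, denied = [0] * len(aces), 0
    for pkt in packets:
        for i, ace in enumerate(aces):
            if ace_matches(ace, pkt):
                hits[i] += 1
                break
        else:
            denied += 1
    return hits, denied

# Constructed capture (placeholder addresses): the vendor's RFC 1918 source arrives untranslated.
CAPTURE = [{"proto": "tcp", "src": "10.9.9.25", "dst": "172.16.1.5", "sport": 40211, "dport": 23}]
# ACE keyed on a public-looking source, as in the original post, beside the corrected one.
ACL_PUBLIC_SRC = ["access-list acl_outside permit tcp host 198.51.100.25 gt 1023 host 172.16.1.5 eq telnet"]
ACL_PRIVATE_SRC = ["access-list acl_outside permit tcp host 10.9.9.25 gt 1023 host 172.16.1.5 eq telnet"]
```

Running `acl_hits(ACL_PUBLIC_SRC, CAPTURE)` gives zero hits and one packet falling to the implicit deny, which is the symptom reported above; the private-source ACE counts one hit.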

Community Member

Re: Trying to enable TELNET traffic thru VPN router and PIX?

I probably shouldn't have used a public IP as my example, I wasn't thinking. They're actually using a private IP range (src. and dest.), but thank you very much for your input, I will use this as part of my troubleshooting.


