Two common causes for that are either routing isn't correct to/from the router and the device you're using telnet from, or something like an ACL is blocking telnet along the path.
For the former, with regard to correct routing, can you ping the router from your remote telnet host? From the router, can you ping your remote telnet host?
The routing is configured properly as below
ip route 0.0.0.0 220.127.116.11
ip route 172.16.1.0 255.255.255.0 172.22.26.1
ip route 192.168.0.0 255.255.255.0 172.22.26.1
ip route 192.168.16.0 255.255.255.0 172.22.26.1
Here we have allowed traffic from the mentioned IPs to be diverted out to another router which we are using for VPN, and 18.104.22.168 is our internet gateway, which we have defined for accessing both VPN and internet on the same LAN IP.
And we have not defined any ACL. This is permit any any.
Please let us know why we are not able to remote telnet to our router. We get ping replies from it remotely and vice versa.
As Joseph suggests, if you cannot telnet to the router from a remote location there generally are 2 types of problems that cause this symptom: either there is a routing problem or the telnet traffic is denied somewhere.
If you are sure that routing is ok, and especially if you can ping the router address from the remote location, then we can believe that it is not a routing issue. (Are you telnetting to the exact same address that you can ping?)
Some routers (especially those set up by SDM) will allow local telnet but not remote telnet. If you would post the entire router config then we would be able to see whether this is the case on your router.
Rick, I wasn't aware of the SDM issue. What does it do, configure an ACL attached to the VTY for local interface subnets only?
Yes. I have seen a number of router configs that were generated by SDM that have an access list which has permits for only the local subnet(s) and is applied as access-class in on the vty.
Thank you. (I have never used SDM to actually configure a router, although I've reviewed it for security and other template suggestions.)
This router was configured manually, not through SDM. We also are unable to understand what could be the issue.
Pravin has communicated the config to me privately and I believe that I have identified the problem. Pravin is using NAT (actually PAT) on the outside interface. The NAT statement uses access-list 101 and access-list 101 has a single statement which is permit ip any any. I believe that the problem is the use of any any in the access list. This prevents remote telnet.
I suggest that you can fix this problem by changing the access list and eliminating the any any. My suggestion would be to change to a standard (rather than extended) access list and permit your network source addresses. You would need at least:
access-list 50 permit 172.22.26.0 0.0.0.255
and from the static routes I suspect that you might also need:
access-list 50 permit 172.16.1.0 0.0.0.255
access-list 50 permit 192.168.0.0 0.0.0.255
access-list 50 permit 192.168.16.0 0.0.0.255
Give this a try and let us know if it fixes the problem.
That is an excellent question. Unfortunately I do not have an equally excellent answer.
I was told about this behavior without being given an explanation. I tested and verified the behavior and find that any any did prevent remote telnet. So I suggest this solution (and believe that it will work) without being able to explain it well.
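An added example (not part of any post in this thread, and not a Cisco tool): a small Python check that scans an IOS config for the two conditions discussed above, a NAT source list whose ACL matches any any, and a vty access-class limited to specific subnets. The sample config is constructed; the interface name and ACL 23 are assumptions, and only numbered ACLs are handled.

```python
import re

# Constructed sample config, not the poster's actual config.
# FastEthernet0/0 and ACL 23 are placeholders chosen for illustration.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat outside
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 101 permit ip any any
access-list 50 permit 172.22.26.0 0.0.0.255
access-list 50 permit 172.16.1.0 0.0.0.255
access-list 23 permit 172.22.26.0 0.0.0.255
line vty 0 4
 access-class 23 in
"""

NAT_RE = re.compile(r"^ip nat inside source list (\S+) ", re.M)
ACL_RE = re.compile(r"^access-list (\S+) permit (.+)$", re.M)
VTY_RE = re.compile(r"^[ \t]*access-class (\S+) in\b", re.M)

def acl_entries(config):
    """Map numbered ACL -> list of permit bodies (the text after 'permit')."""
    acls = {}
    for num, body in ACL_RE.findall(config):
        acls.setdefault(num, []).append(body.strip())
    return acls

def is_match_all(body):
    """True for 'permit any' (standard) or 'permit ip any any' (extended)."""
    return body.split() in (["any"], ["ip", "any", "any"])

def audit(config):
    """Return (finding, acl) pairs that can explain failed remote telnet."""
    acls = acl_entries(config)
    findings = []
    # NAT/PAT driven by a match-all ACL: the case identified in this thread.
    for num in NAT_RE.findall(config):
        if any(is_match_all(b) for b in acls.get(num, [])):
            findings.append(("nat-acl-any", num))
    # vty access-class that permits only listed subnets: the SDM-style case.
    for num in VTY_RE.findall(config):
        if not any(is_match_all(b) for b in acls.get(num, [])):
            findings.append(("vty-restricted", num))
    return findings

if __name__ == "__main__":
    for finding, acl in audit(SAMPLE_CONFIG):
        print(f"{finding}: access-list {acl}")
```

Pointing the NAT statement at access-list 50, as suggested in the thread, clears the `nat-acl-any` finding; `vty-restricted` is informational and only marks where remote sources are not permitted on the vty lines.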