topic Re: Enable Telnet on PIX outside Interface in Network Security

Enable Telnet on PIX outside Interface

pankajp_cmc — Fri, 21 Feb 2020 07:40:20 GMT

Hi all,

Anyone having idea how to enable Telnet on the Outside Interface.

Tried using the telnet command, but doesnt works.

I need to use SSH client for connecting the same.

I have heard that atleast one crypto commands is needed to enable the telnet connection.

Is it true.??

Plz suggest on the same.

Bye,

Pankaj P.

Re: Enable Telnet on PIX outside Interface

Patrick Iseli — Fri, 08 Oct 2004 18:28:28 GMT

It is generaly not a good idea to use telnet, which uses cleartext passwords, on an untrusted network.

Because of the password and Sniffer attacks !!!

SSH is the better way to do this.

Command:

telnet YourIP 255.255.255.255 outside

ssh YourIP 255.255.255.255 outside

If you have a access-list on the outside interface you

need to enable access for telnet and ssh in it.

access-list acl_out permit tcp host SSHClient interface eq 22

access-list acl_out permit tcp host SSHClient interface eq 23

See this document:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_book09186a0080172852.html

sincerely

Patrick

Re: Enable Telnet on PIX outside Interface

scoclayton — Fri, 08 Oct 2004 19:02:37 GMT

part of Patrick's post is right, part is not.

First off, telnet to the outside interface is restricted unless you are coming into the PIX via an IPSec tunnel. SSH and PDM (or HTTPS) is the only allowed method to the outside interface of the PIX if not coming across an IPSec tunnel.

Secondly, you do *not* need to permit traffic destined *to* the PIX via an ACL. ACL's only effect traffic going *through* the PIX. So, no matter what method you choose, the above ACL entries are not needed.

And finally, back to the original post, if you are going to connect via SSH, you do need to generate an RSA key on your PIX and save the key. Then use some SSH software (I use PuTTY for it's ease of use) to conenct to the PIX. For more info on generating the key:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1025473

If this is not what you were looking for, let us know.

Scott

Re: Enable Telnet on PIX outside Interface

jimwelsh — Fri, 08 Oct 2004 19:26:39 GMT

Patrick --

Your solution doesn't work. Reading the doc you pointed us to:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172797.html#wp1064460

Describes ways to use a VPN to telnet over. Also, the PIX Command Reference for the telnet command states:

"If you need to access the PIX Firewall console from outside the PIX Firewall, you can use a static and access-list command pair to permit a Telnet session to a Telnet server on the inside interface, and then from the server to the PIX Firewall. In addition, you can attach the console port to a modem but this may add a security problem of its own. You can use the same terminal settings as for HyperTerminal, which is described in the Cisco PIX Firewall and VPN Configuration Guide.

"If you have IPSec configured, you can access the PIX Firewall console with Telnet from outside the PIX Firewall. Once an IPSec tunnel is created from an outside host to the PIX Firewall, you can access the console from the outside host."

Telnet directly to the outside interface doesn't work.

Re: Enable Telnet on PIX outside Interface

pankajp_cmc — Sat, 09 Oct 2004 02:13:05 GMT

Hi Patrick,

It means that telnet on Outside Interface is not possible in this scenario.

I need to create a VPN tunnel which terminates on my PIX.

Anyway thanks for the suggestion.

Bye,

Pankaj P.

Re: Enable Telnet on PIX outside Interface

Patrick Iseli — Sat, 09 Oct 2004 13:04:31 GMT

It is ok guys I got the message.

Hmm I never used telnet but I am surprised that this is not possible, which is a good thing, on the outside interface.

Thanks for the feeback

Patrick