topic Telnet through outside PIX interface? in Network Security

Telnet through outside PIX interface?

amarula115 — Mon, 11 Mar 2019 13:59:37 GMT

I have PIX 501 separating my two internal networks.

I am located on network A (10.80.48.0)on outside PIX interface. Server which I need to access is on network B (172.31.1.0)inside PIX interface.

Here is part of PIX config:

ip address outside 10.80.48.50 255.255.252.0

ip address inside 172.31.1.1 255.255.255.0

name 172.31.1.2 SERVER

static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255

access-list FromOutside permit ip any any

This allows me to ftp from network A to SERVER on network B.

How can I allow telnet (23) to SERVER from network A?

When I replace static to:

static (inside,outside) tcp interface telnet SERVER telnet netmask 255.255.255.255

then telnet is working but ftp is not.

How to make both ftp and telnet to work?

Here is log entries while I am trying to telnet from network A to SERVER (10.80.48.50) on network B:

Rec'd packet not an IPSEC packet. (ip) dest_addr= 10.80.48.50, src_addr= 10.80.48.47, prot= tcp

I would appreciate help

Re: Telnet through outside PIX interface?

ray_stone — Mon, 20 Oct 2008 05:10:17 GMT

Hi,

The reason is that either you have mapped only FTP access or telnet access in the static entry.

Delete static nat nd use the following commands

static (inside,outside) interface SERVER netmask 255.255.255.255

hope, it helps

Re: Telnet through outside PIX interface?

Farrukh Haroon — Mon, 20 Oct 2008 06:07:48 GMT

Why are you 'replacing' the static?

Just enter both at once:

static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255

static (inside,outside) tcp interface telnet SERVER telnet netmask 255.255.255.255

Regards

Farrukh

Re: Telnet through outside PIX interface?

amarula115 — Mon, 20 Oct 2008 10:56:14 GMT

I tried and PIX doesn't accept two static to the same interface, one for ftp and one for telnet.

You can have only one or other

Re: Telnet through outside PIX interface?

ray_stone — Mon, 20 Oct 2008 11:06:42 GMT

Try to put only one command what I posted earlier then check its responding or not.

Re: Telnet through outside PIX interface?

amarula115 — Mon, 20 Oct 2008 11:15:31 GMT

Yes, it helped when I entered

static (inside,outside) interface SERVER netmask 255.255.255.255

but right now I cannot ssh to the outside interface of the PIX. Outside interface is(10.80.48.50)

before:

ssh to 10.80.48.50 - OK

ftp to 10.80.48.50 - OK

telnet to 10.80.48.50 - NOT OK

now:

ftp to 10.80.48.50 - OK

telnet to 10.80.48.50 - OK

ssh to 10.80.48.50 - NOT OK

I will have to remove command I entered beause I need from time to time make changes on this PIX and I cannot access it anymore. Since it is located in remote location I need to have ssh access to it. I will ask someone from this location to reload the PIX so I will have an access to it again but then telnet will not work anymore.

Any suggestion?

Re: Telnet through outside PIX interface?

amarula115 — Mon, 20 Oct 2008 11:23:56 GMT

I did the following:

no static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255

static (inside,outside) interface SERVER netmask 255.255.255.255

now ftp and telnet are working but I lost ssh access to the PIX as described in previous post

Re: Telnet through outside PIX interface?

Farrukh Haroon — Mon, 20 Oct 2008 11:51:15 GMT

Are you running 6.x code?

I know that this works on 7.x for sure...

The ASA will give you a 'warning' but it *will be* there when you do a 'show run static'.

Regards

Frrukh

Re: Telnet through outside PIX interface?

amarula115 — Mon, 20 Oct 2008 12:08:32 GMT

Yes, I run 6.3(4)

static (inside,outside) interface SERVER netmask 255.255.255.255 allowing telnet what I needed but cutting my access to PIX through ssh.

Any other way to allow telnet and ftp but still be able to ssh to PIX?

Can I somehow manually map ftp and telnet?

Re: Telnet through outside PIX interface?

ray_stone — Mon, 20 Oct 2008 13:21:10 GMT

Hi, As i think, it must be connect via SSH. I would advice you while you try to connect PIX through SSH and then check the logs nd see why it's blocking the SSH connection.

Please post your logs.

Hope it will help