https://community.cisco.com/t5/network-security/telnet-through-pix/m-p/1134512#M896100 <HTML><HEAD></HEAD><BODY><P></P><P>The Adaptive Security Algorithm, used by the security appliance for stateful application inspection,</P><P>ensures the secure use of applications and services. Some applications require special handling by the</P><P>security appliance and specific application inspection engines are provided for this purpose.</P><P>Applications that require special application inspection engines are those that embed IP addressing</P><P>information in the user data packet or open secondary channels on dynamically assigned ports.</P><P></P><P>Telnet does not require special handling, so it is not added in global policy.</P><P></P><P>HTH...rate if helpful..</P></BODY></HTML> Mon, 22 Sep 2008 11:26:33 GMT satish_zanjurne 2008-09-22T11:26:33Z https://community.cisco.com/t5/network-security/telnet-through-pix/m-p/1134511#M896098 <P>Hi</P><P>Why can I telnet through the PIX when there is no reference to telnet in the class inspection default list or in the default inspection traffic list? </P><P></P><P>I see there is a reference to ICMP so that explains why transit pings do not work, but I can^t get my head round the workings of telnet.</P><P></P><P>Here is the Class inspection deafault</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns preset_dns_map </P><P> inspect ftp </P><P> inspect h323 h225 </P><P> inspect h323 ras </P><P> inspect netbios </P><P> inspect rsh </P><P> inspect rtsp </P><P> inspect skinny </P><P> inspect esmtp </P><P> inspect sqlnet </P><P> inspect sunrpc </P><P> inspect tftp </P><P> inspect sip </P><P> inspect xdmcp </P><P></P><P>and here is the default inspection traffic</P><P>mpf-class-map mode commands/options:</P><P> access-list Match an Access List</P><P> any Match any packet</P><P> default-inspection-traffic Match default inspection traffic: </P><P> ctiqbe----tcp--2748 dns-------udp--53 </P><P> ftp-------tcp--21 gtp-------udp--2123,3386</P><P> h323-h225-tcp--1720 h323-ras--udp--1718-1719</P><P> http------tcp--80 icmp------icmp </P><P> ils-------tcp--389 mgcp------udp--2427,2727</P><P> netbios---udp--137-138 radius-acct---udp--1646</P><P> rpc-------udp--111 rsh-------tcp--514 </P><P> rtsp------tcp--554 sip-------tcp--5060 </P><P> sip-------udp--5060 skinny----tcp--2000 </P><P> smtp------tcp--25 sqlnet----tcp--1521 </P><P> tftp------udp--69 xdmcp-----udp--177 </P><P> dscp Match IP DSCP (DiffServ CodePoints)</P><P> flow Flow based Policy</P><P> port Match TCP/UDP port(s)</P><P> precedence Match IP precedence</P><P> rtp Match RTP port numbers</P><P> tunnel-group Match a Tunnel Group</P> Mon, 11 Mar 2019 13:47:35 GMT https://community.cisco.com/t5/network-security/telnet-through-pix/m-p/1134511#M896098 walter1972 2019-03-11T13:47:35Z https://community.cisco.com/t5/network-security/telnet-through-pix/m-p/1134512#M896100 <HTML><HEAD></HEAD><BODY><P></P><P>The Adaptive Security Algorithm, used by the security appliance for stateful application inspection,</P><P>ensures the secure use of applications and services. Some applications require special handling by the</P><P>security appliance and specific application inspection engines are provided for this purpose.</P><P>Applications that require special application inspection engines are those that embed IP addressing</P><P>information in the user data packet or open secondary channels on dynamically assigned ports.</P><P></P><P>Telnet does not require special handling, so it is not added in global policy.</P><P></P><P>HTH...rate if helpful..</P></BODY></HTML> Mon, 22 Sep 2008 11:26:33 GMT https://community.cisco.com/t5/network-security/telnet-through-pix/m-p/1134512#M896100 satish_zanjurne 2008-09-22T11:26:33Z https://community.cisco.com/t5/network-security/telnet-through-pix/m-p/1134513#M896102 <HTML><HEAD></HEAD><BODY><P>So would I be right in saying that in addition to this, stateful inspection is geared up more for connection oriented traffic ie TCP (telnet here) and that all TCP traffic is inspected. I still don't see why other TCP ports are included in the default inspection traffic in my origional post and yet port 23 is not. How does the class inspection default relate to this default inspection traffic list? </P><P>Thanks for the interest. </P></BODY></HTML> Mon, 22 Sep 2008 18:36:49 GMT https://community.cisco.com/t5/network-security/telnet-through-pix/m-p/1134513#M896102 walter1972 2008-09-22T18:36:49Z https://community.cisco.com/t5/network-security/telnet-through-pix/m-p/1134514#M896106 <HTML><HEAD></HEAD><BODY><P>Some of the application requires special handling which includes for an example an application requiring something like opening an dynamic port when an connection is established which require special handling so it is considered as part of application inspection,which inspects packets traveling through firewall.</P><P></P><P>Rate it helps!</P><P></P><P>Regards,</P><P>Archana.</P></BODY></HTML> Tue, 23 Sep 2008 05:07:40 GMT https://community.cisco.com/t5/network-security/telnet-through-pix/m-p/1134514#M896106 marchanamendon 2008-09-23T05:07:40Z