topic Re: need to telnet to outside int of ASA and PIX in Network Security

need to telnet to outside int of ASA and PIX

matthewmphc — Mon, 11 Mar 2019 12:10:45 GMT

I have a site to site connection setup between an ASA 5510 and a PIX 501. I have the ASA's inside 10.1.1.x network being able to access the PIX's 10.2.2.x network. That is working fine. However, I need to be able to access both the ASA and PIX's outside interfaces with telnet. I know the ASA requires a vpn, not sure about the PIX. how do I set up the vpn config to telnet to the outside address? Obviously the outside address is not part of the existing vpn config allowing the inside networks to talk, so I'm unsure of how to do that. Say my outside address on the ASA was 2.2.2.2 and the PIX was 4.4.4.4. How would I set that piece up?

Re: need to telnet to outside int of ASA and PIX

cdusio — Fri, 29 Feb 2008 17:08:51 GMT

on both you need to define a source IP that wil be cocming in to manage the device. I don't necessarily recommend telnet you should really use ssh. that being said,

on the PIX telnet (example) 0.0.0.0 0.0.0.0 outside this allows all devices to telnet into outside interface.

On the asa same thing telnet 0.0.0.0 0.0.0.0 outside

definitely want to narrow it down though.

if your SIP was 1.2.3.4 for example

telnet 1.2.3.4 255.255.255.255 outside

Re: need to telnet to outside int of ASA and PIX

matthewmphc — Fri, 29 Feb 2008 18:57:40 GMT

doesn't the telnet session on the ASA need to be via vpn? wouldn't there be additional commands I would need?

Re: need to telnet to outside int of ASA and PIX

acomiskey — Fri, 29 Feb 2008 19:03:59 GMT

You cannot telnet to outside interface of pix or asa. If you want to do it through a vpn you need to add "management-access inside" and telnet to the inside interface.

Re: need to telnet to outside int of ASA and PIX

srue — Fri, 29 Feb 2008 20:15:13 GMT

you can telnet to the outside of a pix/asa as long as it's over a vpn, and management-access outside is configured.

Re: need to telnet to outside int of ASA and PIX

cdusio — Fri, 29 Feb 2008 20:44:56 GMT

Actually you can.

The telnet command lets you specify which hosts can access the security appliance console with Telnet. You can enable Telnet to the security appliance on all interfaces. But, the security appliance enforces that all Telnet traffic to the outside interface be protected by IPsec. In order to enable a Telnet session to the outside interface, configure IPsec on the outside interface to include IP traffic that is generated by the security appliance and enable Telnet on the outside interface.

However you are correct that to telnet through the vpn you need to do what you are describing. I was under the impression that the telnet was outside of the vpn.

Still should use SSH though.

Re: need to telnet to outside int of ASA and PIX

onlyabhishek007 — Fri, 07 Mar 2008 08:22:01 GMT

do due to the security region u can't able to access the firewall outside interface by using the telnet. U can use the ssh for the outside access.