ASA5520 - Do we need to allow telnet itself?

stromel.cisco
Level 1

Topology: both subnets 1.1.1.0/24 and 2.2.2.0/24 are somehow connected to asa5520, but to different interfaces. Say 1.1.1.0 is inside network, and 2.2.2.0 is outside network.

When we want to allow outbound traffic from 1.1.1.1 to 2.2.2.2 through port 25, we normally do:

access-list inside-in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

access-group inside-in in interface inside

and then we can try to test by telnet from 1.1.1.1 to 2.2.2.2, to see if the port is successfully opened:

telnet 2.2.2.2 25

My question is that before we start telnet testing, do we need to allow telnet port tcp 23 first?

access-list inside-in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 23

Or telnet is allowed by default?

Thanks

Stro


jan.nielsen
Level 7

No, they are two different services, and no, tcp port 23 is not default allowed if you have an acl that does not permit it on the inside interface.

Hi Jan,

Thanks for your quick response.

It will be helpful if you could explain in a bit more details. How are the two services different? Both smtp port 25 and telnet port 23 are tcp ports, at transport layer.

So,

1. If I only have the following two lines, telnet will still get through, yes? Won't the implicit "deny any any" stop the telnet?

access-list inside-in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

access-group inside-in in interface inside

2. Only if I add a deny telnet ACL (see below) will I no longer be able to telnet from 1.1.1.1 to 2.2.2.2. Am I right?

access-list inside-in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

access-list inside-in extended deny tcp host 1.1.1.1 host 2.2.2.2 eq 23

access-group inside-in in interface inside

Appreciate your time.

Stro

I was trying to make a point that "telnet" is only port 23; you just use the telnet application for your test on port 25, which is SMTP.

1. Telnet on port 23 will NOT get through on that ACL; you only allowed port 25, and everything else will be caught by the deny any any that is always at the bottom of an ACL.

2. This does the exact same thing, except you are specifically denying port 23; everything else will still be denied.

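To make the two points above concrete, here is an added example (not code from this thread or from Cisco): a small Python model of first-match ACL evaluation with the implicit deny at the bottom, fed the exact access-list lines posted above, plus the TCP probe that `telnet 2.2.2.2 25` really performs. The ACL parser, the `probe_tcp` helper and the three-way result names ("open", "closed", "filtered") are this example's own assumptions; the real ASA does far more (stateful inspection, NAT, inspect policies), but the ordering and implicit-deny logic it illustrates is the point Jan is making.

```python
"""Model of first-match ACL evaluation with an implicit deny, using the
access-list lines from this thread. Added example, not Cisco code."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional

# Minimal service-name table so the example runs without /etc/services.
PORT_NAMES = {"smtp": 25, "telnet": 23, "www": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (ip = any)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None = any destination port


def _parse_addr(tokens, i):
    """Parse 'host A.B.C.D', 'A.B.C.D MASK' or 'any'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        dport = int(p) if p.isdigit() else PORT_NAMES[p]
    return Ace(action, proto, src, dst, dport)


def evaluate(acl, src_ip, dst_ip, proto, dport):
    """First matching ACE wins. Returns (action, index of the matching ACE),
    or ("deny", None) when nothing matched: the implicit deny any any."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for idx, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


# The ACL from the original question: only tcp/25 is permitted.
INSIDE_IN = [parse_ace(l) for l in [
    "access-list inside-in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 25",
]]

# The variant from the follow-up: an explicit deny for tcp/23 added after it.
INSIDE_IN_EXPLICIT_DENY = [parse_ace(l) for l in [
    "access-list inside-in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 25",
    "access-list inside-in extended deny tcp host 1.1.1.1 host 2.2.2.2 eq 23",
]]


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """What 'telnet HOST PORT' actually does: one TCP connect to that port.
    'open'     = handshake completed (the ACL permits it and something listens)
    'closed'   = RST came back (reached the host, nothing listening there)
    'filtered' = no answer before the timeout (an ASA ACL deny drops silently)"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"        # e.g. no route to host


if __name__ == "__main__":
    for name, acl in (("inside-in", INSIDE_IN),
                      ("inside-in + explicit deny", INSIDE_IN_EXPLICIT_DENY)):
        for port in (25, 23):
            action, idx = evaluate(acl, "1.1.1.1", "2.2.2.2", "tcp", port)
            where = f"ACE #{idx + 1}" if idx is not None else "implicit deny any any"
            print(f"{name}: tcp/{port} -> {action} ({where})")
```

Run it and both ACLs give the same answer for tcp/23; the only difference is whether the deny is hit on an explicit line or on the implicit one. When testing from 1.1.1.1, `probe_tcp("2.2.2.2", 25)` should return "open" once the rule is in place, while `probe_tcp("2.2.2.2", 23)` hangs until the timeout and returns "filtered", which is the usual signature of a firewall drop rather than a closed port.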
Thanks Jan. Your explanation is to the point. I get it now. Stro.
