Solved: Re: Detect telnet on non standard ports

Brad_Shawh · ‎02-16-2021

If my ASA is configured to allow port 443 (over http), can ASA allow web 443 and block telnet 443?

block: telnet x.x.x.x 443

Question2: Will blocking telnet on non standard ports give any benefit?

balaji.bandi · ‎02-16-2021

Telnet uses port 23, if you blocking telnet, it only blocks 23 port

if you allowed 443, anybody can do telnet XXXX 443 for testing to see if the HTTP(443) port-open for diagnosis purpose.

but in the latest version, NGFW have featuring application-aware FW which can detect standard ports ( example one can not change the ports to customize like HTTP port to SMTP port so on)

But telnet xxxx 443 commonly used for diagnosis purposes. ( but your FW can block if this is more of DoS attack based on the attempts initiating connection to WebServer.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

balaji.bandi · ‎02-16-2021

Telnet uses port 23, if you blocking telnet, it only blocks 23 port

if you allowed 443, anybody can do telnet XXXX 443 for testing to see if the HTTP(443) port-open for diagnosis purpose.

but in the latest version, NGFW have featuring application-aware FW which can detect standard ports ( example one can not change the ports to customize like HTTP port to SMTP port so on)

But telnet xxxx 443 commonly used for diagnosis purposes. ( but your FW can block if this is more of DoS attack based on the attempts initiating connection to WebServer.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Sheraz.Salim · ‎02-16-2021

If my ASA is configured to allow port 443 (over http), can ASA allow web 443 and block telnet 443?

-On ASA you have to specifically mentioned as LOCAL/Radius command allowing following protocols e.g https/ssh/telnet.

aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telent console LOCAL

now if you want to access telnet on an specific interface than you have to mentioned in your asa configuration to let subnet either on http/telent/ssh.once these processor are active than you can connect with any of the following protocols which you mentioned in your configuraton.

ssh 192.168.x.x 255.255.x.x DMZ
https 192.168.x.x 255.255.x.x DMZ
telent 192.168.x.x 255.255.x.x DMZ

Question2: Will blocking telnet on non standard ports give any benefit?

- Telent is not a secure protocol as all the data is in a plain text. if there is a sniffer software running around your network that sniffer can intercept and see all the command and data you push to your asa. Alaways try to aviod Telnet. for lab purpose yes that fine but for the production no way.

please do not forget to rate.

rschlayer · ‎02-17-2021

Depending on the ASA model and version you can use the firepower module to inspect the traffic and make sure that connections using tcp port 443 are truly https and not something else, therefore blocking any traffic which is not https on port 443.

This is also possible with the newer Firepower Systems running FTD software.

Brad_Shawh · ‎03-01-2021

Thank you very much, everyone!