3758 Views | 0 Helpful | 4 Replies

Detect telnet on non standard ports

Brad_Shawh
Level 1

If my ASA is configured to allow port 443 (over HTTP), can the ASA allow web traffic on 443 and block telnet on 443?

e.g.: Allow https://x.x.x.x

block: telnet x.x.x.x 443

Question 2: Will blocking telnet on non-standard ports give any benefit?

Accepted Solution

balaji.bandi
Hall of Fame

Telnet uses port 23; if you block telnet, it only blocks port 23.

If you allow 443, anybody can do telnet XXXX 443 for testing, to see if the HTTP (443) port is open, for diagnostic purposes.

But in the latest versions, NGFWs have an application-aware firewall feature which can detect standard ports (for example, one cannot change the ports to customize them, like the HTTP port to the SMTP port, and so on).

But telnet xxxx 443 is commonly used for diagnostic purposes (but your FW can block it if this is more of a DoS attack, based on the attempts initiating connections to the web server).

BB


4 Replies


If my ASA is configured to allow port 443 (over HTTP), can the ASA allow web 443 and block telnet 443?

 - On the ASA you have to specifically mention, as LOCAL/RADIUS commands, the allowed protocols, e.g. https/ssh/telnet:

aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL

Now, if you want to access telnet on a specific interface, then you have to specify in your ASA configuration which subnet is allowed on http/telnet/ssh. Once these processes are active, you can connect with any of the protocols you mentioned in your configuration.

ssh 192.168.x.x 255.255.x.x DMZ
http 192.168.x.x 255.255.x.x DMZ
telnet 192.168.x.x 255.255.x.x DMZ

Question 2: Will blocking telnet on non-standard ports give any benefit?

 - Telnet is not a secure protocol, as all the data is in plain text. If there is sniffer software running on your network, that sniffer can intercept and see all the commands and data you push to your ASA. Always try to avoid Telnet. For lab purposes, yes, that is fine, but for production, no way.

please do not forget to rate.
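The reply above says that a sniffer on the path sees every command and credential typed into a telnet session. The Python below is an added example, not from this thread or from Cisco: it takes the client-to-server byte stream of a telnet session (as reassembled from a capture) and strips the in-band option negotiation, which is all a passive eavesdropper has to do to read the login and the commands. The session bytes are constructed for the example, and the username and password in them are invented.

```python
"""Added example (not from the Cisco thread): recover what was typed over a
telnet session from its client->server byte stream, as a passive sniffer can.

Telnet carries option negotiation in-band, prefixed by IAC (0xFF); everything
else is the user's keystrokes in plaintext. The sample stream is constructed.
"""

IAC, SB, SE = 0xFF, 0xFA, 0xF0                  # Interpret As Command, Subneg Begin/End
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE   # three-byte option commands


def strip_telnet_negotiation(stream: bytes) -> bytes:
    """Remove IAC command sequences, leaving only the data channel."""
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break                                  # truncated command at capture end
        cmd = stream[i + 1]
        if cmd == IAC:                             # IAC IAC = a literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):        # IAC <cmd> <option>
            i += 3
        elif cmd == SB:                            # IAC SB ... IAC SE (subnegotiation)
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end == -1 else end + 2
        else:                                      # two-byte commands: NOP, GA, AYT, ...
            i += 2
    return bytes(out)


def typed_lines(client_stream: bytes) -> list:
    """Split the cleaned data channel into the lines the user entered.

    Telnet clients terminate a line with CR LF or CR NUL depending on options,
    so both are normalised before splitting.
    """
    data = strip_telnet_negotiation(client_stream)
    data = data.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")
    return [ln.decode("ascii", "replace") for ln in data.split(b"\n") if ln]


# Constructed client->server stream: option negotiation followed by an
# invented ASA login and one command. Not a real capture.
SAMPLE_CLIENT_STREAM = (
    b"\xff\xfb\x18"                       # IAC WILL TERMINAL-TYPE
    b"\xff\xfd\x03"                       # IAC DO SUPPRESS-GO-AHEAD
    b"\xff\xfa\x18\x00xterm\xff\xf0"      # IAC SB TTYPE IS "xterm" IAC SE
    b"admin\r\n"                          # typed at the "Username:" prompt
    b"Ex4mple!Pass\r\n"                   # typed at the "Password:" prompt
    b"show running-config\r\n"
)

if __name__ == "__main__":
    for line in typed_lines(SAMPLE_CLIENT_STREAM):
        print(repr(line))
```

Everything the parser returns was on the wire in the clear; with SSH the same capture yields only ciphertext. In a real investigation the stream would come from a TCP reassembly of the capture (for example a tool's "follow TCP stream" export), and the server-to-client direction would be parsed the same way to line prompts up with answers.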

rschlayer
Level 4

Depending on the ASA model and version, you can use the Firepower module to inspect the traffic and make sure that connections using TCP port 443 are truly HTTPS and not something else, therefore blocking any traffic which is not HTTPS on port 443.

This is also possible with the newer Firepower systems running FTD software.
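The accepted solution and rschlayer's reply rest on the same point: an ACL that permits tcp/443 sees only a TCP connection, and `telnet host 443` is exactly that, so only the first payload bytes can separate a TLS client from anything else. The Python below is an added example, not from this thread or from Cisco; it implements a simplified form of the first-segment check an application-aware inspection engine performs, run over constructed sample payloads. It also encodes the caveat a practitioner should know: the classic BSD-derived telnet client skips its opening option negotiation when given a non-default port, so `telnet host 443` usually sends nothing until the user types, and a connection carrying no data cannot be classified at all.

```python
"""Added example (not from the Cisco thread): first-segment classification of
TCP/443 connections, the check an application-aware firewall performs after
the Layer 4 ACL has already permitted the connection.

Sample payloads below are constructed for this example, not captured traffic.
"""

TLS_HANDSHAKE = 0x16                         # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01                      # handshake message type: ClientHello
TELNET_IAC = 0xFF                            # telnet "Interpret As Command"
TELNET_NEG_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT
HTTP_METHODS = ("GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ")


def classify_first_segment(payload: bytes) -> str:
    """Classify the first client->server payload of a TCP connection.

    Returns one of: 'no-data', 'tls-client-hello', 'telnet-negotiation',
    'http-plaintext', 'unknown'.
    """
    if not payload:
        # Bare three-way handshake and nothing else. This is what
        # "telnet host 443" looks like when the tester closes the session
        # without typing: indistinguishable from a browser that connected
        # and stalled. There is nothing here to classify.
        return "no-data"
    # TLS record header: type (1) | version (2) | length (2) | handshake type
    if (len(payload) >= 6 and payload[0] == TLS_HANDSHAKE
            and payload[1] == 0x03 and payload[5] == TLS_CLIENT_HELLO):
        return "tls-client-hello"
    # A client that negotiates telnet options opens with IAC WILL/DO/...
    # The BSD telnet client only does this when the port is the default 23.
    if (len(payload) >= 3 and payload[0] == TELNET_IAC
            and payload[1] in TELNET_NEG_CMDS):
        return "telnet-negotiation"
    try:
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    if request_line.startswith(HTTP_METHODS) and " HTTP/1." in request_line:
        # Someone typing "GET / HTTP/1.0" into a telnet session produces
        # exactly this: plaintext HTTP on 443, not TLS.
        return "http-plaintext"
    return "unknown"


def policy_decision(payload: bytes) -> str:
    """What an app-aware rule "permit only HTTPS on tcp/443" would do.

    'allow'   - first segment is a TLS ClientHello
    'reset'   - data arrived that is not TLS: tear the connection down
    'pending' - connection open but no data yet; Layer 4 alone cannot decide
    """
    verdict = classify_first_segment(payload)
    if verdict == "tls-client-hello":
        return "allow"
    if verdict == "no-data":
        return "pending"
    return "reset"


# Constructed sample first segments.
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100050100000100")   # truncated ClientHello header
SAMPLE_TELNET_NEG = b"\xff\xfd\x03\xff\xfb\x18"               # IAC DO SGA, IAC WILL TTYPE
SAMPLE_HTTP_PLAIN = b"GET / HTTP/1.0\r\nHost: x.x.x.x\r\n\r\n"
SAMPLE_EMPTY = b""                                            # telnet used only as a port probe

if __name__ == "__main__":
    samples = [("tls", SAMPLE_CLIENT_HELLO), ("telnet-neg", SAMPLE_TELNET_NEG),
               ("typed-http", SAMPLE_HTTP_PLAIN), ("port-probe", SAMPLE_EMPTY)]
    for name, seg in samples:
        print(f"{name:12s} {classify_first_segment(seg):20s} -> {policy_decision(seg)}")
```

The point for the original question: a plain ASA ACL stops at the TCP header and so cannot tell the two apart, which is why rschlayer points at the Firepower module or FTD for this. Even there, the port-probe case stays "pending", and blocking it would mean treating every idle connection as hostile; the realistic gain is resetting sessions that send non-TLS data on 443, not stopping someone from checking whether the port answers.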

Brad_Shawh
Level 1

Thank you very much, everyone! 
