Telnet to Internal Device with single Global Address

depadua_chris
Level 1

I'm managing a field office that connects to the internet through an ASA5505. This office has only a single external address (static), but I have a device on the inside of that network that needs to be accessed by a vendor via telnet.

Could anyone suggest a good way to accomplish this?

Thanks,

Chris

8 Replies

Thank you very much for your response.

Would you happen to have a link that would help me redirect or forward that traffic into a VPN Tunnel? I've modified the tunnel and nonat ACLs accordingly, but the redirects are not hitting the access lists.

Again, any help would be appreciated.

Thanks,

Chris

Chris,

If you are accessing this device via telnet over a vpn tunnel, why do you need to use its external address? You should be able to access it with its inside address over the vpn tunnel.

I need to use the external address because I'm setting all this up so that an outside vendor can access their device. This vendor will not be behind our firewall and does not have the ability to load our VPN Client on their computers.

I am able to telnet into the device from behind the firewall so I know the connectivity is there.

Chris,

I must have misunderstood your last post:

"Would you happen to have a link that would help me redirect or forward that traffic into a VPN Tunnel? I've modified the tunnel and nonat ACLs accordingly, but the redirects are not hitting the access lists."

I thought you were asking to access it over a vpn tunnel.

I'm trying to provide telnet access to an outside vendor, so that they can connect to a device on the inside of our network. That device happens to be at a field office that is connected to us via a VPN Tunnel.

A reply to my original post suggested that I use a STATIC command to redirect (port-forward) the request. However, the redirected telnet is not hitting the VPN Tunnel's ACL. When I telnet to the device from inside the network the traffic hits the ACL and is encrypted and everything works fine. I'm just having trouble getting the redirected traffic to go across the VPN.

Is that any better?

A shot in the dark guess (so take it with a grain of salt):

I wonder if you might be hitting a "by design" Telnet problem. I've seen a couple of references to "the firewall will not permit inbound Telnet connections on its outside interface even if the config allows it".

The Cisco Press "Cisco ASA and PIX Firewall Handbook" mentions it as do a couple of results that pop up in a Google search of: cisco pix telnet outside

Since you're Telnetting in on the outside interface and your destination address is within the firewall, perhaps it's being silently disallowed. Just a guess?

Is there any possibility the outside vendor (and your inside device) can use SSH to communicate? I know *that* works just fine on the outside interface when redirected into a tunnel.

It actually sounds like he is attempting to hairpin the traffic from a remote vendor over the vpn tunnel. I assume the vpn tunnel terminates on the outside interface of the ASA?

I've never attempted this myself but if it's possible you would need same-security-traffic permit intra-interface and would also need to define the remote vendor ip address and telnet destination to the crypto acls for the vpn tunnel.
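As an added illustration of what the last reply describes (not configuration posted in this thread or taken from Cisco documentation), here is how the hairpinned port-forward would be expressed in the pre-8.3 NAT syntax the thread is using, on both firewalls. Every address, interface name and ACL name is a placeholder I chose: 203.0.113.10 is the vendor's public IP, 10.20.0.50 the field-office device, 10.10.0.0/16 and 10.20.0.0/16 the two site networks, and the site-to-site tunnel is assumed to terminate on each ASA's outside interface.

```cisco
! ---- HQ ASA (owner of the single global address the vendor connects to) ----
! Permit a flow that enters and leaves the same (outside) interface; the
! port-forward arrives on outside and is steered back out outside into the tunnel.
same-security-traffic permit intra-interface

! Port-forward TCP/23 arriving on the outside address to the remote device.
! The real host lives behind the tunnel, i.e. on the outside side of this ASA,
! hence (outside,outside) rather than (inside,outside).
static (outside,outside) tcp interface 23 10.20.0.50 23 netmask 255.255.255.255

! Admit only the vendor's source address to the forwarded port (least privilege).
access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 interface outside eq telnet
access-group OUTSIDE_IN in interface outside

! The crypto ACL is matched on the untranslated source (vendor) and the real
! destination (device); add that pair beside the existing site-to-site networks.
! A route to 10.20.0.0/16 via the outside interface (normally the default route)
! must exist so the flow reaches the crypto map.
access-list HQ_TO_FIELD extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list HQ_TO_FIELD extended permit ip host 203.0.113.10 host 10.20.0.50
! If nat-control is enabled or a dynamic nat (outside) rule exists, add a matching
! nat (outside) 0 exemption for 203.0.113.10 -> 10.20.0.50 as well.

! ---- Field-office ASA 5505 ----
! Mirror-image crypto ACL so this peer accepts the vendor->device proxy ID.
access-list FIELD_TO_HQ extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list FIELD_TO_HQ extended permit ip host 10.20.0.50 host 203.0.113.10

! NAT exemption: without it the device's replies to the vendor are PAT'ed by the
! usual "nat (inside) 1" rule and no longer match the crypto ACL.
access-list NONAT_INSIDE extended permit ip host 10.20.0.50 host 203.0.113.10
nat (inside) 0 access-list NONAT_INSIDE
```

To confirm the flow is taking the tunnel, check that the vendor->device pair shows up as an SA in `show crypto ipsec sa` and that the outside ACL hit counter increments in `show access-list OUTSIDE_IN` while the vendor connects.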