need to telnet to outside int of ASA and PIX

Feb 29th, 2008

I have a site-to-site connection set up between an ASA 5510 and a PIX 501. I have the ASA's inside 10.1.1.x network being able to access the PIX's 10.2.2.x network. That is working fine. However, I need to be able to access both the ASA and PIX's outside interfaces with telnet. I know the ASA requires a VPN, not sure about the PIX. How do I set up the VPN config to telnet to the outside address? Obviously the outside address is not part of the existing VPN config allowing the inside networks to talk, so I'm unsure of how to do that. Say my outside address on the ASA was and the PIX was How would I set that piece up?

cdusio Fri, 02/29/2008 - 09:08

On both you need to define a source IP that will be coming in to manage the device. I don't necessarily recommend telnet; you should really use ssh. That being said,

on the PIX telnet (example) outside this allows all devices to telnet into outside interface.

On the asa same thing telnet outside

definitely want to narrow it down though.

if your SIP was for example

telnet outside

matthewmphc Fri, 02/29/2008 - 10:57

Doesn't the telnet session on the ASA need to be via VPN? Wouldn't there be additional commands I would need?

acomiskey Fri, 02/29/2008 - 11:03

You cannot telnet to outside interface of pix or asa. If you want to do it through a vpn you need to add "management-access inside" and telnet to the inside interface.

srue Fri, 02/29/2008 - 12:15

You can telnet to the outside of a PIX/ASA as long as it's over a VPN, and management-access outside is configured.

cdusio Fri, 02/29/2008 - 12:44

Actually you can.

The telnet command lets you specify which hosts can access the security appliance console with Telnet. You can enable Telnet to the security appliance on all interfaces. But, the security appliance enforces that all Telnet traffic to the outside interface be protected by IPsec. In order to enable a Telnet session to the outside interface, configure IPsec on the outside interface to include IP traffic that is generated by the security appliance and enable Telnet on the outside interface.

However, you are correct that to telnet through the VPN you need to do what you are describing. I was under the impression that the telnet was outside of the VPN.

Still should use SSH though.
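
The points raised in the replies above (narrow the permitted source, avoid telnet on the outside interface, check `management-access`) can be turned into a quick configuration check. This is an added example, not part of any post in the thread; the function name, rule names and the sample configuration are constructed for illustration, and 192.0.2.10 is a documentation address.

```python
import ipaddress
import re

# "<telnet|ssh> <ip> <mask> <interface>" management-access lines (ASA/PIX syntax).
MGMT_RE = re.compile(
    r"^(telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)

def audit_mgmt_access(config, untrusted=("outside",)):
    """Return (findings, management_access_interface) for a config text."""
    findings = []
    mgmt_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("management-access "):
            mgmt_if = line.split()[1]
            continue
        m = MGMT_RE.match(line)
        if not m:
            continue
        proto, ip, mask, ifname = m.groups()
        # Dotted netmask is converted to a prefix length for the breadth check.
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if proto == "telnet" and ifname in untrusted:
            # Cleartext management on an untrusted interface: prefer ssh.
            findings.append(("telnet-on-untrusted-interface", line))
        if net.prefixlen == 0:
            # 0.0.0.0 0.0.0.0 permits every source address.
            findings.append(("any-source-allowed", line))
    return findings, mgmt_if

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """\
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.1.1.0 255.255.255.0 inside
ssh 192.0.2.10 255.255.255.255 outside
management-access inside
"""

if __name__ == "__main__":
    findings, mgmt_if = audit_mgmt_access(SAMPLE_CONFIG)
    for rule, line in findings:
        print(f"{rule}: {line}")
    print("management-access interface:", mgmt_if)
```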

onlyabhishek007 Fri, 03/07/2008 - 00:22

Due to the security region you aren't able to access the firewall outside interface by using telnet. You can use ssh for the outside access.

