enable telnet redirection on the outside ASA Firewall

Mar 11th, 2008

Hi,

I have

1- Firewall configure with outside IP 201.100.100.1

2- Router 1 with loop back 10.1.1.1 (inside network)

3- Router 2 with loop back 10.2.2.2 (inside network)

I configure the following on ASA

static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255

static (inside,outside) tcp 201.100.100.1 1200 10.2.2.2 telnet netmask 255.255.255.255

I configured an outside access list which allows access from any to host 201.100.100.1 on ports 1100 & 1200.

I need to telnet from the outside to the inside routers using the same outside interface. This configuration does not work. When I tried the same configuration using a different outside IP (not the outside interface IP) it worked fine. So could you please advise how I can do this using the same outside IP address. This scenario was asked in the Internetwork Expert scenarios for the CCIE lab, but it didn't work for me.

Please advise if I missed something.


Thanks

sundar.palaniappan Tue, 03/11/2008 - 12:38

If you are using the outside interface address for translation then use the word interface instead of the address in the static command.


Remove:

no Static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255


Add:

Static (inside,outside) tcp interface 1100 10.1.1.1 telnet netmask 255.255.255.255


HTH


Sundar

srue Tue, 03/11/2008 - 12:41

also use "interface outside" instead of the IP in your ACL.


and make sure your firewall can ping the loopback IPs you're trying to connect to.

sundar.palaniappan Tue, 03/11/2008 - 12:49

Steven,


Using interface in place of address should take care of his problem as he stated he was able to connect to the inside router using a different outside address.


-Sundar

srue Tue, 03/11/2008 - 12:53

yes, and best practice is to also use "interface outside" in the acl, if you're using the IP of the interface for PAT.

abdullah-asi Tue, 03/11/2008 - 12:51

Thanks. It works for R1, which is located on the inside, but not for R2, which is located in the DMZ!!!!!

I applied the commands below:

access-list OUTSIDE extended permit tcp any interface outside eq 2223

access-list OUTSIDE extended permit tcp any interface outside eq 1123

!

static (inside,outside) tcp interface 1123 10.1.1.1 telnet netmask 255.255.255.255

static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255

!

Telnet is working for 10.1.1.1 but not for 10.1.2.2, while I can ping all of them.

Please advise.


Thanks,

srue Tue, 03/11/2008 - 12:54

no static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255

static (dmz,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255



this assumes "dmz" is the name of your dmz interface (as defined w/ the nameif command)

sundar.palaniappan Tue, 03/11/2008 - 12:56

For DMZ reconfigure your static for translation between DMZ and outside address.


static (DMZ,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255


I just noticed Steven had responded to this post as well.


Abdullah, if nat-control is enabled in the firewall, a NAT rule is required between a pair of interfaces, and that's the reason why you have to do this.


HTH


Sundar
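The two mistakes worked through in this thread (a static whose first interface is not the one the real host sits behind, and a mapped address written as the literal outside IP instead of the `interface` keyword) are easy to catch by reading the config before you touch a telnet client. The script below is an added example, not anything from the thread or from Cisco; it parses `static` and interface-style `access-list` lines from a constructed ASA config fragment modelled on the posts, and cross-checks them against a constructed table of which interface each real host is behind (on a real box that table comes from `show route`). The sample config, interface addresses and host placement are all assumptions made up for the example.

```python
import re

# Constructed ASA config fragment modelled on the thread (hypothetical lab, not the poster's running config).
SAMPLE_CONFIG = """
access-list OUTSIDE extended permit tcp any interface outside eq 1123
access-list OUTSIDE extended permit tcp any interface outside eq 2223
access-list OUTSIDE extended permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 1123 10.1.1.1 telnet netmask 255.255.255.255
static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255
static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255
access-group OUTSIDE in interface outside
"""

# Constructed topology facts: interface addresses and which interface each real host sits behind
# (on a real firewall take these from 'show interface ip brief' and 'show route').
INTERFACE_IPS = {"outside": "201.100.100.1"}
HOST_INTERFACE = {"10.1.1.1": "inside", "10.1.2.2": "dmz"}

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit (tcp|udp) (\S+) interface (\w+) eq (\S+)$")
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}


def port_num(token):
    """Resolve an ASA port keyword or number to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse(config):
    """Pull static PAT entries and interface-based ACL permits out of a config text."""
    statics, acl = [], []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, proto, mapped_ip, mapped_port, real_ip, real_port, _ = m.groups()
            statics.append(dict(real_if=real_if, mapped_if=mapped_if, proto=proto,
                                mapped_ip=mapped_ip, mapped_port=port_num(mapped_port),
                                real_ip=real_ip, real_port=port_num(real_port)))
            continue
        m = ACL_RE.match(line)
        if m:
            name, proto, src, iface, port = m.groups()
            acl.append(dict(name=name, proto=proto, src=src, iface=iface, port=port_num(port)))
    return statics, acl


def audit(config, interface_ips, host_interface):
    """Return (code, message) findings for the mistakes discussed in the thread."""
    statics, acl = parse(config)
    findings = []
    for s in statics:
        # The static must name the interface the real host actually sits behind; with
        # nat-control a translation is required per interface pair, so (inside,outside)
        # does nothing for a host that is reached via dmz.
        behind = host_interface.get(s["real_ip"])
        if behind and behind != s["real_if"]:
            findings.append(("wrong-interface",
                             f"{s['real_ip']} is behind '{behind}' but static uses ({s['real_if']},{s['mapped_if']})"))
        # Mapping to the mapped interface's own address needs the 'interface' keyword.
        if s["mapped_ip"] == interface_ips.get(s["mapped_if"]):
            findings.append(("literal-interface-ip",
                             f"static uses {s['mapped_ip']}; use 'interface' for the {s['mapped_if']} address"))
        # A static PAT is only reachable if the ACL on the mapped interface permits the mapped port.
        if not any(a["iface"] == s["mapped_if"] and a["proto"] == s["proto"]
                   and a["port"] == s["mapped_port"] for a in acl):
            findings.append(("no-acl",
                             f"no ACL permit for {s['proto']}/{s['mapped_port']} on {s['mapped_if']}"))
    for a in acl:
        # A permit with no translation behind it is dead at best and over-permissive at worst.
        if not any(s["mapped_if"] == a["iface"] and s["proto"] == a["proto"]
                   and s["mapped_port"] == a["port"] for s in statics):
            findings.append(("acl-without-static",
                             f"{a['name']} permits {a['proto']}/{a['port']} on {a['iface']} but no static maps it"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_CONFIG, INTERFACE_IPS, HOST_INTERFACE):
        print(f"[{code}] {msg}")
```

Run against the sample it reports the DMZ host mapped with an `(inside,outside)` static, the static written with the literal outside address, a static with no matching ACL permit, and an ACL permit (port 3389) with nothing behind it; once the config is corrected as in the replies above, it returns no findings. The same two-sided check (every static has a permit, every permit has a static) is the one to keep running whenever the outside ACL is edited, since an orphaned permit on the outside interface is the kind of thing that quietly survives a cleanup.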

abdullah-asi Tue, 03/11/2008 - 12:58

Thanks a lot. I have been sitting on the lab since morning. It seems I should leave it because I cannot distinguish between DMZ and inside now. lol.

Thanks a lot. It works.
