enable telnet redirection on the outside ASA Firewall

Mar 11th, 2008


I have

1- Firewall configure with outside IP

2- Router 1 with loop back (inside network)

3- Router 2 with loop back (inside network)

I configure the following on ASA

Static (inside,outside) tcp 1100 telnet netmask

static (inside,outside) tcp 1200 1200 telnet netmask

I configure outside access list which allow access from any to host using ports 1100 & 1200.

I need to telnet from outside to the inside routers using the same outside interface. This configuration does not work. When I tried the same configuration using a different outside IP (not the outside interface IP) it worked fine. So could you please advise how I can do this using the same outside IP address. This scenario was asked in Internetwork Expert scenarios for CCIE labs, but it didn't work for me.

Please advise if I missed something.


sundar.palaniappan Tue, 03/11/2008 - 12:38

If you are using the outside interface address for translation then use the word interface instead of the address in the static command.


no Static (inside,outside) tcp 1100 telnet netmask


Static (inside,outside) tcp interface 1100 telnet netmask



srue Tue, 03/11/2008 - 12:41

also use "interface outside" instead of the IP in your ACL.

and make sure your firewall can ping the loopback IPs you're trying to connect to.

sundar.palaniappan Tue, 03/11/2008 - 12:49


Using interface in place of address should take care of his problem as he stated he was able to connect to the inside router using a different outside address.


srue Tue, 03/11/2008 - 12:53

yes, and best practice is to also use "interface outside" in the acl, if you're using the IP of the interface for PAT.

abdullah-asi Tue, 03/11/2008 - 12:51

Thanks. It works for R1, which is located on the inside, but not for R2, which is located in the DMZ!!!!!

I applied the below commands:

access-list OUTSIDE extended permit tcp any interface outside eq 2223

access-list OUTSIDE extended permit tcp any interface outside eq 1123


static (inside,outside) tcp interface 1123 telnet netmask

static (inside,outside) tcp interface 2223 telnet netmask


telnet is working for but not for while I can ping all of them

please advise


srue Tue, 03/11/2008 - 12:54

no static (inside,outside) tcp interface 2223 telnet netmask

static (dmz,outside) tcp interface 2223 telnet netmask

this assumes "dmz" is the name of your dmz interface (as defined w/ the nameif command)

sundar.palaniappan Tue, 03/11/2008 - 12:56

For DMZ reconfigure your static for translation between DMZ and outside address.

static (DMZ,outside) tcp interface 2223 telnet netmask

I just noticed Steven had responded to this post as well.

Abdullah, if nat-control is enabled in the firewall, a NAT rule is required between a pair of interfaces, and that's the reason why you have to do this.



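The fix the two replies above describe, pulled together as one added configuration example (not any poster's own config): the outside interface address is reused for static PAT, so the mapped address is the keyword "interface", and each static pairs the host's real interface with outside. The interface names and security levels, the loopback addresses 10.1.1.1 (R1) and 172.16.1.1 (R2), and the pre-8.3 static syntax are assumptions.

```cisco
! Interface names and security levels are assumed for this example.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
!
! Static PAT on the outside interface address. "interface" replaces the
! mapped IP because the outside interface's own address is being reused.
! The first pair of the static is the interface the real host sits behind:
! R1 is inside, R2 is in the DMZ, so R2 needs (dmz,outside), not
! (inside,outside). With nat-control enabled, no translation between
! dmz and outside means the DMZ host is unreachable even if the ACL permits it.
! Loopback addresses below are constructed for the example.
static (inside,outside) tcp interface 1123 10.1.1.1 telnet netmask 255.255.255.255
static (dmz,outside)    tcp interface 2223 172.16.1.1 telnet netmask 255.255.255.255
!
! The inbound ACL also uses "interface outside" rather than the address.
! "any" mirrors the thread; restricting the source to a management subnet
! limits who can reach the router VTYs through the firewall.
access-list OUTSIDE extended permit tcp any interface outside eq 1123
access-list OUTSIDE extended permit tcp any interface outside eq 2223
access-group OUTSIDE in interface outside
!
! The ASA must also have a route to each loopback (via the routers' LAN
! addresses, assumed here), or the translated packet has nowhere to go.
route inside 10.1.1.1 255.255.255.255 192.168.1.2
route dmz 172.16.1.1 255.255.255.255 192.168.2.2
```

Verify with "show xlate" after a test connection: one entry per static should appear, each listing the interface pair the real host is actually behind.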
abdullah-asi Tue, 03/11/2008 - 12:58

Thanks a lot. I have been sitting on the lab since morning. It seems I should leave it because I cannot distinguish between DMZ and inside now. lol.

Thanks a lot. It works.

