enable telnet redirection on the outside ASA Firewall

Unanswered Question
Mar 11th, 2008

Hi,

I have

1- Firewall configured with outside IP 201.100.100.1

2- Router 1 with loopback 10.1.1.1 (inside network)

3- Router 2 with loopback 10.2.2.2 (inside network)

I configured the following on the ASA:

Static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255

static (inside,outside) tcp 201.100.100.1 1200 10.2.2.2 telnet netmask 255.255.255.255

I configured an outside access list which allows access from any to host 201.100.100.1 on ports 1100 and 1200.

I need to telnet from outside to the inside routers using the same outside interface. This configuration does not work. When I tried the same configuration using a different outside IP (not the outside interface IP) it worked fine. So could you please advise how I can do this using the same outside IP address. This scenario was asked in Internetwork Expert scenarios for CCIE labs, but it didn't work for me.

Please advise if I missed something.

Thanks

sundar.palaniappan Tue, 03/11/2008 - 12:38

If you are using the outside interface address for translation then use the word interface instead of the address in the static command.

Remove:

no Static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255

Add:

Static (inside,outside) tcp interface 1100 10.1.1.1 telnet netmask 255.255.255.255

HTH

Sundar

srue Tue, 03/11/2008 - 12:41

also use "interface outside" instead of the IP in your ACL.

and make sure your firewall can ping the loopback IPs you're trying to connect to.

sundar.palaniappan Tue, 03/11/2008 - 12:49

Steven,

Using interface in place of address should take care of his problem as he stated he was able to connect to the inside router using a different outside address.

-Sundar

srue Tue, 03/11/2008 - 12:53

yes, and best practice is to also use "interface outside" in the acl, if you're using the IP of the interface for PAT.

abdullah-asi Tue, 03/11/2008 - 12:51

Thanks. It works for R1, which is located inside, but not for R2, which is located in the DMZ!

I applied the below commands:

access-list OUTSIDE extended permit tcp any interface outside eq 2223

access-list OUTSIDE extended permit tcp any interface outside eq 1123

!

static (inside,outside) tcp interface 1123 10.1.1.1 telnet netmask 255.255.255.255

static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255

!

Telnet is working for 10.1.1.1 but not for 10.1.2.2, while I can ping all of them.

Please advise.

Thanks,

srue Tue, 03/11/2008 - 12:54

no static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255

static (dmz,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255

this assumes "dmz" is the name of your dmz interface (as defined w/ the nameif command)

sundar.palaniappan Tue, 03/11/2008 - 12:56

For DMZ reconfigure your static for translation between DMZ and outside address.

static (DMZ,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255

I just noticed Steven had responded to this post as well.

Abdullah, if nat-control is enabled in the firewall, a NAT rule is required between a pair of interfaces, and that's the reason why you have to do this.

HTH

Sundar
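As an added example (not part of the thread and not Cisco's own tooling), the script below audits static PAT and access-list lines for the three mistakes the replies above point out: a literal outside-interface address where the `interface` keyword is needed, a `host` ACE where `interface outside` is needed, and a `static` whose real host does not sit behind the interface named first in the pair. It assumes the pre-8.3 `static` syntax used in the thread and a constructed addressing plan (inside 10.1.1.0/24, dmz 10.1.2.0/24, outside 201.100.100.1); the "before" and "after" configs are constructed from the commands posted in the thread.

```python
"""Static-PAT consistency check for the ASA snippets in this thread (added example)."""
import ipaddress
import re

# Assumed addressing for the lab (constructed: the posts only give the outside
# interface 201.100.100.1, the inside loopback 10.1.1.1 and the DMZ loopback 10.1.2.2).
OUTSIDE_IP = ipaddress.ip_address("201.100.100.1")
REAL_IFACES = {
    "inside": ipaddress.ip_network("10.1.1.0/24"),
    "dmz": ipaddress.ip_network("10.1.2.0/24"),
}
NAMED_PORTS = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# static (REAL_IF,MAPPED_IF) tcp {interface|MAPPED_IP} MAPPED_PORT REAL_IP REAL_PORT netmask MASK
STATIC_RE = re.compile(
    rf"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+tcp\s+"
    rf"(?P<mapped>interface|{IPV4})\s+(?P<mapped_port>\S+)\s+"
    rf"(?P<real_ip>{IPV4})\s+(?P<real_port>\S+)\s+netmask\s+{IPV4}$",
    re.IGNORECASE,
)
# access-list NAME extended permit tcp any {interface IF|host IP} eq PORT
ACL_RE = re.compile(
    rf"^access-list\s+\S+\s+extended\s+permit\s+tcp\s+any\s+"
    rf"(?:interface\s+(?P<if>[\w-]+)|host\s+(?P<host>{IPV4}))\s+eq\s+(?P<port>\S+)$",
    re.IGNORECASE,
)


def port_number(token):
    """Resolve a port keyword such as 'telnet', or a numeric port, to an int."""
    return NAMED_PORTS[token.lower()] if token.lower() in NAMED_PORTS else int(token)


def audit(config_text):
    """Return a list of findings (strings) for the static and ACL lines in config_text."""
    findings = []
    static_ports = set()  # mapped ports published on the outside interface
    acl_ports = set()     # ports the outside ACL permits toward the interface address
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        key = line.split()[0].lower()
        if key == "static":
            m = STATIC_RE.match(line)
            if not m:
                findings.append(f"unparsable static line: {line}")
                continue
            real_if = m["real_if"].lower()
            real_ip = ipaddress.ip_address(m["real_ip"])
            mapped_port = port_number(m["mapped_port"])
            static_ports.add(mapped_port)
            # Check 1: the outside interface address must be written as 'interface'.
            if m["mapped"].lower() != "interface" and ipaddress.ip_address(m["mapped"]) == OUTSIDE_IP:
                findings.append(
                    f"port {mapped_port}: mapped address {OUTSIDE_IP} is the {m['mapped_if']} "
                    "interface address; use the 'interface' keyword"
                )
            # Check 2: the real host must live behind the interface named first in the pair.
            owner = next((n for n, net in REAL_IFACES.items() if real_ip in net), None)
            if owner is None:
                findings.append(f"port {mapped_port}: real host {real_ip} is on no known interface")
            elif owner != real_if:
                findings.append(
                    f"port {mapped_port}: real host {real_ip} is behind '{owner}', not '{real_if}'; "
                    f"use static ({owner},{m['mapped_if']})"
                )
        elif key == "access-list":
            m = ACL_RE.match(line)
            if not m:
                continue  # ACE shapes this checker does not model
            port = port_number(m["port"])
            acl_ports.add(port)
            # Check 3: an ACE to the interface address should say 'interface outside'.
            if m["host"] and ipaddress.ip_address(m["host"]) == OUTSIDE_IP:
                findings.append(
                    f"port {port}: ACE matches host {OUTSIDE_IP}; use 'interface outside' "
                    "when the interface address is used for PAT"
                )
    # Check 4: every published port needs an ACE, and every ACE needs a static behind it.
    for port in sorted(static_ports - acl_ports):
        findings.append(f"port {port}: static PAT has no permitting ACE on the outside ACL")
    for port in sorted(acl_ports - static_ports):
        findings.append(f"port {port}: outside ACE permits a port with no static PAT behind it")
    return findings


# Constructed 'before': the literal outside address and host ACE from the original
# post, plus the (inside,outside) static for the DMZ router from the follow-up.
BROKEN = """
access-list OUTSIDE extended permit tcp any host 201.100.100.1 eq 1123
access-list OUTSIDE extended permit tcp any interface outside eq 2223
!
static (inside,outside) tcp 201.100.100.1 1123 10.1.1.1 telnet netmask 255.255.255.255
static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255
"""

# The corrected form the thread converges on.
FIXED = """
access-list OUTSIDE extended permit tcp any interface outside eq 1123
access-list OUTSIDE extended permit tcp any interface outside eq 2223
!
static (inside,outside) tcp interface 1123 10.1.1.1 telnet netmask 255.255.255.255
static (dmz,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255
"""

if __name__ == "__main__":
    for label, cfg in (("before", BROKEN), ("after", FIXED)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" ", finding)
```

Running it reports three findings for the "before" config (the host ACE, the literal mapped address, and the DMZ host placed on the inside pair) and none for the "after" config. A `static` line with a stray token, like the second one in the original post, is reported as unparsable rather than silently skipped, which is the same outcome the ASA parser would give.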

abdullah-asi Tue, 03/11/2008 - 12:58

Thanks a lot. I have been sitting on the lab since morning. It seems I should leave it, because I cannot distinguish between DMZ and inside now, lol.

Thanks a lot. It works.
