enable telnet redirection on the outside ASA Firewall

abdullah-asi
Level 1

Hi,

I have

1- Firewall configure with outside IP 201.100.100.1

2- Router 1 with loop back 10.1.1.1 (inside network)

3- Router 2 with loop back 10.2.2.2 (inside network)

I configured the following on the ASA:

Static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255

static (inside,outside) tcp 201.100.100.1 1200 10.2.2.2 telnet netmask 255.255.255.255

I configured an outside access list which allows access from any to host 201.100.100.1 on ports 1100 & 1200.

I need to telnet from the outside to the inside routers using the same outside interface. This configuration is not working. When I tried the same configuration using a different outside IP (not the outside interface IP) it worked fine. So could you please advise how I can do this using the same outside IP address. This scenario was asked in the Internetwork Expert scenarios for the CCIE labs, but it didn't work for me.

Please advise if I missed something.

Thanks

8 Replies

If you are using the outside interface address for translation then use the word interface instead of the address in the static command.

Remove:

no Static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255

Add:

Static (inside,outside) tcp interface 1100 10.1.1.1 telnet netmask 255.255.255.255

HTH

Sundar

Also use "interface outside" instead of the IP in your ACL,

and make sure your firewall can ping the loopback IPs you're trying to connect to.

Steven,

Using interface in place of address should take care of his problem as he stated he was able to connect to the inside router using a different outside address.

-Sundar

Yes, and best practice is to also use "interface outside" in the ACL if you're using the IP of the interface for PAT.

Thanks. It works for R1, which is located inside, but not for R2, which is located in the DMZ!

I applied the below commands:

access-list OUTSIDE extended permit tcp any interface outside eq 2223

access-list OUTSIDE extended permit tcp any interface outside eq 1123

!

static (inside,outside) tcp interface 1123 10.1.1.1 telnet netmask 255.255.255.255

static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255

!

Telnet is working for 10.1.1.1 but not for 10.1.2.2, while I can ping all of them.

Please advise.

Thanks,

no static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255

static (dmz,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255

This assumes "dmz" is the name of your DMZ interface (as defined with the nameif command).

For DMZ reconfigure your static for translation between DMZ and outside address.

static (DMZ,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255

I just noticed Steven had responded to this post as well.

Abdullah, if nat-control is enabled in the firewall, a NAT rule is required between a pair of interfaces, and that's the reason why you have to do this.

HTH

Sundar

Thanks a lot. I have been sitting on the lab since morning. It seems I should leave it because I cannot distinguish between DMZ and inside now. lol.

Thanks a lot. It works.
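The two mistakes worked through in this thread (a static PAT that names the outside interface's own IP instead of the `interface` keyword, and a static written for the `(inside,outside)` pair when the real host actually sits behind the DMZ interface) can be caught by a small config check before the rules are pushed. The script below is an added example, not code from the thread or from Cisco; the `ROUTES` table (which subnet sits behind `inside` and `dmz`) is a constructed assumption, since the thread only gives the host addresses.

```python
import ipaddress
import re

# Constructed sample of the ASA's routing table: which interface each real
# network sits behind. These subnets are assumptions, not from the thread.
ROUTES = {
    "inside": ["10.1.1.0/24"],
    "dmz": ["10.1.2.0/24"],
}

# Matches "static (real_if,mapped_if) tcp <mapped> <port> <real> <port> netmask <mask>".
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp "
    r"(?P<mapped_addr>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) "
    r"netmask (?P<mask>\S+)$",
    re.IGNORECASE,
)


def parse_static(line):
    """Split one static PAT line into its fields; raise on anything else (e.g. a stray token)."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static PAT line: {line!r}")
    return m.groupdict()


def interface_for(real_ip, routes=ROUTES):
    """Longest-prefix lookup: the interface the ASA would use to reach real_ip, or None."""
    addr = ipaddress.ip_address(real_ip)
    best = None
    for ifname, nets in routes.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (ifname, net.prefixlen)
    return best[0] if best else None


def check_static(line, outside_ip, routes=ROUTES):
    """Return the problems found in one static PAT line (an empty list means it looks consistent)."""
    s = parse_static(line)
    problems = []
    # Naming the outside interface's own address literally is what failed in the thread.
    if s["mapped_addr"] == outside_ip:
        problems.append("mapped address is the outside interface IP; use the 'interface' keyword")
    actual = interface_for(s["real_ip"], routes)
    if actual is None:
        problems.append(f"no route to {s['real_ip']}")
    elif actual.lower() != s["real_if"].lower():
        # With nat-control the translation must be defined for the pair the host really sits on.
        problems.append(f"{s['real_ip']} is behind '{actual}', but the static names '{s['real_if']}'")
    return problems
```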
