Telnet through PIX

Unanswered Question
Sep 22nd, 2008


Why can I telnet through the PIX when there is no reference to telnet in the class inspection default list or in the default inspection traffic list?

I see there is a reference to ICMP so that explains why transit pings do not work, but I can't get my head round the workings of telnet.

Here is the class inspection default

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

and here is the default inspection traffic

mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                                ctiqbe-------tcp--2748
                                dns----------udp--53
                                ftp----------tcp--21
                                gtp----------udp--2123,3386
                                h323-h225----tcp--1720
                                h323-ras-----udp--1718-1719
                                http---------tcp--80
                                icmp---------icmp
                                ils----------tcp--389
                                mgcp---------udp--2427,2727
                                netbios------udp--137-138
                                radius-acct--udp--1646
                                rpc----------udp--111
                                rsh----------tcp--514
                                rtsp---------tcp--554
                                sip----------tcp--5060
                                sip----------udp--5060
                                skinny-------tcp--2000
                                smtp---------tcp--25
                                sqlnet-------tcp--1521
                                tftp---------udp--69
                                xdmcp--------udp--177
  dscp                        Match IP DSCP (DiffServ CodePoints)
  flow                        Flow based Policy
  port                        Match TCP/UDP port(s)
  precedence                  Match IP precedence
  rtp                         Match RTP port numbers
  tunnel-group                Match a Tunnel Group

satish_zanjurne Mon, 09/22/2008 - 04:26

The Adaptive Security Algorithm, used by the security appliance for stateful application inspection, ensures the secure use of applications and services. Some applications require special handling by the security appliance and specific application inspection engines are provided for this purpose. Applications that require special application inspection engines are those that embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports.

Telnet does not require special handling, so it is not added in global policy.

HTH...rate if helpful..

walter1972 Mon, 09/22/2008 - 11:36

So would I be right in saying that, in addition to this, stateful inspection is geared up more for connection-oriented traffic, i.e. TCP (telnet here), and that all TCP traffic is inspected? I still don't see why other TCP ports are included in the default inspection traffic in my original post and yet port 23 is not. How does the class inspection default relate to this default inspection traffic list?

Thanks for the interest.

marchanamendon Mon, 09/22/2008 - 22:07

Some applications require special handling. One example is an application that needs to open a dynamic port once a connection is established; that requires special handling, so it is treated as part of application inspection, which inspects packets travelling through the firewall.

Rate if it helps!
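
The distinction drawn in the two replies above (any permitted TCP connection is tracked statefully, whereas an inspection engine is needed only when the payload names a secondary channel or embeds an address) can be shown with a small model. The following is an added illustration written for this page, not Cisco PIX/ASA code: the inside ACL policy, the addresses and the FTP PORT command are constructed for the example, and NAT is left out (a real FTP engine also rewrites the address embedded in the command).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a 5-tuple; frozen so it can live in a set."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFirewall:
    """Toy two-interface firewall: inside (trusted) and outside (untrusted).

    Permitted inside-initiated connections go into a connection table, so
    their return packets pass without any inspection engine.  That is why
    telnet (tcp/23) works with no 'inspect' line.  An engine is only needed
    when the payload announces a secondary channel, as active-mode FTP does.
    """

    def __init__(self, inside_acl, inspect_ftp=False):
        self.inside_acl = inside_acl   # {(proto, dport)} allowed inside -> outside (constructed policy)
        self.inspect_ftp = inspect_ftp
        self.conns = set()             # connection table, keyed by the initiating direction
        self.pinholes = set()          # secondary channels pre-authorised by an inspection engine

    def packet(self, flow: Flow, iface: str, payload: bytes = b"") -> str:
        """Decide one packet ('permit' / 'deny') and update state."""
        if flow in self.conns or flow.reverse() in self.conns:
            # Established connection: both directions pass on the state alone.
            if self.inspect_ftp and flow.proto == "tcp" and flow.dport == 21:
                self._ftp_inspect(flow, payload)
            return "permit"
        if iface == "inside":
            if (flow.proto, flow.dport) in self.inside_acl:
                self.conns.add(flow)
                return "permit"
            return "deny"
        # Outside-initiated: only a pinhole opened by an inspection engine gets in.
        if flow in self.pinholes:
            self.pinholes.discard(flow)   # one-shot, like a dynamic pinhole consumed on use
            self.conns.add(flow)
            return "permit"
        return "deny"

    def _ftp_inspect(self, flow: Flow, payload: bytes) -> None:
        """Parse an active-mode PORT command and pre-authorise the data channel.

        'PORT h1,h2,h3,h4,p1,p2' asks the server to connect from tcp/20 back to
        h1.h2.h3.h4 : p1*256+p2, i.e. the client embeds its own address in the data.
        """
        m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", payload)
        if not m:
            return
        octets = [int(x) for x in m.groups()]
        client_ip = ".".join(str(o) for o in octets[:4])
        client_port = octets[4] * 256 + octets[5]
        self.pinholes.add(Flow("tcp", flow.dst, 20, client_ip, client_port))


# Constructed policy: inside hosts may open telnet and FTP control sessions.
POLICY = {("tcp", 23), ("tcp", 21)}


def telnet_through() -> tuple:
    """Inside->outside telnet: SYN passes the ACL, SYN/ACK matches the conn entry."""
    fw = StatefulFirewall(POLICY)
    syn = Flow("tcp", "10.1.1.5", 40000, "192.0.2.10", 23)
    return fw.packet(syn, "inside"), fw.packet(syn.reverse(), "outside")


def telnet_unsolicited() -> str:
    """Outside->inside telnet with no matching state: dropped."""
    fw = StatefulFirewall(POLICY)
    return fw.packet(Flow("tcp", "192.0.2.10", 40000, "10.1.1.5", 23), "outside")


def active_ftp(inspect: bool) -> str:
    """The server's data connection back to the client succeeds only with 'inspect ftp'."""
    fw = StatefulFirewall(POLICY, inspect_ftp=inspect)
    ctl = Flow("tcp", "10.1.1.5", 40001, "192.0.2.20", 21)
    fw.packet(ctl, "inside")                                 # control-channel SYN
    fw.packet(ctl, "inside", b"PORT 10,1,1,5,200,10\r\n")    # client offers 10.1.1.5:51210
    data = Flow("tcp", "192.0.2.20", 20, "10.1.1.5", 200 * 256 + 10)
    return fw.packet(data, "outside")


if __name__ == "__main__":
    print("telnet inside->outside :", telnet_through())
    print("telnet outside->inside :", telnet_unsolicited())
    print("active ftp, no inspect :", active_ftp(False))
    print("active ftp, inspect ftp:", active_ftp(True))
```

Running it shows telnet permitted in both directions purely from the connection table, an unsolicited outside telnet dropped, and the FTP data channel dropped until the engine that understands PORT has opened a pinhole for it. That is the same reason the default inspection list above carries ftp, rsh, sip, skinny and the rest but has no entry for port 23: telnet carries no addresses or port numbers in its payload, so there is nothing for an engine to read.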
