Telnet through outside PIX interface?

amarula115
Level 1

I have PIX 501 separating my two internal networks.

I am located on network A (10.80.48.0) on the outside PIX interface. The server which I need to access is on network B (172.31.1.0) on the inside PIX interface.

Here is part of PIX config:

ip address outside 10.80.48.50 255.255.252.0

ip address inside 172.31.1.1 255.255.255.0

name 172.31.1.2 SERVER

static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255

access-list FromOutside permit ip any any

This allows me to ftp from network A to SERVER on network B.

How can I allow telnet (23) to SERVER from network A?

When I replace static to:

static (inside,outside) tcp interface telnet SERVER telnet netmask 255.255.255.255

then telnet is working but ftp is not.

How to make both ftp and telnet to work?

Here are the log entries while I am trying to telnet from network A to SERVER (10.80.48.50) on network B:

Rec'd packet not an IPSEC packet. (ip) dest_addr= 10.80.48.50, src_addr= 10.80.48.47, prot= tcp

I would appreciate help.


ray_stone
Level 1

Hi,

The reason is that either you have mapped only FTP access or telnet access in the static entry.

Delete the static NAT and use the following commands:

static (inside,outside) interface SERVER netmask 255.255.255.255

Hope it helps.

Yes, it helped when I entered

static (inside,outside) interface SERVER netmask 255.255.255.255

but right now I cannot ssh to the outside interface of the PIX. The outside interface is 10.80.48.50.

before:

ssh to 10.80.48.50 - OK

ftp to 10.80.48.50 - OK

telnet to 10.80.48.50 - NOT OK

now:

ftp to 10.80.48.50 - OK

telnet to 10.80.48.50 - OK

ssh to 10.80.48.50 - NOT OK

I will have to remove the command I entered because I need to make changes on this PIX from time to time and I cannot access it anymore. Since it is in a remote location, I need to have ssh access to it. I will ask someone at this location to reload the PIX so I will have access to it again, but then telnet will not work anymore.

Any suggestion?

Farrukh Haroon
VIP Alumni

Why are you 'replacing' the static?

Just enter both at once:

static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255

static (inside,outside) tcp interface telnet SERVER telnet netmask 255.255.255.255

Regards

Farrukh

I tried, and the PIX doesn't accept two statics to the same interface, one for ftp and one for telnet.

You can have only one or the other.

Try to put in only the one command that I posted earlier, then check whether it is responding or not.

I did the following:

no static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255

static (inside,outside) interface SERVER netmask 255.255.255.255

Now ftp and telnet are working, but I lost ssh access to the PIX as described in my previous post.

Are you running 6.x code?

I know that this works on 7.x for sure...

The ASA will give you a 'warning' but it *will be* there when you do a 'show run static'.

Regards

Farrukh

Yes, I run 6.3(4)

static (inside,outside) interface SERVER netmask 255.255.255.255 is allowing telnet, which I needed, but cutting my access to the PIX through ssh.

Any other way to allow telnet and ftp but still be able to ssh to PIX?

Can I somehow manually map ftp and telnet?

Hi, as I think, it must connect via SSH. I would advise you to try to connect to the PIX through SSH and then check the logs and see why it's blocking the SSH connection.

Please post your logs.

Hope it will help
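
A check for the conflict reported in this thread, as an added example that is not part of any poster's reply or of Cisco's tooling: it parses the static lines quoted above and flags a full static on the interface address, which the thread reports cut off ssh to the PIX. The function names, the sample configs and the management port list are assumptions made for illustration.

```python
import re

# PIX 6.x "static" lines that use the outside interface address, as posted in the thread.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?:(?P<proto>tcp|udp) interface (?P<port>\S+) (?P<host>\S+) \S+"
    r"|interface (?P<host_all>\S+)) netmask \S+$"
)

# Constructed sample configs built from the lines quoted in the thread.
PORT_REDIRECT_CONFIG = """\
name 172.31.1.2 SERVER
static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255
"""
FULL_STATIC_CONFIG = """\
name 172.31.1.2 SERVER
static (inside,outside) interface SERVER netmask 255.255.255.255
"""

def parse_statics(config):
    """Return one dict per interface-based static line in the config text."""
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if not m:
            continue  # also skips "no static ..." removal commands
        if m.group("host_all"):
            entries.append({"kind": "full", "host": m.group("host_all"), "line": line})
        else:
            entries.append({"kind": "port", "port": m.group("port"),
                            "host": m.group("host"), "line": line})
    return entries

def management_findings(config, mgmt_ports=("ssh", "22")):
    """Flag statics that hand the firewall's own management port to an inside host."""
    findings = []
    for e in parse_statics(config):
        if e["kind"] == "full":
            findings.append("every port on the interface address goes to %s, "
                            "including ssh to the PIX itself: %s" % (e["host"], e["line"]))
        elif e["port"] in mgmt_ports:
            findings.append("management port %s is redirected to %s: %s"
                            % (e["port"], e["host"], e["line"]))
    return findings

if __name__ == "__main__":
    for name, cfg in (("port redirect", PORT_REDIRECT_CONFIG), ("full static", FULL_STATIC_CONFIG)):
        print(name, "->", management_findings(cfg) or "no management conflict")
```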
