not able to telnet to a public server

Unanswered Question
Aug 4th, 2009

Hi,

I am not able to telnet to a public server behind the firewall, but I am able to ping that firewall.

I have given the following commands:

access-list acl_out permit tcp any host 192.168.1.1 eq telnet

access-group acl_out in interface outside

192.168.1.1 is the host on my LAN network.

Please advise if my commands are correct and if anything has to be added.


Your ACL is incorrect and in the wrong direction - however, this would not stop telnet access.

Check your NAT and your routes. If you still want to allow only 192.168.1.1 to telnet out to the internet and block all other traffic, then your ACL should read:-

access-list acl_out permit tcp host 192.168.1.1 any eq telnet

access-group acl_out out interface outside

There are better ways of doing this - but the above corrects what you are trying to do.

HTH>

arulkumar80 Wed, 08/05/2009 - 03:09

Thanks for your reply.

I got some idea from your reply.

My requirement is as follows:

There is a public server (say 1.1.1.1). I want to telnet to 1.1.1.1 from my LAN network.

Please advise what commands I need to issue on the firewall (PIX 515E).

lan n/w ----- firewall ----- router ---- internet cloud ---- 1.1.1.1

Please advise me the correct NAT configuration.

OK - so that version does not allow the "out" bound ACL attachment feature on an interface. So you would need to block on the inside interface:-

NAT

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

The above NATs all internal traffic onto the internet using the IP address of the outside interface.

access-list inside-out permit tcp host 192.168.1.1 host 1.1.1.1 eq 23

access-list inside-out deny ip any any

access-group inside-out in interface inside

The above will allow host 192.168.1.1 to telnet to 1.1.1.1 - BUT it will block ALL other traffic from the inside to the outside.

HTH>
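As an added illustration that is not part of the original thread, the following Python model applies PIX-style first-match ACL evaluation (with the implicit trailing deny) to the two lists quoted above; the parser, the PORT_NAMES table and the sample internet address 203.0.113.5 are my own assumptions, and the model ignores NAT and which interface the list is attached to. It shows that the original poster's ACE does not describe the LAN host's outbound telnet at all, but rather an inbound connection to 192.168.1.1:23, which is a different and wider exposure than the one intended.

```python
import ipaddress

PORT_NAMES = {"telnet": 23}  # only the port keyword used in this thread

def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """'access-list NAME permit|deny PROTO SRC DST [eq PORT]' -> fields."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an ACE: {line}")
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return action, proto, src, dst, port

def evaluate(acl_lines, proto, src, dst, dport):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        action, p, s, d, port = parse_ace(line)
        if p != "ip" and p != proto:
            continue
        if ipaddress.ip_address(src) not in s or ipaddress.ip_address(dst) not in d:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

# ACLs quoted in the thread: the original poster's list and the corrected one.
ORIGINAL_ACL = ["access-list acl_out permit tcp any host 192.168.1.1 eq telnet"]
INSIDE_OUT_ACL = [
    "access-list inside-out permit tcp host 192.168.1.1 host 1.1.1.1 eq 23",
    "access-list inside-out deny ip any any",
]

if __name__ == "__main__":
    # The LAN host's outbound telnet SYN to 1.1.1.1: the original ACE does not
    # describe it at all (it matches connections *to* 192.168.1.1:23 instead).
    print(evaluate(ORIGINAL_ACL, "tcp", "192.168.1.1", "1.1.1.1", 23))   # deny
    print(evaluate(INSIDE_OUT_ACL, "tcp", "192.168.1.1", "1.1.1.1", 23)) # permit
```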

sudheesh.pb Fri, 08/07/2009 - 23:17

Hi,

Here, with the ACLs you are permitting the traffic, but I hope there is no static translation for this server.

To access this server through telnet, execute the following command on the PIX:

static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255

Hope the server 192.168.1.1 is residing in the "inside" DMZ. If it is not in the inside DMZ, use the appropriate DMZ name in the static rule.

Hope you have routing enabled for the network you are trying from outside.

Try this and respond back.

Thanks,

Sudheesh
