not able to telnet to a public server

Aug 4th, 2009
I am not able to telnet to a public server behind the firewall, but I am able to ping that firewall.

I have given the following commands:

access-list acl_out permit tcp any host eq telnet

access-group acl_out in interface outside is the host on my lan network

Please advise if my commands are correct and if anything has to be added.


Your ACL is incorrect and in the wrong direction - however, this would not stop telnet access.

Check your NAT and your routes. If you still only want to allow telnet out to the internet and block all other traffic, then your ACL should read:-

access-list acl_out permit tcp host any eq telnet

access-group acl_out out interface outside

There are better ways of doing this - but the above corrects what you are trying to do.


arulkumar80 Wed, 08/05/2009 - 03:09

Thanks for your reply.

I got some idea from your reply.

My requirement is as follows:

There is a public server ( say want to telnet to from my lan network.

Please advise what commands I need to issue on the firewall (PIX 515E).

lan n/w ----- firewall ----- router ---- internet cloud ----

Please advise me on the correct NAT configuration.

OK - so that version does not allow the outbound ACL attachment feature on an interface. So you would need to block on the inside interface:-


global (outside) 1 interface

nat (inside) 1

The above NATs all internal traffic onto the internet using the IP address of the outside interface.

access-list inside-out permit tcp host host eq 23

access-list inside-out deny ip any any

access-group inside-out in interface inside

The above will allow host to telnet to - BUT will block ALL other traffic from the inside to the outside.


sudheesh.pb Fri, 08/07/2009 - 23:17


Here, with the ACLs you are permitting the traffic, but I hope there is no static translation to for this server.

To access this server through telnet, execute the following command on the PIX:

static (inside,outside) netmask

Hope the server is residing in the "inside" DMZ. If it is not in the inside DMZ, use the appropriate DMZ name in the static rule.

Hope you have routing enabled for the network from which you are trying outside.

Try this and respond back.
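As an added example that is not part of any post in this thread, here is the configuration the two replies above describe, written out in full with placeholder addresses (the real addresses were stripped from the page). The LAN addresses 192.168.1.10 and 192.168.1.5 (RFC 1918) and the public addresses 203.0.113.5, 203.0.113.50 and 198.51.100.20 (RFC 5737 documentation ranges) are assumptions, as are the ACL names inside-out and outside-in. Case 1 is the outbound scenario the original poster asked about; case 2 is the static translation from the last reply, which only applies if the telnet server actually sits behind this PIX. Syntax is PIX 6.x, matching the commands quoted in the thread.

```cisco
! Added example, not taken from the thread. All addresses and ACL names
! below are placeholders chosen for illustration.

! --- Case 1: a LAN client telnets OUT to a public server ---------------
! PAT every inside host to the address of the outside interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! ACL applied inbound on the INSIDE interface (the direction the reply
! above recommends): only client 192.168.1.10 may open telnet to the public
! server 203.0.113.5; every other flow from the LAN is explicitly denied.
access-list inside-out permit tcp host 192.168.1.10 host 203.0.113.5 eq telnet
access-list inside-out deny ip any any
access-group inside-out in interface inside

! No entry on the outside interface is needed for the reply packets: the
! PIX is stateful and admits responses to connections the inside host opened.
! An ACL such as "permit tcp any host 192.168.1.10 eq telnet" applied
! inbound on OUTSIDE would describe connections INTO the client, not out of
! it, which is why the first reply calls the original ACL "wrong direction".

! --- Case 2: the telnet server sits BEHIND this PIX (last reply) --------
! Publish inside host 192.168.1.5 on public address 203.0.113.50 ...
static (inside,outside) 203.0.113.50 192.168.1.5 netmask 255.255.255.255
! ... and admit telnet to it only from one trusted source address. Applying
! any ACL inbound on outside replaces the default deny-all, so keep the
! permit as narrow as possible.
access-list outside-in permit tcp host 198.51.100.20 host 203.0.113.50 eq telnet
access-group outside-in in interface outside
```

To check that the policy is doing what you expect, `show access-list inside-out` prints a hit count per entry, so a growing count on the permit line (and not on the deny line) confirms the client's telnet is matching; `show xlate` shows the PAT or static translation in use, and `show conn` lists the telnet connection itself. If the permit hit count stays at zero, the problem is routing or NAT rather than the ACL, which is the point the first reply makes.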



