08-04-2009 10:20 PM - edited 03-11-2019 09:02 AM
Hi,
I am not able to telnet to a public server behind the firewall, but I am able to ping that firewall.
I have given the following commands:
access-list acl_out permit tcp any host 192.168.1.1 eq telnet
access-group acl_out in interface outside
192.168.1.1 is the host on my LAN network.
Please advise if my commands are correct and if anything has to be added.
08-05-2009 12:31 AM
Your ACL is incorrect and in the wrong direction - however, this would not stop telnet access.
Check your NAT and your routes. If you still want to only allow 192.168.1.1 to telnet out to the internet and block all other traffic, then your ACL should read:-
access-list acl_out permit tcp host 192.168.1.1 any eq telnet
access-group acl_out out interface outside
There are better ways of doing this - but the above corrects what you are trying to do.
HTH>
08-05-2009 03:09 AM
Thanks for your reply.
I got some idea from your reply.
My requirement is as follows:
There is a public server (say 1.1.1.1). I want to telnet to 1.1.1.1 from my LAN network.
Please advise what commands I need to issue on the firewall (PIX 515E):
lan n/w ----- firewall ----- router ---- internet cloud ---- 1.1.1.1
Please advise me on the correct NAT configuration.
08-05-2009 03:11 AM
What version of software are you running?
08-05-2009 08:22 PM
PIX Version 6.3(5)
08-06-2009 12:34 AM
OK - so that version does not allow the outbound ACL attachment feature on an interface. So you would need to block on the inside interface:-
NAT
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
The above NATs all internal traffic onto the internet as the IP address of the outside interface.
access-list inside-out permit tcp host 192.168.1.1 host 1.1.1.1 eq 23
access-list inside-out deny ip any any
access-group inside-out in interface inside
The above will allow host 192.168.1.1 to telnet to 1.1.1.1 - BUT will block ALL other traffic from the inside to the outside.
HTH>
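As an added illustration (not part of this thread or of the PIX software), a small Python evaluator for the access-list lines posted above: it applies first-match semantics with the implicit deny at the end of the ACL, ignoring the access-group binding, to show that the inside-out ACL permits only 192.168.1.1 telnetting to 1.1.1.1 and denies everything else, while the original acl_out entry only ever matches the reverse direction (internet to 192.168.1.1 port 23). The port-name table and the restricted line format it accepts are assumptions.

```python
import ipaddress

# Added example, not from the thread. Handles only
# "access-list NAME permit|deny PROTO SRC DST [eq PORT]" with the
# any / host A / A MASK address forms; the port-name map is assumed.
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}

def _parse_addr(tokens):
    """Consume one address spec from the token list and return an ip_network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")  # network + mask form

def parse_ace(line):
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
    src, dst = _parse_addr(rest), _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, proto, src, dst, dport):
    """First matching ACE wins; no match falls through to the PIX implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if (ipaddress.ip_address(src) not in ace["src"]
                or ipaddress.ip_address(dst) not in ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every PIX ACL

# The two ACLs quoted in this thread.
ORIGINAL_ACL = ["access-list acl_out permit tcp any host 192.168.1.1 eq telnet"]
INSIDE_OUT_ACL = ["access-list inside-out permit tcp host 192.168.1.1 host 1.1.1.1 eq 23",
                  "access-list inside-out deny ip any any"]
```

Evaluating the outbound telnet SYN (192.168.1.1 to 1.1.1.1 port 23) against INSIDE_OUT_ACL returns "permit", any other inside host or port returns "deny", and ORIGINAL_ACL only returns "permit" for a flow from the internet to 192.168.1.1 port 23.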
08-07-2009 11:17 PM
Hi,
Here, with the ACLs you are permitting the traffic, but I hope there is no static translation for this server.
To access this server through telnet, execute the following command on the PIX:
static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255
Hope the server 192.168.1.1 is residing in the "inside" DMZ. If it is not in the inside DMZ, use the appropriate DMZ name in the static rule.
Hope you have routing enabled for the network you are trying from outside.
Try this and respond back.
Thanks,
Sudheesh