ASA5520 - Do we need to allow telnet itself?

Topology: both subnets 1.1.1.0/24 and 2.2.2.0/24 are somehow connected to asa5520, but to different interfaces. Say 1.1.1.0 is inside network, and 2.2.2.0 is outside network.

When we want to allow outbound traffic from 1.1.1.1 to 2.2.2.2 through port 25, we normally do:

access-list inside-in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

access-group inside-in in interface inside

and then we can try to test by telnet from 1.1.1.1 to 2.2.2.2, to see if the port is successfully opened:

telnet 2.2.2.2 25

My question is that before we start telnet testing, do we need to allow telnet port tcp 23 first?

access-list inside-in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 23

Or telnet is allowed by default?

Thanks

Stro


4 REPLIES

Re: ASA5520 - Do we need to allow telnet itself?

No, they are two different services, and no, tcp port 23 is not default allowed if you have an acl that does not permit it on the inside interface.

Re: ASA5520 - Do we need to allow telnet itself?

Hi Jan,

Thanks for your quick response.

It will be helpful if you could explain in a bit more detail. How are the two services different? Both smtp port 25 and telnet port 23 are tcp ports, at the transport layer.

So,

1. if I only have the following two lines, telnet will still get through. yes? Won't the implicit "deny any any" stop the telnet?

access-list inside-in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

access-group inside-in in interface inside

2. Only if I add a deny telnet acl (see below), then I won't be able to telnet from 1.1.1.1 to 2.2.2.2 any more. Am I right?

access-list inside-in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

access-list inside-in extended deny tcp host 1.1.1.1 host 2.2.2.2 eq 23

access-group inside-in in interface inside

Appreciate your time.

Stro

Re: ASA5520 - Do we need to allow telnet itself?

I was trying to make a point that "telnet" is only port 23, you just use the telnet application for your test on port 25, which is smtp.

1. Telnet on port 23 will NOT get through on that acl, you only allowed port 25, everything else will be caught by the deny any any that is always at the bottom of an acl.

2. This does the exact same thing, except you are specifically denying port 23, everything else will still be denied.
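To make Jan's point concrete, here is an added example (not from the thread or from Cisco) that models how an ASA extended ACL is evaluated: top-down, first match wins, and anything left over hits the implicit deny at the bottom. It parses the exact ACL lines posted above and checks the "telnet 2.2.2.2 25" test and a real telnet session to port 23 under both ACLs; the parser handles only the `host`/`any` and `eq` subset used here, and the smtp/telnet port-name shorthand is assumed.

```python
from collections import namedtuple

# One access control entry; dport None means "any destination port"
Ace = namedtuple("Ace", "action proto src dst dport")
PORT_NAMES = {"smtp": 25, "telnet": 23}  # names ASA accepts in place of numbers

def parse_ace(line: str) -> Ace:
    """Parse the 'access-list NAME extended ...' subset used in the thread."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, rest = tok[3], tok[4], tok[5:]
    addrs = []
    while len(addrs) < 2:                   # source first, then destination
        n = 2 if rest[0] == "host" else 1   # 'host A.B.C.D' vs. 'any'
        addrs.append(rest[n - 1])
        rest = rest[n:]
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, addrs[0], addrs[1], dport)

def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching ACE decides; with no match the implicit deny applies."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if ace.src not in ("any", src) or ace.dst not in ("any", dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # the implicit 'deny any any' at the bottom of every ACL

# The two ACLs from the thread, built from the lines posted above
ACL_1 = [parse_ace("access-list inside-in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 25")]
ACL_2 = ACL_1 + [parse_ace("access-list inside-in extended deny tcp host 1.1.1.1 host 2.2.2.2 eq 23")]

def thread_results() -> dict:
    """The port-25 test versus a real telnet (port 23) session, under each ACL."""
    return {
        "acl1_test_on_25": evaluate(ACL_1, "tcp", "1.1.1.1", "2.2.2.2", 25),
        "acl1_telnet_23": evaluate(ACL_1, "tcp", "1.1.1.1", "2.2.2.2", 23),
        "acl2_telnet_23": evaluate(ACL_2, "tcp", "1.1.1.1", "2.2.2.2", 23),
        "acl1_other_dst": evaluate(ACL_1, "tcp", "1.1.1.1", "2.2.2.3", 25),
    }

if __name__ == "__main__":
    for name, verdict in thread_results().items():
        print(f"{name}: {verdict}")
```

The port-25 test is permitted by the first ACL, while port 23 is denied under both ACLs, so the explicit deny line changes nothing that the implicit deny was not already doing.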

Re: ASA5520 - Do we need to allow telnet itself?

Thanks Jan. Your explanation is to the point. I get it now. Stro.
