
New Member

enable telnet redirection on the outside ASA Firewall

Hi,

I have:

1- Firewall configured with outside IP 201.100.100.1

2- Router 1 with loopback 10.1.1.1 (inside network)

3- Router 2 with loopback 10.2.2.2 (inside network)

I configured the following on the ASA:

Static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255

static (inside,outside) tcp 201.100.100.1 1200 10.2.2.2 telnet netmask 255.255.255.255

I configured an outside access list which allows access from any to host 201.100.100.1 using ports 1100 & 1200.

I need to telnet from the outside to the inside routers using the same outside interface. This configuration does not work. When I tried the same configuration using a different outside IP (not the outside interface IP), it worked fine. So could you please advise how I can do this using the same outside IP address? This scenario was asked in the Internetwork Expert scenarios for CCIE labs, but it didn't work for me.

Please advise if I missed something.

Thanks

8 REPLIES

Re: enable telnet redirection on the outside ASA Firewall

If you are using the outside interface address for translation then use the word interface instead of the address in the static command.

Remove:

no Static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255

Add:

Static (inside,outside) tcp interface 1100 10.1.1.1 telnet netmask 255.255.255.255

HTH

Sundar

Gold

Re: enable telnet redirection on the outside ASA Firewall

Also use "interface outside" instead of the IP in your ACL.

And make sure your firewall can ping the loopback IPs you're trying to connect to.

Re: enable telnet redirection on the outside ASA Firewall

Steven,

Using interface in place of address should take care of his problem as he stated he was able to connect to the inside router using a different outside address.

-Sundar

Gold

Re: enable telnet redirection on the outside ASA Firewall

Yes, and best practice is to also use "interface outside" in the ACL if you're using the IP of the interface for PAT.

New Member

Re: enable telnet redirection on the outside ASA Firewall

Thanks. It works for R1, which is located on the inside, but not for R2, which is located in the DMZ!

I applied the below commands:

access-list OUTSIDE extended permit tcp any interface outside eq 2223

access-list OUTSIDE extended permit tcp any interface outside eq 1123

!

static (inside,outside) tcp interface 1123 10.1.1.1 telnet netmask 255.255.255.255

static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255

!

Telnet is working for 10.1.1.1 but not for 10.1.2.2, while I can ping all of them.

Please advise.

Thanks,

Gold

Re: enable telnet redirection on the outside ASA Firewall

no static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255

static (dmz,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255

This assumes "dmz" is the name of your DMZ interface (as defined with the nameif command).

Re: enable telnet redirection on the outside ASA Firewall

For the DMZ, reconfigure your static for translation between the DMZ and the outside address.

static (DMZ,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255

I just noticed Steven had responded to this post as well.

Abdullah, if nat-control is enabled on the firewall, a NAT rule is required between a pair of interfaces, and that's the reason why you have to do this.

HTH

Sundar
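
The two fixes given in the replies above (the interface keyword for the mapped address, and naming the interface the real host sits behind), written as a small check over the static (real_if,mapped_if) statements quoted in this thread. This is an added example, not part of the original posts and not Cisco tooling; the inside and DMZ prefixes in REACHABLE and the function name lint_static are assumptions.

```python
import ipaddress
import re

# Outside address is the one given in the thread; the inside and DMZ prefixes
# are assumptions made for this example.
INTERFACE_IP = {"outside": "201.100.100.1"}
REACHABLE = {"inside": ["10.1.1.0/24"], "dmz": ["10.1.2.0/24"]}

# static (real_if,mapped_if) tcp|udp <mapped_ip|interface> <mapped_port> <real_ip> <real_port>
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(?:tcp|udp)\s+(\S+)\s+\S+\s+(\S+)\s+\S+", re.I)


def lint_static(line):
    """Return findings for one 'static' port-redirection line."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["not a static port-redirection statement"]
    real_if, mapped_if, mapped_ip, real_ip = (g.lower() for g in m.groups())
    findings = []
    # First fix in the thread: a mapped address equal to the interface's own
    # address has to be written with the 'interface' keyword.
    if mapped_ip == INTERFACE_IP.get(mapped_if):
        findings.append(f"use 'interface' instead of {mapped_ip}")
    # Second fix: the first name in the pair must be the interface the real
    # host actually sits behind (dmz, not inside, for 10.1.2.2).
    try:
        host = ipaddress.ip_address(real_ip)
    except ValueError:
        return findings  # real host given as a name; cannot check placement
    behind = [name for name, nets in REACHABLE.items()
              if any(host in ipaddress.ip_network(n) for n in nets)]
    if behind and real_if not in behind:
        findings.append(f"{real_ip} is behind '{behind[0]}', not '{real_if}'")
    return findings


# Statements quoted from the posts above.
SAMPLE = """\
static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255
static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255
static (inside,outside) tcp interface 1123 10.1.1.1 telnet netmask 255.255.255.255
static (dmz,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255
"""

if __name__ == "__main__":
    for stmt in SAMPLE.splitlines():
        print(stmt, "->", lint_static(stmt) or "ok")
```
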

New Member

Re: enable telnet redirection on the outside ASA Firewall

Thanks a lot. I am sitting from morning on the lab. It seems I should leave it because I cannot distinguish between DMZ and inside now. lol.

Thanks a lot. It works.
