
New Member

not able to telnet to a public server

Hi,

I am not able to telnet to a public server behind the firewall, but I am able to ping that firewall.

I have given the following commands:

access-list acl_out permit tcp any host 192.168.1.1 eq telnet

access-group acl_out in interface outside

192.168.1.1 is the host on my LAN network.

Please advise if my commands are correct and if anything has to be added.

6 REPLIES

Re: not able to telnet to a public server

Your ACL is incorrect and in the wrong direction; however, this would not stop telnet access.

Check your NAT and your routes. If you still want to only allow 192.168.1.1 to telnet out to the internet and block all other traffic, then your ACL should read:

access-list acl_out permit tcp host 192.168.1.1 any eq telnet

access-group acl_out out interface outside

There are better ways of doing this, but the above corrects what you are trying to do.

HTH>

New Member

Re: not able to telnet to a public server

Thanks for your reply.

I got some idea from your reply.

My requirement is as follows:

There is a public server (say 1.1.1.1). I want to telnet to 1.1.1.1 from my LAN network.

Please advise what commands I need to issue on the firewall (PIX 515E).

lan n/w ----- firewall ----- router ---- internet cloud ---- 1.1.1.1

Please advise me of the correct NAT configuration.

Re: not able to telnet to a public server

What version of software are you running?

New Member

Re: not able to telnet to a public server

PIX Version 6.3(5)

Re: not able to telnet to a public server

OK, so that version does not allow the "out" bound ACL attachment feature on an interface. So you would need to block on the inside interface:

NAT

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

The above NATs all internal traffic onto the internet using the IP address of the outside interface.

access-list inside-out permit tcp host 192.168.1.1 host 1.1.1.1 eq 23

access-list inside-out deny ip any any

access-group inside-out in interface inside

The above will allow host 192.168.1.1 to telnet to 1.1.1.1, BUT will block ALL other traffic from the inside to the outside.

HTH>
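To make the first-match and implicit-deny behaviour behind this answer concrete, the following Python model is an added example (not code from the thread or from Cisco): it parses the PIX 6.3 access-list lines quoted in this thread and evaluates sample flows against the `inside-out` list. It handles only the `any`, `host`, network/mask and `eq` forms used here, and the sample flows are constructed.

```python
import ipaddress

# Constructed copy of the PIX 6.3 access-list lines quoted in this thread.
ACL_TEXT = """
access-list acl_out permit tcp any host 192.168.1.1 eq telnet
access-list inside-out permit tcp host 192.168.1.1 host 1.1.1.1 eq 23
access-list inside-out deny ip any any
"""

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}  # keywords PIX accepts after "eq"


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text, name):
    """Return the ACEs of access-list `name`, in the order they were entered."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", name]:
            continue  # line belongs to a different list
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        port = None
        if rest[:1] == ["eq"]:  # destination port, numeric or keyword
            port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        aces.append((action, proto, src, dst, port))
    return aces


def evaluate(aces, proto, src, dst, dport):
    """First matching ACE wins; falling off the end is the PIX implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst, aport in aces:
        if (aproto in ("ip", proto) and s in asrc and d in adst
                and (aport is None or aport == dport)):
            return action
    return "deny"  # nothing matched: implicit deny at the end of the list


def inside_out_decisions():
    """Decide four constructed sample flows against the inside-out list."""
    aces = parse_acl(ACL_TEXT, "inside-out")
    flows = [("tcp", "192.168.1.1", "1.1.1.1", 23), ("tcp", "192.168.1.1", "1.1.1.1", 80),
             ("tcp", "192.168.1.2", "1.1.1.1", 23), ("udp", "192.168.1.1", "8.8.8.8", 53)]
    return {f: evaluate(aces, *f) for f in flows}
```

Evaluating a flow from 192.168.1.1 to 1.1.1.1 against the original poster's `acl_out` list falls through to the implicit deny, because that list matches traffic destined to 192.168.1.1, which is the direction mistake the first reply points out.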

New Member

Re: not able to telnet to a public server

Hi,

Here, with the ACLs, you are permitting the traffic, but I hope there is no static translation for this server.

To access this server through telnet, execute the following command on the PIX:

static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255

Hope the server 192.168.1.1 is residing in the "inside" DMZ. If it is not in the inside DMZ, use the appropriate DMZ name in the static rule.

Hope you have routing enabled for the network you are trying from, on the outside.

Try this and respond back.

Thanks,

Sudheesh
