New Member

Telnet through outside PIX interface?

I have a PIX 501 separating my two internal networks.

I am located on network A (10.80.48.0) on the outside PIX interface. The server which I need to access is on network B (172.31.1.0) on the inside PIX interface.

Here is part of PIX config:

ip address outside 10.80.48.50 255.255.252.0

ip address inside 172.31.1.1 255.255.255.0

name 172.31.1.2 SERVER

static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255

access-list FromOutside permit ip any any

This allows me to ftp from network A to SERVER on network B.

How can I allow telnet (23) to SERVER from network A?

When I replace the static with:

static (inside,outside) tcp interface telnet SERVER telnet netmask 255.255.255.255

then telnet is working but ftp is not.

How can I make both ftp and telnet work?

Here are the log entries while I am trying to telnet from network A to SERVER (10.80.48.50) on network B:

Rec'd packet not an IPSEC packet. (ip) dest_addr= 10.80.48.50, src_addr= 10.80.48.47, prot= tcp

I would appreciate help

9 REPLIES
New Member

Re: Telnet through outside PIX interface?

Hi,

The reason is that either you have mapped only FTP access or telnet access in the static entry.

Delete the static NAT and use the following commands:

static (inside,outside) interface SERVER netmask 255.255.255.255

Hope it helps.

New Member

Re: Telnet through outside PIX interface?

Yes, it helped when I entered

static (inside,outside) interface SERVER netmask 255.255.255.255

but right now I cannot ssh to the outside interface of the PIX. The outside interface is (10.80.48.50).

before:

ssh to 10.80.48.50 - OK

ftp to 10.80.48.50 - OK

telnet to 10.80.48.50 - NOT OK

now:

ftp to 10.80.48.50 - OK

telnet to 10.80.48.50 - OK

ssh to 10.80.48.50 - NOT OK

I will have to remove the command I entered because I need to make changes on this PIX from time to time and I cannot access it anymore. Since it is in a remote location, I need to have ssh access to it. I will ask someone at this location to reload the PIX so I will have access to it again, but then telnet will not work anymore.

Any suggestion?

Re: Telnet through outside PIX interface?

Why are you 'replacing' the static?

Just enter both at once:

static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255

static (inside,outside) tcp interface telnet SERVER telnet netmask 255.255.255.255

Regards

Farrukh

New Member

Re: Telnet through outside PIX interface?

I tried, and the PIX doesn't accept two statics to the same interface, one for ftp and one for telnet.

You can have only one or the other.

New Member

Re: Telnet through outside PIX interface?

Try entering only the one command that I posted earlier, then check whether it is responding or not.

New Member

Re: Telnet through outside PIX interface?

I did the following:

no static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255

static (inside,outside) interface SERVER netmask 255.255.255.255

Now ftp and telnet are working, but I lost ssh access to the PIX as described in my previous post.

Re: Telnet through outside PIX interface?

Are you running 6.x code?

I know that this works on 7.x for sure...

The ASA will give you a 'warning' but it *will be* there when you do a 'show run static'.

Regards

Farrukh

New Member

Re: Telnet through outside PIX interface?

Yes, I run 6.3(4)

static (inside,outside) interface SERVER netmask 255.255.255.255 allows telnet, which is what I needed, but cuts my access to the PIX through ssh.

Any other way to allow telnet and ftp but still be able to ssh to PIX?

Can I somehow manually map ftp and telnet?

New Member

Re: Telnet through outside PIX interface?

Hi, as I think, it must connect via SSH. I would advise you to try to connect to the PIX through SSH and then check the logs and see why it's blocking the SSH connection.

Please post your logs.

Hope it will help
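Added example, not part of any post in this thread and not Cisco code: a small Python check over PIX 6.x configuration lines that flags the whole-address `static ... interface` form which, as reported above, took over SSH to the outside address, and also flags the `permit ip any any` access list. The function names, finding codes and sample config are constructed for illustration; only the command forms quoted in the thread are parsed.

```python
import re

# Constructed sample: the commands quoted in the thread, in the state where
# ftp and telnet worked but SSH to the PIX outside address was lost.
SAMPLE_CONFIG = """\
ip address outside 10.80.48.50 255.255.252.0
ip address inside 172.31.1.1 255.255.255.0
name 172.31.1.2 SERVER
static (inside,outside) interface SERVER netmask 255.255.255.255
access-list FromOutside permit ip any any
"""

def parse_static(line):
    """Parse a PIX 6.x 'static' line; return None for any other line."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static":
        return None
    rest = tok[2:]                       # tok[1] is "(real_if,mapped_if)"
    proto = rest.pop(0) if rest[0] in ("tcp", "udp") else None
    if proto and len(rest) >= 4:         # port redirection form
        mapped, mport, real, rport = rest[:4]
    elif not proto:                      # whole-address form
        mapped, real, mport, rport = rest[0], rest[1], None, None
    else:
        return None
    return {"proto": proto, "mapped": mapped, "mport": mport,
            "real": real, "rport": rport}

def audit(config):
    """Return (line_no, code, detail) findings; the codes are hypothetical."""
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        s = parse_static(line)
        if s and s["mapped"] == "interface" and s["proto"] is None:
            findings.append((no, "FULL_INTERFACE_STATIC",
                f"every connection to the interface address goes to {s['real']}; "
                "management sessions to the firewall itself are affected"))
        elif s and s["mapped"] == "interface":
            findings.append((no, "PORT_FORWARD",
                f"{s['proto']}/{s['mport']} -> {s['real']}:{s['rport']}"))
        elif re.match(r"access-list \S+ permit ip any any\b", line):
            findings.append((no, "PERMIT_ANY_ANY", "list permits all IP traffic"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```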
