Rules to disallow access to our network from outside using Telnet service

bipot
Level 1

Which commands do I use to disallow certain external access to our network using the Telnet service


12 Replies

jackko
Level 7

pix by default denies any inbound traffic unless otherwise permitted by an inbound acl. in other words, a telnet request originating from the outside will be dropped by the pix.

Please give me a clue on which line I should look at which allows telnet service from outside our network

firstly, static is required; and secondly, inbound acl.

e.g.

static (inside,outside) tcp interface 23 netmask 255.255.255.255

static (inside,outside) netmask 255.255.255.255

access-list inbound permit tcp any interface outside eq 23

access-list inbound permit tcp any eq 23

access-group inbound in interface outside

actually, to verify whether these commands have been configured on your pix, you can do "sh access-g" and see if there is an acl being applied on the outside interface.

You might also check for this type of command:

telnet 0.0.0.0 0.0.0.0 outside

where 0.0.0.0 0.0.0.0 is anything. Of course, any set of IP addresses with the outside keyword after it could allow telnet access from outside, if at least some, if not all, of what JACKKO said is true!

Hope that helps

Marc

Jacko & marc - I'm not too familiar with PIX. I'm trying to work my way around my problem.

Jacko when I do a 'show access-g' this is what I get.

access-group acl_in in interface outside

access-group acl_out in interface inside

access-group acl_dmz in interface dmz

which line do I look at?

what does the line 'telnet public address, subnet mask /24 outside' mean?

how do I remove a generic account from the configs. Which mode do I remove a generic username from?

to remove an account, you need to be in conf mode. i.e. pix(config)#

the command is "no username xxx"

Thanks Jackko. it worked!

access-group acl_in in interface outside

access-group acl_out in interface inside

access-group acl_dmz in interface dmz

acl_in = traffic originated from outside and destined for inside or dmz

acl_out = traffic originated from inside and destined for outside or dmz

acl_dmz = traffic originated from dmz and destined for inside or outside

to view what exactly is being permitted or denied for traffic originated from outside, do "sh access-list acl_in"

e.g.

pix# sh access-l acl_in

access-list acl_in; 6 elements

access-list acl_in line 1 permit icmp any any echo-reply (hitcnt=445641)

access-list acl_in line 2 permit icmp any any unreachable (hitcnt=2243870)

access-list acl_in line 3 permit icmp any any time-exceeded (hitcnt=2161426)

access-list acl_in line 4 permit esp any any (hitcnt=18)

access-list acl_in line 5 permit tcp any 1.1.1.1 eq 80

access-list acl_in line 6 permit tcp any 1.1.1.2 eq 443

with the sample above, line 5 means any host from the internet will be able to access the server 1.1.1.1 with tcp port 80 (http); line 6 means any host from the internet will be able to access the server 1.1.1.2 with tcp port 443 (https).

regarding the command "telnet outside", "telnet" is used to permit telnet access to the pix directly, such as remote management of the pix. however, this statement "telnet outside" will not yield anything; since the pix doesn't allow telnet on the outside interface, the pix only allows ssh from the internet.
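As an added example (not from this thread, and not Cisco's own tooling), a small Python audit that applies jackko's reading of the output: find the ACL bound inbound on the outside interface, list the permit entries in it that open tcp/23, and note any "telnet ... outside" management statement of the kind Marc mentions. The sample output is constructed to resemble what "sh access-group", "sh access-list" and "sh telnet" print on a PIX; entries in ACLs bound to other interfaces are deliberately ignored, since only the outside ACL governs traffic coming in from the internet.

```python
import re

# Constructed sample output modelled on the thread (not from a real device).
SAMPLE_ACCESS_GROUP = """\
access-group acl_in in interface outside
access-group acl_out in interface inside
access-group acl_dmz in interface dmz
"""
SAMPLE_ACCESS_LIST = """\
access-list acl_in; 5 elements
access-list acl_in line 1 permit icmp any any echo-reply (hitcnt=445641)
access-list acl_in line 2 permit tcp any 1.1.1.1 eq 80 (hitcnt=12)
access-list acl_in line 3 permit tcp any interface outside eq 23 (hitcnt=3)
access-list acl_in line 4 permit tcp any 1.1.1.2 eq telnet (hitcnt=0)
access-list acl_in line 5 deny tcp any any eq 23
access-list acl_out line 1 permit tcp any any eq 23 (hitcnt=9)
"""
SAMPLE_TELNET = "telnet 10.0.0.0 255.255.255.0 inside\ntelnet 0.0.0.0 0.0.0.0 outside\n"

# One access-list entry as printed by "sh access-list"; the hitcnt part is optional.
ACE_RE = re.compile(
    r"^access-list (\S+) line (\d+) (permit|deny) (\w+) (.+?)(?: \(hitcnt=(\d+)\))?$"
)


def outside_acl(access_group_out):
    """Name of the ACL applied inbound on the outside interface, or None."""
    for line in access_group_out.splitlines():
        m = re.match(r"^access-group (\S+) in interface outside$", line.strip())
        if m:
            return m.group(1)
    return None


def telnet_exposures(access_group_out, access_list_out, telnet_out):
    """Permit entries for tcp/23 in the outside ACL, plus any 'telnet ... outside'
    statement. ACLs bound to inside/dmz do not govern inbound traffic and are skipped."""
    acl = outside_acl(access_group_out)
    findings = []
    for line in access_list_out.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl or m.group(3) != "permit":
            continue
        name, num, _, proto, rest, hits = m.groups()
        # PIX prints the port either as a number or as the keyword 'telnet'.
        if proto == "tcp" and re.search(r"\beq (23|telnet)\b", rest):
            findings.append(f"{name} line {num}: {rest} (hits={hits or 0})")
    for line in telnet_out.splitlines():
        if line.strip().endswith(" outside"):
            findings.append("management: " + line.strip())
    return findings
```

Run it against pasted "sh access-group" / "sh access-list" / "sh telnet" output; each finding points at the exact line to remove with the corresponding "no access-list ..." or "no telnet ..." command.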

thanks jackko.

I don't think the request wasn't too specific.

I will get back to you once I confirm everything.

it's good to learn that one of your issues has been resolved. please feel free to discuss any other issue you've got.

according to cisco,

Why should I rate posts?

If you see a post that you think deserves recognition, please take a moment to rate it.

You'll be helping yourself and others to quickly identify useful content -- as determined by members. And you'll be ensuring that people who generously share their expertise are properly acknowledged. As posts are rated, the value of those ratings are accumulated as "points" and summarized on the Member Profile page and on each member's Preferences page.
