11-10-2005 05:20 PM - edited 03-09-2019 01:00 PM
Which commands do I use to disallow certain external access to our network using the Telnet service
11-12-2005 02:28 AM
it's good to learn that one of your issues has been resolved. please feel free to discuss any other issue you've got.
according to cisco,
11-10-2005 05:36 PM
pix by default denies any inbound traffic unless otherwise permitted by an inbound acl. in other words, telnet request originated from the outside will be dropped by pix.
11-10-2005 06:42 PM
Please give me a clue on which line I should look at which allows telnet service from outside our network
11-10-2005 07:20 PM
firstly, static is required; and secondly, inbound acl.
e.g. (either the interface PAT form or the one-to-one static form, each with its matching acl line; the values in angle brackets are placeholders)
static (inside,outside) tcp interface 23 <inside_host_ip> 23 netmask 255.255.255.255
static (inside,outside) <outside_ip> <inside_host_ip> netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq 23
access-list inbound permit tcp any host <outside_ip> eq 23
access-group inbound in interface outside
actually, to verify whether these commands have been configured on your pix, you can do "sh access-g" and see if there is an acl being applied on the outside interface.
11-11-2005 04:51 AM
You might also check for this type of command:
telnet 0.0.0.0 0.0.0.0 outside
where 0.0.0.0 0.0.0.0 is anything. Of course, any set of IP addresses with the outside keyword after it could allow telnet access from outside, if at least some, if not all, of what JACKKO said is true!
Hope that helps
Marc
11-11-2005 05:13 PM
Jacko & marc - I'm not too familiar with PIX. I'm trying to work my way around my problem.
Jacko when I do a 'show access-g' this is what I get.
access-group acl_in in interface outside
access-group acl_out in interface inside
access-group acl_dmz in interface dmz
which line do I look at?
11-11-2005 05:17 PM
What does the line 'telnet public address, subnet mask /24 outside' mean?
11-11-2005 05:51 PM
how do I remove a generic account from the configs. Which mode do I remove a generic username from?
11-11-2005 05:54 PM
to remove an account, you need to be in conf mode. i.e. pix(config)#
the command is "no username xxx"
11-11-2005 07:44 PM
Thanks Jackko. it worked!
11-11-2005 05:51 PM
access-group acl_in in interface outside
access-group acl_out in interface inside
access-group acl_dmz in interface dmz
acl_in = traffic originated from outside and destined for inside or dmz
acl_out = traffic originated from inside and destined for outside or dmz
acl_dmz = traffic originated from dmz and destined for inside or outside
to view what exactly is being permitted or denied for traffic originated from outside, do "sh access-list acl_in"
e.g.
pix# sh access-l acl_in
access-list acl_in; 6 elements
access-list acl_in line 1 permit icmp any any echo-reply (hitcnt=445641)
access-list acl_in line 2 permit icmp any any unreachable (hitcnt=2243870)
access-list acl_in line 3 permit icmp any any time-exceeded (hitcnt=2161426)
access-list acl_in line 4 permit esp any any (hitcnt=18)
access-list acl_in line 5 permit tcp any 1.1.1.1 eq 80
access-list acl_in line 6 permit tcp any 1.1.1.2 eq 443
with the sample above, line 5 means any host from the internet will be able to access the server 1.1.1.1 with tcp port 80 (http); line 6 means any host from the internet will be able to access the server 1.1.1.2 with tcp port 443 (https).
regarding the command "telnet
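To turn the two checks discussed in this thread (an inbound acl on the outside interface permitting tcp/23 together with a static, and a "telnet ... outside" management line) into something repeatable, here is a small audit script. It is an added example for this thread, not code from Cisco or from any of the posters; the configuration it scans is constructed for illustration, and the IP addresses, acl names and the "no ..." negation form it prints are assumptions based on the PIX 6.x syntax quoted above. It accepts both running-config lines and the "line N ... (hitcnt=...)" form that "sh access-list" prints.

```python
import re

# Constructed sample configuration (not from the thread or any real device).
# It deliberately contains both paths the posts describe: an inbound acl plus
# static that lets tcp/23 through to an inside host, and a management
# "telnet ... outside" line that allows telnet to the pix itself.
SAMPLE_CONFIG = """\
access-list acl_in permit icmp any any echo-reply
access-list acl_in permit tcp any host 1.1.1.1 eq www
access-list acl_in permit tcp any host 1.1.1.2 eq 443
access-list acl_in permit tcp any interface outside eq 23
access-list acl_in permit tcp any host 1.1.1.3 eq telnet
access-list acl_out permit ip any any
access-group acl_in in interface outside
access-group acl_out in interface inside
static (inside,outside) tcp interface 23 10.0.0.5 23 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 10.0.0.6 netmask 255.255.255.255
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.0.0 255.255.255.0 inside
"""

# PIX accepts the port either numerically or by name.
TELNET_PORTS = {"23", "telnet"}

ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
# Matches running-config lines and "sh access-list" output
# ("access-list acl_in line 5 permit tcp any 1.1.1.1 eq 80 (hitcnt=12)").
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:line\s+\d+\s+)?permit\s+tcp\s+(.*?)\s+eq\s+(\S+)"
    r"(?:\s+\(hitcnt=\d+\))?$"
)
# static (inside,outside) tcp <global_ip|interface> <global_port> <local_ip> <local_port>
STATIC_PAT_RE = re.compile(
    r"^static\s+\((\S+),(\S+)\)\s+tcp\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)
# telnet <ip> <mask> <interface>  (management access to the pix itself)
MGMT_TELNET_RE = re.compile(r"^telnet\s+(\S+)\s+(\S+)\s+(\S+)$")


def outside_inbound_acls(config):
    """Names of the acls applied inbound on the outside interface
    (what "sh access-group" shows)."""
    names = set()
    for raw in config.splitlines():
        m = ACCESS_GROUP_RE.match(raw.strip())
        if m and m.group(2) == "outside":
            names.add(m.group(1))
    return names


def find_telnet_exposure(config):
    """Return {'acl': [...], 'static': [...], 'mgmt': [...]}, each a list of
    (line_number, line) tuples that expose telnet from the outside."""
    acls = outside_inbound_acls(config)
    findings = {"acl": [], "static": [], "mgmt": []}
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = ACL_RE.match(line)
        if m and m.group(1) in acls and m.group(3) in TELNET_PORTS:
            # Only acls actually bound to the outside interface matter; an
            # unbound acl permits nothing.
            findings["acl"].append((n, line))
            continue
        m = STATIC_PAT_RE.match(line)
        if m and m.group(2) == "outside" and m.group(4) in TELNET_PORTS:
            # Interface PAT on port 23. A one-to-one static (no "tcp" keyword)
            # is caught through the acl line that names its global address.
            findings["static"].append((n, line))
            continue
        m = MGMT_TELNET_RE.match(line)
        if m and m.group(3) == "outside":
            findings["mgmt"].append((n, line))
    return findings


def remediation(findings):
    """The negation commands that would close each flagged path, management
    line first (assumed "no <line>" syntax, as with "no username xxx")."""
    return ["no " + line for key in ("mgmt", "acl", "static")
            for _, line in findings[key]]


if __name__ == "__main__":
    result = find_telnet_exposure(SAMPLE_CONFIG)
    for key, hits in result.items():
        for n, line in hits:
            print(f"[{key}] line {n}: {line}")
    print("suggested fixes:")
    for cmd in remediation(result):
        print("  " + cmd)
```

Run it against the output of "sh run" (or paste "sh access-group" and "sh access-list acl_in" together) to get the same answer the thread arrives at by hand: the lines to look at are the ones in the acl bound to outside that end in "eq 23" or "eq telnet", any "static ... tcp ... 23" feeding them, and any "telnet ... outside" line.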
11-11-2005 07:48 PM
thanks jackko.
I don't think the request wasn't too specific.
I will get back to you once I confirm everything.