
New Member

Rules to disallow access to our network from outside using Telnet service

Which commands do I use to disallow certain external access to our network using the Telnet service

Accepted Solutions
Gold

Re: Rules to disallow access to our network from outside using T

it's good to learn that one of your issues has been resolved. please feel free to discuss any other issue you've got.

according to cisco,

Why should I rate posts?

If you see a post that you think deserves recognition, please take a moment to rate it.

You'll be helping yourself and others to quickly identify useful content -- as determined by members. And you'll be ensuring that people who generously share their expertise are properly acknowledged. As posts are rated, the value of those ratings are accumulated as "points" and summarized on the Member Profile page and on each member's Preferences page.

12 REPLIES
Gold

Re: Rules to disallow access to our network from outside using T

pix by default denies any inbound traffic unless otherwise permitted by an inbound acl. in other words, a telnet request originating from the outside will be dropped by pix.

New Member

Re: Rules to disallow access to our network from outside using T

Please give me a clue on which line I should look at which allows telnet service from outside our network

Gold

Re: Rules to disallow access to our network from outside using T

firstly, static is required; and secondly, inbound acl.

e.g.

static (inside,outside) tcp interface 23 netmask 255.255.255.255

static (inside,outside) netmask 255.255.255.255

access-list inbound permit tcp any interface outside eq 23

access-list inbound permit tcp any eq 23

access-group inbound in interface outside

actually, to verify whether these commands have been configured on your pix, you can do "sh access-g" and see if there is an acl being applied on the outside interface.

New Member

Re: Rules to disallow access to our network from outside using T

You might also check for this type of command:

telnet 0.0.0.0 0.0.0.0 outside

where 0.0.0.0 0.0.0.0 is anything. Of course, any set of IP addresses with the outside keyword after it could allow telnet access from outside, if at least some, if not all, of what JACKKO said is true!

Hope that helps

Marc

New Member

Re: Rules to disallow access to our network from outside using T

Jacko & marc - I'm not too familiar with PIX. I'm trying to work my way around my problem.

Jacko when I do a 'show access-g' this is what I get.

access-group acl_in in interface outside

access-group acl_out in interface inside

access-group acl_dmz in interface dmz

which line do I look at?

New Member

Re: Rules to disallow access to our network from outside using T

what does the line 'telnet public address, subnet mask /24 outside' mean?

New Member

Re: Rules to disallow access to our network from outside using T

how do I remove a generic account from the configs? Which mode do I remove a generic username from?

Gold

Re: Rules to disallow access to our network from outside using T

to remove an account, you need to be in conf mode. i.e. pix(config)#

the command is "no username xxx"

New Member

Re: Rules to disallow access to our network from outside using T

Thanks Jackko. it worked!

Gold

Re: Rules to disallow access to our network from outside using T

access-group acl_in in interface outside

access-group acl_out in interface inside

access-group acl_dmz in interface dmz

acl_in = traffic originated from outside and destined for inside or dmz

acl_out = traffic originated from inside and destined for outside or dmz

acl_dmz = traffic originated from dmz and destined for inside or outside

to view what exactly is being permitted or denied for traffic originated from outside, do "sh access-list acl_in"

e.g.

pix# sh access-l acl_in

access-list acl_in; 6 elements

access-list acl_in line 1 permit icmp any any echo-reply (hitcnt=445641)

access-list acl_in line 2 permit icmp any any unreachable (hitcnt=2243870)

access-list acl_in line 3 permit icmp any any time-exceeded (hitcnt=2161426)

access-list acl_in line 4 permit esp any any (hitcnt=18)

access-list acl_in line 5 permit tcp any 1.1.1.1 eq 80

access-list acl_in line 6 permit tcp any 1.1.1.2 eq 443

with the sample above, line 5 means any host from the internet will be able to access the server 1.1.1.1 with tcp port 80 (http); line 6 means any host from the internet will be able to access the server 1.1.1.2 with tcp port 443 (https).

regarding the command "telnet outside", "telnet" is used to permit telnet access to the pix directly, such as remote management of the pix. however, this statement "telnet outside" will not yield anything, since pix doesn't allow telnet on the outside interface; pix only allows ssh from the internet.
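An added audit helper, not from this thread or from Cisco, that applies the two checks Jackko describes: read "sh access-g" to find the ACL applied inbound on the outside interface (acl_in above), then read "sh access-list" and report every entry in that ACL that would let telnet (tcp/23) in from the outside. The sample output is constructed after the listings in this thread, and the function names are my own.

```python
TELNET_PORTS = {"23", "telnet"}

# Constructed sample output modelled on the thread's listings; acl_in line 7 and the
# acl_out entry are added so the check has something to report and something to ignore.
SHOW_ACCESS_GROUP = """\
access-group acl_in in interface outside
access-group acl_out in interface inside
access-group acl_dmz in interface dmz
"""
SHOW_ACCESS_LIST = """\
access-list acl_in; 7 elements
access-list acl_in line 1 permit icmp any any echo-reply (hitcnt=445641)
access-list acl_in line 5 permit tcp any 1.1.1.1 eq 80
access-list acl_in line 6 permit tcp any 1.1.1.2 eq 443
access-list acl_in line 7 permit tcp any host 1.1.1.3 eq 23 (hitcnt=12)
access-list acl_out line 1 permit tcp any any eq telnet
"""

def _take_addr(toks):
    """Consume one address spec: 'any', 'host X', 'X MASK', or a bare 'X' as in the thread."""
    if toks[0] == "host":
        return toks[1], toks[2:]
    if toks[0] != "any" and len(toks) > 1 and toks[1] not in ("eq", "range"):
        return toks[0] + "/" + toks[1], toks[2:]  # address followed by its netmask
    return toks[0], toks[1:]

def parse_ace(line):
    """Parse 'access-list NAME line N permit|deny PROTO SRC DST [eq PORT] [(hitcnt=X)]'."""
    toks = [t for t in line.split() if not t.startswith("(hitcnt=")]
    if len(toks) < 8 or toks[0] != "access-list" or toks[2] != "line":
        return None  # the 'acl_in; N elements' header or unrelated output
    src, rest = _take_addr(toks[6:])
    dst, rest = _take_addr(rest) if rest else (None, [])
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return {"acl": toks[1], "line": int(toks[3]), "action": toks[4],
            "proto": toks[5], "src": src, "dst": dst, "port": port}

def telnet_exposures(show_access_group, show_access_list):
    """(line, src, dst) for entries in the ACL applied inbound on outside that let tcp/23 through."""
    groups = (l.split() for l in show_access_group.splitlines())
    acl = next((t[1] for t in groups if t[2:] == ["in", "interface", "outside"]), None)
    found = []
    for ace in map(parse_ace, show_access_list.splitlines()):
        if ace is None or ace["acl"] != acl or ace["action"] != "permit":
            continue
        telnet = ace["proto"] == "tcp" and ace["port"] in TELNET_PORTS
        if telnet or (ace["proto"] == "ip" and ace["port"] is None):  # 'permit ip' has no port limit
            found.append((ace["line"], ace["src"], ace["dst"]))
    return found
```

Run it against the pasted output of "sh access-g" and "sh access-l" from your own pix; an empty result means nothing in the outside-inbound acl permits telnet.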

New Member

Re: Rules to disallow access to our network from outside using T

thanks jackko.

I don't think the request wasn't too specific.

I will get back to you once I confirm everything.

