
Inbound Telnet Access?

Status
Not open for further replies.

dkraut

IS-IT--Management
Feb 5, 2003
75
US
I need to allow external Telnet access to an internal Telnet server through our PIX515. I thought I did this correctly but I still cannot access this telnet server from an external host (works fine internally)? I applied the following commands to our pix (IP addresses have been changed to protect privacy) >>

static (inside,outside) 149.54.11.195 172.16.24.39 netmask 255.255.255.255
access-list inbound permit tcp any host 149.54.11.195 eq telnet
access-group inbound in interface outside

 
Did u apply it to the interface?

access-group COMMINGIN in interface outside

Can't see a problem with the other statements.

Ta

Fat

===

Fatman Superstar (Andrew James)

CCNA,
(CCNA Cisco Academy Instructor Trained)
 
Yes... even tried it again.

from config mode>> access-group inbound in interface outside

Do I need to specify the access-list number in the command above or will it apply all access-lists? When I run a show access-list, the new access-list shows up as >>

access-list inbound line 22 permit tcp any host 149.54.11.195 eq telnet (hitcnt=0)

%-)
 

Can u post full config pls


===

Fatman Superstar (Andrew James)

CCNA,
(CCNA Cisco Academy Instructor Trained)
 
from a pix textbook:

There are some restrictions on Telnet depending on the interface you use. The inside interface allows Telnet without encryption, whereas encryption (through VPN) is needed for the outside interface

 
From what I know, u can only telnet through an IPsec tunnel from the outside interface. You will be better off just using ssh from the outside.
 
dkraut -

run a debug on the PIX outside interface and see if any traffic is coming in destined for 149.54.11.195 on port 23.

use the following

debug packet outside dst 149.54.11.195 netmask 255.255.255.255 proto tcp dport 23

This will at least tell you if traffic is coming into the PIX destined for 149.54.11.195 on port 23.

If so, then run a debug on the PIX inside interface to see if traffic is getting thru the PIX, if it's being translated correctly and if you're getting any response from the telnet server.

use the following:

debug packet inside src 172.16.24.39 netmask 255.255.255.255

Hope this helps.

 
All -

I don't believe you need any encryption or IPSec to allow telnet thru the PIX (from outside to inside). All you need is the appropriate ACLs. If encryption is needed, could someone pls show me some documentation stating this.

 
Guys,
I got this resolved. This post was a bit confusing because some thought I wanted to Telnet directly into the PIX from an external client. That was not the case, I simply wanted to enable an external client to telnet "thru" the PIX and connect to a client on our internal network. After tearing most of my hair out and just before jumping out of the window, I realized that there was a Cisco 2600 router sitting on the perimeter in front of this pix. Upon examination, I found that this router was denying Telnet via an access list. Doh! :)
Anyway, after altering the access list to allow telnet access thru both the router and the PIX, all worked perfectly.

Thanks for all the info and tips!
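
The checks this thread walks through, collected as an added example that is not part of any post: it cross-checks the `static`, `access-list` and `access-group` lines against each other and treats a `hitcnt=0` on the matching entry as a sign that the traffic never reached the PIX. The function name `check_inbound` is hypothetical, the sample is constructed from the lines quoted in the thread, and only the `permit tcp any host X eq Y` entry form is parsed.

```python
import re

# Constructed sample: the three commands from the first post plus the
# `show access-list` line quoted later in the thread.
SAMPLE = """\
static (inside,outside) 149.54.11.195 172.16.24.39 netmask 255.255.255.255
access-list inbound permit tcp any host 149.54.11.195 eq telnet
access-group inbound in interface outside
access-list inbound line 22 permit tcp any host 149.54.11.195 eq telnet (hitcnt=0)
"""

STATIC = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACE = re.compile(
    r"^access-list (\S+) (?:line \d+ )?permit tcp any host (\S+) eq (\S+)"
    r"(?: \(hitcnt=(\d+)\))?")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")

def check_inbound(text, service="telnet"):
    """Return findings for publishing `service` through the PIX (assumed helper)."""
    statics, aces, groups = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC.match(line):
            statics.append(m.groups())       # (real_if, mapped_if, global_ip, local_ip)
        elif m := ACE.match(line):
            aces.append(m.groups())          # (acl, dst_ip, port, hitcnt or None)
        elif m := GROUP.match(line):
            groups[m.group(2)] = m.group(1)  # interface -> bound ACL name
    findings = []
    for _real_if, mapped_if, global_ip, _local_ip in statics:
        acl = groups.get(mapped_if)
        if acl is None:
            findings.append(f"no access-group bound to interface {mapped_if}")
            continue
        # The ACL must name the translated (global) address, not the inside one.
        hits = [a for a in aces if a[:3] == (acl, global_ip, service)]
        counters = [int(a[3]) for a in hits if a[3] is not None]
        if not hits:
            findings.append(f"ACL {acl} has no permit for {global_ip} eq {service}")
        elif counters and sum(counters) == 0:
            # Nothing matched at the PIX: look at devices in front of it.
            findings.append(f"{global_ip} eq {service}: hitcnt=0, check upstream filtering")
    return findings

if __name__ == "__main__":
    print(check_inbound(SAMPLE))
```

On the thread's own configuration the only finding is the zero hit count, which matches the resolution: the perimeter router was dropping Telnet before it reached the PIX.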
 