After returning from vacation, Bob (the optimistic firewall technician) decided that he wanted to take some time and get a little bit more familiar with firewall configuration. He was able to get permission to use some spare equipment for practice.
![marvin_9-25[1] marvin_9-25[1]](http://blog.internetworkexpert.com/wp-content/uploads/2009/09/marvin_9-251.jpg)
He started with a basic configuration on the firewall:
hostname INEASA1
password cisco
enable password cisco
interface e0/1
 nameif inside
 no shut
 ip address 172.16.16.10 255.255.255.0
 security-level 90
interface e0/0
 nameif outside
 ip address 136.1.122.10 255.255.255.0
 security-level 10
 no shut
Bob verified that he could ping both R1 and his PC from the Firewall. Now, he wants to configure the firewall to allow telnet from his PC. He remembers that there was some additional configuration that needed to be done on the firewall to allow this to work, but doesn’t remember exactly what is needed. Since his PC isn’t connected to the internet, he is not able to access the online documentation.
What additional configuration will allow Bob to telnet to the firewall from his PC?
There is more than one possible solution for this challenge. Feel free to post your proposed answer in the comments section. We will try to keep comments hidden from public view, so that the fun isn’t spoiled for others.
____
OK, so let’s look at the problem here. The PC is on the outside of the firewall, and according to multiple responses, you can’t telnet to the outside interface. (or can you?)
A few helpful hints when studying for the CCIE lab.
1. Don’t be afraid to go to the documentation, even for topics you think you know.
2. Re-read the question, to see just what you are asked to do and what your restrictions are.
So, where does the confusion about being able to telnet to the firewall come from? Perhaps it comes from trying in earlier versions, perhaps some confusion about what the documentation says, or perhaps someone read somewhere in the past that it just wouldn’t work.
Let’s start by carefully re-reading the documentation. ASA – Config guide – system administration – managing system access – allowing telnet
This section states:
“…The security appliance allows Telnet connections to the security appliance for management purposes. You cannot use Telnet to the lowest security interface unless you use Telnet inside an IPSec tunnel. …”
So it doesn’t explicitly mention the outside interface; it mentions the “lowest security interface”. In most cases that is the outside, but not always: the restriction follows the security levels, not the name of the interface.
A few “solutions”
1. Configure the switch so that Bob’s PC is on VLAN 121 instead of VLAN 122, configure the firewall to allow telnet on the inside interface. (Technically would meet requirements, but not much of a challenge.)
2. Change the security levels for the interfaces, making them the same or making the outside higher.
3. Add another interface with a lower security level
int eth0/1.1
vlan 123
nameif DMZ
sec 9
4. Configure a VPN for the firewall, so that the telnet traffic to the lower security (outside) interface is encrypted and therefore allowed.
5. Configure the firewall to allow transit traffic through to R1. Telnet to R1, and then Telnet to the ASA from R1, after configuring the ASA to allow telnet on the inside interface.
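As an added illustration of the rule quoted above (an example written for this page, not part of the original post and not a Cisco tool), here is a small Python checker that parses an ASA-style configuration, works out which interface holds the lowest security level, and flags `telnet` statements the firewall will not honour. The sample configuration, the DMZ variant and the crypto-map variant are constructed for the example; the rule it encodes is the one from the documentation excerpt, plus the assumption (from solution 2 above) that a tie for the lowest level lifts the restriction.

```python
import re
from dataclasses import dataclass

# Constructed sample (not Bob's actual lab): his two interfaces plus the
# management lines a commenter might add.
SAMPLE_CONFIG = """\
hostname INEASA1
interface e0/1
 nameif inside
 security-level 90
 ip address 172.16.16.10 255.255.255.0
interface e0/0
 nameif outside
 security-level 10
 ip address 136.1.122.10 255.255.255.0
telnet 172.16.16.100 255.255.255.255 inside
telnet 136.1.122.125 255.255.255.255 outside
ssh 136.1.122.125 255.255.255.255 outside
"""

# Solution 3 from the post: a third interface with a lower level than outside.
DMZ_FIX = SAMPLE_CONFIG + "interface e0/1.1\n vlan 123\n nameif DMZ\n security-level 9\n"

# Solution 4 from the post: a crypto map bound to outside. For this checker we
# assume that binding is enough evidence that telnet can arrive inside the tunnel.
VPN_FIX = SAMPLE_CONFIG + "crypto map outside_map interface outside\n"

MGMT_RE = re.compile(r"^(telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ interface (\S+)$")


@dataclass
class Finding:
    line: str
    severity: str  # "error", "warn" or "info"
    message: str


def parse_interfaces(config):
    """Return {nameif: security-level} by walking the interface blocks."""
    levels, name, level = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            if name is not None and level is not None:
                levels[name] = level
            name, level = None, None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
    if name is not None and level is not None:
        levels[name] = level
    return levels


def check_management_access(config):
    """Flag telnet statements the ASA will not honour, plus cleartext use."""
    levels = parse_interfaces(config)
    findings = []
    if not levels:
        return findings
    lowest = min(levels.values())
    at_lowest = [n for n, lvl in levels.items() if lvl == lowest]
    # Only a *unique* lowest interface is off-limits; a tie (solution 2) lifts it.
    unique_lowest = at_lowest[0] if len(at_lowest) == 1 else None
    vpn_ifaces = set()
    for raw in config.splitlines():
        m = CRYPTO_RE.match(raw.strip())
        if m:
            vpn_ifaces.add(m.group(1))

    for raw in config.splitlines():
        line = raw.strip()
        m = MGMT_RE.match(line)
        if not m:
            continue
        proto, _host, _mask, iface = m.groups()
        if iface not in levels:
            findings.append(Finding(line, "error", f"no interface named {iface!r}"))
        elif proto == "telnet" and iface == unique_lowest:
            if iface in vpn_ifaces:
                findings.append(Finding(line, "info",
                    f"{iface} is the lowest-security interface; telnet only accepted inside the IPsec tunnel"))
            else:
                findings.append(Finding(line, "error",
                    f"{iface} is the lowest-security interface (level {lowest}); telnet sessions will not be accepted"))
        elif proto == "telnet":
            findings.append(Finding(line, "warn", "telnet is cleartext; prefer ssh"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as-is", SAMPLE_CONFIG), ("DMZ added", DMZ_FIX), ("VPN on outside", VPN_FIX)):
        print(f"== {label} ==")
        for f in check_management_access(cfg):
            print(f"  [{f.severity}] {f.line}: {f.message}")
```

Run as-is, Bob's `telnet ... outside` line is reported as an error; once the DMZ interface at level 9 is added, outside is no longer the lowest and the same line is merely a cleartext warning; with a crypto map bound to outside, the line is reported as reachable only inside the tunnel. The checker only reads the configuration, so it cannot tell whether the tunnel actually comes up; that still has to be verified on the box.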
31 Responses to “Accessing the Firewall”
Telnet on the outside does not work unless it is over a VPN or you use SSH.
Brainstorming here: Do port redirection on the ASA to redirect telnet sessions to R1 and then telnet to ASA. Allow telnet to ASA from inside/R1.
By design, you can’t telnet to a lower security interface unless you use telnet inside an IPSec tunnel.
I am eager to see your answer if indeed there is another way. Of course, an ACL could be applied on the outside interface inbound to allow telnet THROUGH the appliance, for example to the router, and telnet from it to the inside interface of the ASA, but that’s if the inside interface were set to 100, which it’s not.
! allow the telnet connection from higher to lower security-level interface with ACL and apply to the inbound interface with access-group cmd
access-list OUTSIDE_IN permit tcp host 136.1.122.125 host 172.16.16.1 eq 23
access-group OUTSIDE_IN in interface outside
telnet 136.1.122.125 outside
telnet 136.1.122.125 255.255.255.255 outside
INEASA1# conf t
INEASA1(config)# access-list PERMIT_OUT_IN permit tcp host 136.1.122.125 172.16.16.0 255.255.255.0 eq telnet
INEASA1(config)# access-group PERMIT_OUT_IN in interface outside
Regards
RAMACHANDRA
CCIE # 21089
I think he could permit tcp 23 on the ASA outside interface, let the PC telnet to Router 1 and then he could telnet to the ASA from inside.
I know it isn’t the direct way to telnet from outside; I have the same question as Bob, I forgot the command line.
Assuming that Bob’s PC IP address is 172.16.16.100 and it is located on the INSIDE, the proper syntax will be:
telnet 172.16.16.100 255.255.255.255 inside
Also it should be noted that the ASA does not allow telnet from outside. Therefore we will need to configure “SSH” to access the firewall. I am assuming that the outside IP address for Bob’s PC is 136.1.122.100.
username bob password bob
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024
ssh version 2
ssh timeout 1
ssh 136.1.122.100 255.255.255.255 outside
aaa authentication telnet console LOCAL
telnet 136.1.122.125 255.255.255.255 outside
If you want to TELNET to the firewall’s outside interface, you are not allowed to. Why? Because telnet is not allowed on the interface with the lowest security level configured on the firewall, only SSH. You can try doing “telnet 0 0 outside” but you won’t get any answer.
1. You should allow telnet from outside (since the interface has security-level set to 10 and we don’t need IPsec to cover telnet traffic):
telnet 0 0 outside
2. It’s necessary to create a fake outside interface (more correctly, an interface with security level set to 0):
interface eth2
nameif fake
security-level 0
We don’t even need to set up an address or unshut it.
With best regards.
telnet 136.1.122.125 255.255.255.255 outside
aaa authentication telnet console LOCAL
The ASA will not allow telnet from his PC on the outside interface because it has the lowest security level.
The only protocol allowed will be ssh.
To allow telnet, he’ll need to create another interface with a security level less than 10.
e.g
interface e0/2
nameif DMZ
no shut
ip address 192.168.1.10 255.255.255.0
security-level 5
telnet 136.1.122.125 255.255.255.255 outside
domain-name wolf.com
cry key generate rsa
ssh 136.1.122.125 255.255.255.255 outside
username admin password wolfcciesec pri 15
aaa authen ssh console LOCAL
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
access-list 101 permit ip host 136.1.122.10 host 136.1.122.125
!
crypto map outside_map 10 set peer 136.1.122.125
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match access-list 101
crypto map outside_map enable outside
!
telnet 136.1.122.125 255.255.255.255 outside
!
passwd cisco
enable password cisco
1: Allow tcp port 23 using acl on outside
2: Change the security level of outside interface to be same as inside and then permit traffic between diff interface for same security level
conf t
interface e0/0
security-level 91
exit
!
telnet 136.1.122.155 255.255.255.255 outside
!
access-list per_tel extended permit tcp any host 172.16.16.1 eq telnet
access-group per_tel in interface outside
First: configure access list on the firewall
configure terminal
access-list acl-inbound permit tcp host 136.1.122.125 host 172.16.16.1 eq 23
access-group acl-inbound in interface outside
static(inside,outside) 172.16.16.1 172.16.16.1
I missed the username.
The full configuration is:
username internetwork password expert privilege 15
aaa authentication telnet console LOCAL
telnet 136.1.122.125 255.255.255.255 outside
I know it aint a configuration example, but real quick – one solution could be to create a remote-access VPN solution for Bob, including encryption of the ASA’s public IP. Through a VPN tunnel, telnet to the ASA is allowed.
First I believe he would have to change the security-level of the outside interface. Because you cannot telnet to the lowest security interface. I believe it would be something like so….
interface e0/0
nameif outside
ip address 136.1.122.10 255.255.255.0
security-level 90
no shut
aaa authentication telnet console LOCAL
telnet 136.1.122.125 255.255.255.255 outside
telnet timeout 5
username bob password bob privilege 15
Hi,
Did anyone come up with the solution?
He will have to create a static NAT and create an exception to allow the PC to telnet to the router.
Below is the additional configuration:
global (outside) 1 interface
nat (inside) 1 172.16.16.0 255.255.255.0
static (inside,outside) 136.1.122.10 172.16.16.1 netmask 255.255.255.255
access-list out_in permit tcp host 136.1.122.10 host 136.1.122.125 eq 23
access-group out_in in interface outside
Oops. My access-list is actually backwards. It should read as below.
access-list out_in permit tcp host 136.1.122.125 host 136.1.122.10 eq 23
Please help promote security by using secure alternatives like SSH or HTTPS in your examples. Replacing Telnet with SSH and HTTP with HTTPS for management access does not fundamentally change the nature of this type of question.
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
ip local pool VPN-POOL 192.168.1.10-192.168.1.15
username admin password cisco123
crypto ipsec transform-set TSet esp-3des esp-md5-hmac
tunnel-group RAgroup type ipsec-ra
tunnel-group RAgroup general-attributes
address-pool VPN-POOL
tunnel-group RAgroup ipsec-attributes
pre-shared-key very-secret-key
crypto dynamic-map dyn1 1 set transform-set TSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
telnet 192.168.1.0 255.255.255.0 inside
management-access inside
“telnet 136.1.122.125 255.255.255.255 outside” should be sufficient.
Using ASDM
import client server plug-in ssh/telnet to ASA
configure bookmark list using ssh/telnet plugin
assign bookmark list to defgrpolicy
enable clientless ssl vpn on outside
https://asa-ip
select ssh/telnet from address drop-down
First, using telnet to the outside interface is not recommended because Telnet is vulnerable as it uses plain text.
But if the situation demands it, I think we can configure the firewall to allow telnet from the outside interface.
Please correct me if I am wrong.
By default all traffic from the outside interface (sec level 0) is denied unless we configure ACLs to permit it.
So if I create an ACL that permits telnet from the host to the ASA outside interface and also apply the following commands, telnet will work:
access-list OUTSIDE_IN permit tcp host 136.1.122.125 host 136.1.122.10 eq 23
Note: if the above ACL didn’t work then use the below ACL.
access-list OUTSIDE_IN permit tcp host 136.1.122.125 host 172.16.16.1 eq 23
Note: for this ACL to work, routing should be in place.
access-group OUTSIDE_IN in interface outside
aaa authentication telnet console LOCAL
telnet 136.1.122.125 255.255.255.255 outside
Also need to add inspect telnet in default global policy