Sep 25

After returning from vacation, Bob (the optimistic firewall technician) decided that he wanted to take some time and get a little bit more familiar with firewall configuration. He was able to get permission to use some spare equipment for practice.


He started with a basic configuration on the firewall:

hostname INEASA1
password cisco
enable password cisco

interface e0/1
 nameif inside
 no shut
 ip address 172.16.16.10 255.255.255.0
 security-level 90

interface e0/0
 nameif outside
 ip address 136.1.122.10 255.255.255.0
 security-level 10
 no shut

Bob verified that he could ping both R1 and his PC from the firewall. Now he wants to configure the firewall to allow telnet from his PC. He remembers that some additional configuration is needed on the firewall for this to work, but doesn’t remember exactly what. Since his PC isn’t connected to the internet, he can’t access the online documentation.

What additional configuration will allow Bob to telnet to the firewall from his PC?

There is more than one possible solution for this challenge. Feel free to post your proposed answer in the comments section. We will try to keep comments hidden from public view, so that the fun isn’t spoiled for others.

____

OK, so let’s look at the problem here. The PC is on the outside of the firewall, and according to multiple responses, you can’t telnet to the outside interface. (or can you?)

A few helpful hints when studying for the CCIE lab.

1. Don’t be afraid to go to the documentation, even for topics you think you know.
2. Re-read the question, to see just what you are asked to do and what your restrictions are.

So, where does the confusion about being able to telnet to the firewall come from? Perhaps it comes from trying in earlier versions, perhaps some confusion about what the documentation says, or perhaps someone read somewhere in the past that it just wouldn’t work.

Let’s start by carefully re-reading the documentation (ASA Configuration Guide > System Administration > Managing System Access > Allowing Telnet Access).

This section states:

“…The security appliance allows Telnet connections to the security appliance for management purposes. You cannot use Telnet to the lowest security interface unless you use Telnet inside an IPSec tunnel. …”

So, it doesn’t explicitly mention the outside, it mentions the “lowest security interface”. In most cases that is the outside, but not always.

A few “solutions”

1. Configure the switch so that Bob’s PC is on VLAN 121 instead of VLAN 122, configure the firewall to allow telnet on the inside interface. (Technically would meet requirements, but not much of a challenge.)

2. Change the security levels for the interfaces, making them the same or making the outside higher.

3. Add another interface with a lower security level:

interface e0/1.1
 vlan 123
 nameif DMZ
 security-level 9

4. Configure a VPN for the firewall, so that the telnet traffic to the lower security (outside) interface is encrypted and therefore allowed.

5. Configure the firewall to allow transit traffic through to R1. Telnet to R1, and then Telnet to the ASA from R1, after configuring the ASA to allow telnet on the inside interface.
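As an added example (not part of the original post), a small Python audit over the kind of config shown above: it parses each nameif/security-level pair and each `telnet <ip> <mask> <nameif>` statement, then applies the quoted rule to the baseline (telnet on outside refused) and to solution 3 (allowed once a lower-security interface exists). The sample configs are constructed from the post, only full keywords (no CLI abbreviations) are parsed, and the tie handling for solution 2 and the `ipsec_interfaces` parameter for solution 4 model the post’s description rather than a tested ASA.

```python
import re

# Constructed sample: Bob's interfaces from the post plus the commenters' telnet line.
BASE_CONFIG = """\
interface e0/1
 nameif inside
 security-level 90
interface e0/0
 nameif outside
 security-level 10
telnet 136.1.122.125 255.255.255.255 outside
"""
# Solution 3 from the post: a third interface with a lower security level.
DMZ_CONFIG = BASE_CONFIG + "interface e0/1.1\n vlan 123\n nameif DMZ\n security-level 9\n"

TELNET_RE = re.compile(r"^telnet\s+(\S+)\s+(\S+)\s+(\S+)$")  # telnet <ip> <mask> <nameif>

def parse_interfaces(config):
    """Map each nameif to its security-level (full keywords, no CLI abbreviations)."""
    levels, nameif, level = {}, None, None
    for raw in config.splitlines() + ["interface END"]:  # sentinel flushes the last block
        line = raw.strip()
        if line.startswith("interface "):
            if nameif is not None and level is not None:
                levels[nameif] = level
            nameif = level = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
    return levels

def audit_telnet(config, ipsec_interfaces=()):
    """(nameif, verdict) per 'telnet' statement: Telnet to the lowest-security interface
    is refused unless inside IPsec; a tie, as in solution 2, is not 'the lowest' (assumed)."""
    levels = parse_interfaces(config)
    findings = []
    for m in filter(None, (TELNET_RE.match(l.strip()) for l in config.splitlines())):
        ifname = m.group(3)
        if ifname not in levels:
            findings.append((ifname, "unknown interface"))
            continue
        unique_lowest = all(levels[ifname] < v for k, v in levels.items() if k != ifname)
        if unique_lowest and ifname not in ipsec_interfaces:
            findings.append((ifname, "refused: lowest-security interface without IPsec"))
        else:
            findings.append((ifname, "allowed"))
    return findings
```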



31 Responses to “Accessing the Firewall”

 
  1. Puneet says:

    Telnet on the outside does not work unless it is over a VPN, or you use SSH.

    Brainstorming here: Do port redirection on the ASA to redirect telnet sessions to R1 and then telnet to ASA. Allow telnet to ASA from inside/R1.

  2. Joshua Walton says:

    By design, you can’t telnet to a lower security interface unless you use telnet inside an IPSec tunnel.

    I am eager to see your answer if indeed there is another way. Of course, an ACL could be applied on the outside interface inbound to allow telnet THROUGH the appliance, for example to the router, and telnet from it to the inside interface of the ASA, but that’s if the inside interface were set to 100, which it’s not.

  3. GD says:

    ! allow the telnet connection from higher to lower security-level interface with ACL and apply to the inbound interface with access-group cmd

    access-list OUTSIDE_IN permit tcp host 136.1.122.125 host 172.16.16.1 eq 23
    access-group OUTSIDE_IN in interface outside

  4. Abu Mohammed says:

    telnet 136.1.122.125 outside

  5. Abu Mohammed says:

    telnet 136.1.122.125 255.255.255.255 outside

  6. Ramachandra says:

    INEASA1# conf t
    INEASA1(config)# access-list PERMIT_OUT_IN permit tcp host 136.1.122.125 172.16.16.0 255.255.255.0 eq telnet
    INEASA1(config)# access-group PERMIT_OUT_IN in interface outside

    Regards
    RAMACHANDRA
    CCIE # 21089

  7. Josh says:

    I think he could permit tcp 23 on the ASA outside interface, let the PC telnet to Router 1 and then he could telnet to the ASA from inside.

    I know it’s not the direct way to telnet from outside. I have the same question as Bob, I forgot the command line. :)

  8. Syed Khalid Ali says:

    Assuming that the Bob PC IP address is: 172.16.16.100 and located in INSIDE. The proper syntax will be:
    telnet 172.16.16.100 255.255.255.255 inside

    Also it should be noted that the ASA does not allow telnet from outside. Therefore we will need to configure “SSH” to access the firewall. I am assuming that the outside IP address for Bob’s PC is 136.1.122.100.

    username bob password bob
    aaa authentication ssh console LOCAL
    crypto key generate rsa modulus 1024
    ssh version 2
    ssh timeout 1
    ssh 136.1.122.100 255.255.255.255 outside

  9. Carlos Figueroa says:

    aaa authentication telnet console LOCAL
    telnet 136.1.122.125 255.255.255.255 outside

  10. Bruno says:

    If you want to TELNET the Firewall’s outside interface you are not allowed to. Why? Because the lowest security level configured on firewall is not allowed to telnet but only ssh. You can try doing “telnet 0 0 outside” but you won’t get any answer.

  11. Maxim says:

    1. You should allow telnet from outside (since the interface has its security-level set to 10, we don’t need IPsec to cover telnet traffic):
    telnet 0 0 outside

    2. It’s necessary to create a fake outside interface (more correctly, an interface with security level set to 0):
    interface eth2
    nameif fake
    security-level 0

    We don’t even need to set up an address or unshut it.

    With best regards.

  12. Sean says:

    telnet 136.1.122.125 255.255.255.255 outside

    aaa authentication telnet console LOCAL

  13. shrek says:

    The ASA will not allow telnet from his PC on the outside interface because it has the lowest security level.

    The only protocol allowed will be ssh.

    To allow telnet, he’ll need to create another interface with a security level less than 10.

    e.g.

    interface e0/2
    nameif DMZ
    no shut
    ip address 192.168.1.10 255.255.255.0
    security-level 5

    telnet 136.1.122.125 255.255.255.255 outside

  14. leilei says:

    domain-name wolf.com
    crypto key generate rsa
    ssh 136.1.122.125 255.255.255.0 outside
    username admin password wolfcciesec privilege 15
    aaa authentication ssh console LOCAL

  15. Mike says:

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    access-list 101 permit ip host 136.1.122.10 host 136.1.122.125
    !
    crypto map outside_map 10 set peer 136.1.122.125
    crypto map outside_map 10 set transform-set ESP-3DES-SHA
    crypto map outside_map 10 match access-list 101
    crypto map outside_map enable outside
    !
    telnet 136.1.122.125 255.255.255.255 outside
    !
    passwd cisco
    enable password cisco

  16. Sumit says:

    1: Allow tcp port 23 using acl on outside
    2: Change the security level of outside interface to be same as inside and then permit traffic between diff interface for same security level

  17. Jaeson Niki says:

    conf t
    interface e0/0
    security-level 91
    exit
    !
    telnet 136.1.122.155 255.255.255.255 outside
    !

  18. Gino says:

    access-list per_tel extended permit tcp any host 172.16.16.1 eq telnet
    access-group per_tel in interface outside

  19. Adjété says:

    First: configure access list on the firewall

    configure terminal
    access-list acl-inbound permit tcp host 136.1.122.125 host 172.16.16.1 eq 23

    access-group acl-inbound in interface outside
    static(inside,outside) 172.16.16.1 172.16.16.1

  20. Carlos Figueroa says:

    I miss the username.

    The full configuration is:

    username internetwork password expert privilege 15
    aaa authentication telnet console LOCAL
    telnet 136.1.122.125 255.255.255.255 outside

  21. Kelvin Dam says:

    I know it ain’t a configuration example, but real quick – one solution could be to create a remote-access VPN solution for Bob, including encryption of the ASA’s public IP. Through a VPN tunnel, telnet to the ASA is allowed.

    :-)

  22. James Wilson says:

    First I believe he would have to change the security-level of the outside interface, because you cannot telnet to the lowest security interface. I believe it would be something like so:
    interface e0/0
    nameif outside
    ip address 136.1.122.10 255.255.255.0
    security-level 90
    no shut

    aaa authentication telnet console LOCAL
    telnet 136.1.122.125 255.255.255.255 outside
    telnet timeout 5
    username bob password bob privilege 15

  23. Andrius Adamavicius says:

    Hi,

    Did anyone come up with the solution?

  24. Tommy says:

    He will have to create a static NAT and create an exception to allow the PC to telnet to the router.

    Below is the additional configuration:

    global (outside) 1 interface
    nat (inside) 1 172.16.16.0 255.255.255.0
    static (inside, outside) 136.1.122.10 172.16.16.1 netmask 255.255.255.255
    access-list out_in permit tcp host 136.1.122.10 host 136.1.122.125 eq 23
    access-group out_in in interface outside

  25. Tommy says:

    Oops. My access-list is actually backwards. It should read as below.

    access-list out_in permit tcp host 136.1.122.125 host 136.1.122.10 eq 23

  26. anonymous says:

    Please help promote security by using secure alternatives like SSH or HTTPS in your examples. Replacing Telnet with SSH and HTTP with HTTPS for management access does not fundamentally change the nature of this type of question.

  27. pitt2k says:

    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 43200

    isakmp enable outside

    ip local pool VPN-POOL 192.168.1.10-192.168.1.15

    username admin password cisco123

    crypto ipsec transform-set TSet esp-3des esp-md5-hmac

    tunnel-group RAgroup type ipsec-ra
    tunnel-group RAgroup general-attributes
    address-pool VPN-POOL
    tunnel-group RAgroup ipsec-attributes
    pre-shared-key very-secret-key

    crypto dynamic-map dyn1 1 set transform-set TSet
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside

    telnet 192.168.1.0 255.255.255.0 inside

    management-access inside

  28. Simas says:

    “telnet 136.1.122.125 255.255.255.255 outside” should be sufficient.

  29. Glenn Wylie says:

    Using ASDM

    import client server plug-in ssh/telnet to ASA
    configure bookmark list using ssh/telnet plugin
    assign bookmark list to defgrpolicy
    enable clientless ssl vpn on outside

    https://asa-ip
    select ssh/telnet from address drop-down

  30. Kalyan says:

    First, using telnet from the outside interface is not recommended because telnet is vulnerable, as it uses plain text.
    But if the situation demands it, I think we can configure the firewall to allow telnet from the outside interface.

    Please correct me if I am wrong.

    By default all traffic from the outside interface (sec level 0) is denied unless we configure ACLs to permit it.

    So if I create an ACL that permits telnet from the host to the ASA outside interface and also apply the following commands, telnet will work:

    access-list OUTSIDE_IN permit tcp host 136.1.122.125 host 136.1.122.10 eq 23

    Note: if the above ACL didn’t work, then use the ACL below.
    access-list OUTSIDE_IN permit tcp host 136.1.122.125 host 172.16.16.1 eq 23
    Note: for this ACL to work, routing should be in place.

    access-group OUTSIDE_IN in interface outside

    aaa authentication telnet console LOCAL

    telnet 136.1.122.125 255.255.255.255 outside

  31. Kalyan says:

    Also need to add inspect telnet in default global policy

 
