After returning from vacation, Bob (the optimistic firewall technician) decided that he wanted to take some time and get a little bit more familiar with firewall configuration. He was able to get permission to use some spare equipment for practice.

He started with a basic configuration on the firewall:

hostname INEASA1
password cisco
enable password cisco

interface e0/1
 nameif inside
 no shut
 ip address
 security-level 90

interface e0/0
 nameif outside
 ip address
 security-level 10
 no shut

Bob verified that he could ping both R1 and his PC from the Firewall. Now, he wants to configure the firewall to allow telnet from his PC. He remembers that there was some additional configuration that needed to be done on the firewall to allow this to work, but doesn’t remember exactly what is needed. Since his PC isn’t connected to the internet, he is not able to access the online documentation.

What additional configuration will allow Bob to telnet to the firewall from his PC?

There is more than one possible solution for this challenge. Feel free to post your proposed answer in the comments section. We will try to keep comments hidden from public view, so that the fun isn’t spoiled for others.


OK, so let’s look at the problem here. The PC is on the outside of the firewall, and according to multiple responses, you can’t telnet to the outside interface. (or can you?)

A few helpful hints when studying for the CCIE lab:

1. Don’t be afraid to go to the documentation, even for topics you think you know.
2. Re-read the question, to see just what you are asked to do and what your restrictions are.

So, where does the confusion about being able to telnet to the firewall come from? Perhaps it comes from trying in earlier versions, perhaps some confusion about what the documentation says, or perhaps someone read somewhere in the past that it just wouldn’t work.

Let’s start by carefully re-reading the documentation: ASA Config Guide – System Administration – Managing System Access – Allowing Telnet.

This section states:

“…The security appliance allows Telnet connections to the security appliance for management purposes. You cannot use Telnet to the lowest security interface unless you use Telnet inside an IPSec tunnel. …”

So, it doesn’t explicitly mention the outside, it mentions the “lowest security interface”. In most cases that is the outside, but not always.

A few “solutions”:

1. Configure the switch so that Bob’s PC is on VLAN 121 instead of VLAN 122, configure the firewall to allow telnet on the inside interface. (Technically would meet requirements, but not much of a challenge.)

2. Change the security levels for the interfaces, making them the same or making the outside higher.

3. Add another interface with a lower security level:

interface eth0/1.1
 vlan 123
 nameif DMZ
 security-level 9

4. Configure a VPN for the firewall, so that the telnet traffic to the lower security (outside) interface is encrypted and therefore allowed.

5. Configure the firewall to allow transit traffic through to R1. Telnet to R1, and then Telnet to the ASA from R1, after configuring the ASA to allow telnet on the inside interface.
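The quoted rule and solutions 2 and 3 above, as an added Python model that is not part of the post or of Cisco’s software: it reads the few ASA lines the rule depends on and reports whether Telnet to a named interface is refused as the lowest security interface, treating equal levels as allowed per solution 2; the config strings and the DMZ sub-interface are constructed for the example. It also flags, from an auditing standpoint, every interface where plaintext Telnet ends up reachable from a segment less trusted than the inside, which is exactly what solution 3 produces.

```python
# Added example (not from the post or Cisco); config text below is constructed.

def parse_asa(text):
    """Collect nameif/security-level pairs and 'telnet <ip> <mask> <nameif>' lines."""
    levels, telnet, cur = {}, {}, {}
    for raw in text.splitlines():
        line, parts = raw.strip(), raw.split()
        if line.startswith("interface "):
            cur = {}
        elif line.startswith("nameif "):
            cur["nameif"] = parts[1]
        elif line.startswith("security-level "):
            cur["level"] = int(parts[1])
        elif line.startswith("telnet ") and len(parts) == 4:
            telnet.setdefault(parts[3], []).append((parts[1], parts[2]))
        if "nameif" in cur and "level" in cur:
            levels[cur["nameif"]] = cur["level"]
    return levels, telnet

def telnet_verdict(levels, telnet, nameif, inside_ipsec=False):
    """Apply the documented rule to a Telnet attempt at interface `nameif`."""
    if nameif not in levels:
        return "unknown interface"
    if nameif not in telnet:
        return "refused: no 'telnet <ip> <mask> %s' line" % nameif
    lvl = levels[nameif]
    # "Lowest security interface" means strictly below every other interface;
    # equal levels (solution 2 above) do not trigger the refusal.
    is_lowest = all(lvl < other for n, other in levels.items() if n != nameif)
    if is_lowest and not inside_ipsec:
        return "refused: lowest security interface (only inside an IPsec tunnel)"
    return "allowed"

def audit(text):
    """Verdict per interface with a telnet line, plus interfaces where plaintext
    Telnet is reachable from a segment less trusted than the most trusted one."""
    levels, telnet = parse_asa(text)
    verdicts = {n: telnet_verdict(levels, telnet, n) for n in telnet}
    top = max(levels.values())
    exposed = [n for n, v in verdicts.items() if v == "allowed" and levels[n] < top]
    return verdicts, exposed

# Bob's two interfaces plus "telnet 0 0 outside" (constructed from the post's config).
BOB = ("interface e0/1\n nameif inside\n security-level 90\n"
       "interface e0/0\n nameif outside\n security-level 10\n"
       "telnet 0 0 outside\n")
# Solution 3 from the post: one more interface with a level below the outside.
WITH_DMZ = BOB + "interface e0/1.1\n nameif DMZ\n security-level 9\n"
```

Calling `audit(BOB)` refuses Telnet on the outside, while `audit(WITH_DMZ)` allows it and lists the outside as an exposed plaintext management path.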


31 Responses to “Accessing the Firewall”

  1. Puneet says:

    Telnet on the outside does not work unless it is over a VPN or do an SSH.

    Brainstorming here: Do port redirection on the ASA to redirect telnet sessions to R1 and then telnet to ASA. Allow telnet to ASA from inside/R1.

  2. Joshua Walton says:

    By design, you can’t telnet to a lower security interface unless you use telnet inside an IPSec tunnel.

    I am eager to see your answer if indeed there is another way. Of course, an ACL could be applied on the outside interface inbound to allow telnet THROUGH the appliance, for example to the router, and telnet from it to the inside interface of the ASA, but that’s if the inside interface were set to 100, which it’s not.

  3. GD says:

    ! allow the telnet connection from higher to lower security-level interface with ACL and apply to the inbound interface with access-group cmd

    access-list OUTSIDE_IN permit tcp host host eq 23
    access-group OUTSIDE_IN in interface outside

  4. Abu Mohammed says:

    telnet outside

  5. Abu Mohammed says:

    telnet outside

  6. Ramachandra says:

    INEASA1# configure terminal
    INEASA1(config)# access-list PERMIT_OUT_IN permit tcp host eq telnet
    INEASA1(config)# access-group PERMIT_OUT_IN in interface outside

    CCIE # 21089

  7. Josh says:

    I think he could permit tcp 23 on the ASA outside interface, let the PC telnet to Router 1 and then he could telnet to the ASA from inside.

    I know it’s not the direct way to telnet from outside; I have the same question as Bob, I forgot the command line. :)

  8. Syed Khalid Ali says:

    Assuming that Bob’s PC IP address is: and located on the INSIDE. The proper syntax will be:
    telnet inside

    Also it should be noted that the ASA does not allow telnet from outside. Therefore we will need to configure “SSH” to access the firewall. I am assuming that the outside IP address for Bob’s PC is

    username bob password bob
    aaa authentication ssh console LOCAL
    crypto key generate rsa modulus 1024
    ssh version 2
    ssh timeout 1
    ssh outside

  9. Carlos Figueroa says:

    aaa authentication telnet console LOCAL
    telnet outside

  10. Bruno says:

    If you want to TELNET to the Firewall’s outside interface you are not allowed to. Why? Because the lowest security level interface configured on the firewall is not allowed to telnet, only ssh. You can try doing “telnet 0 0 outside” but you won’t get any answer.

  11. Maxim says:

    1. You should allow telnet from outside (since the interface has security-level set to 10 and we don’t need ipsec to cover telnet traffic):
    telnet 0 0 outside

    2. It’s necessary to create a fake outside interface (more correctly, an interface with security level set to 0):
    interface eth2
    nameif fake
    security-level 0

    We don’t even need to set up an address or unshut it.

    With best regards.

  12. Sean says:

    telnet outside

    aaa authentication telnet console LOCAL

  13. shrek says:

    The ASA will not allow telnet from his PC on the outside interface because it has the lowest security level.

    The only protocol allowed will be ssh.

    To allow telnet, he’ll need to create another interface with a security level less than 10.


    interface e0/2
    nameif DMZ
    no shut
    ip address
    security-level 5

    telnet outside

  14. leilei says:

    crypto key generate rsa
    ssh outside
    username admin password wolfcciesec privilege 15
    aaa authentication ssh console LOCAL

  15. Mike says:

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    access-list 101 permit ip host host
    crypto map outside_map 10 set peer
    crypto map outside_map 10 set transform-set ESP-3DES-SHA
    crypto map outside_map 10 match access-list 101
    crypto map outside_map enable outside
    telnet outside
    passwd cisco
    enable password cisco

  16. Sumit says:

    1: Allow tcp port 23 using acl on outside
    2: Change the security level of outside interface to be same as inside and then permit traffic between diff interface for same security level

  17. Jaeson Niki says:

    conf t
    interface e0/0
    security-level 91
    telnet outside

  18. Gino says:

    access-list per_tel extended permit tcp any host eq telnet
    access-group per_tel in interface outside

  19. Adjété says:

    First: configure access list on the firewall

    configure terminal
    access-list acl-inbound permit tcp host host eq 23

    access-group acl-inbound in interface outside

  20. Carlos Figueroa says:

    I missed the username.

    The full configuration is:

    username internetwork password expert privilege 15
    aaa authentication telnet console LOCAL
    telnet outside

  21. Kelvin Dam says:

    I know it ain’t a configuration example, but real quick – one solution could be to create a remote-access VPN solution for Bob, including encryption of the ASA’s public IP. Through a VPN tunnel, telnet to the ASA is allowed.


  22. James Wilson says:

    First I believe he would have to change the security-level of the outside interface, because you cannot telnet to the lowest security interface. I believe it would be something like so:
    interface e0/0
    nameif outside
    ip address
    security-level 90
    no shut

    aaa authentication telnet console LOCAL
    telnet outside
    telnet timeout 5
    username bob password bob privilege 15

  23. Andrius Adamavicius says:


    Did anyone come up with the solution?

  24. Tommy says:

    He will have to create a static NAT and create an exception to allow the PC to telnet to the router.

    Below is the additional configuration:

    global (outside) 1 interface
    nat (inside) 1
    static (inside, outside) netmask
    access-list out_in permit tcp host host eq 23
    access-group out_in in interface outside

  25. Tommy says:

    Oops. My access-list is actually backwards. It should read as below.

    access-list out_in permit tcp host host eq 23

  26. anonymous says:

    Please help promote security by using secure alternatives like SSH or HTTPS in your examples. Replacing Telnet with SSH and HTTP with HTTPS for management access does not fundamentally change the nature of this type of question.

  27. pitt2k says:

    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 43200

    isakmp enable outside

    ip local pool VPN-POOL

    username admin password cisco123

    crypto ipsec transform-set TSet esp-3des esp-md5-hmac

    tunnel-group RAgroup type ipsec-ra
    tunnel-group RAgroup general-attributes
    address-pool VPN-POOL
    tunnel-group RAgroup ipsec-attributes
    pre-shared-key very-secret-key

    crypto dynamic-map dyn1 1 set transform-set TSet
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside

    telnet inside

    management-access inside

  28. Simas says:

    “telnet outside” should be sufficient.

  29. Glenn Wylie says:

    Using ASDM

    import client server plug-in ssh/telnet to ASA
    configure bookmark list using ssh/telnet plugin
    assign bookmark list to defgrpolicy
    enable clientless ssl vpn on outside

    select ssh/telnet from address drop-down

  30. Kalyan says:

    First, using telnet from the outside interface is not recommended because telnet is vulnerable as it uses plain text.
    But if the situation demands it, I think we can configure the firewall to allow telnet from the outside interface.

    Please correct me if I am wrong.

    By default all traffic from the outside interface (sec level 0) is denied unless we configure ACLs to permit it.

    So if I create an ACL that permits telnet from the host to the ASA outside interface and also apply the following commands, telnet will work:

    access-list OUTSIDE_IN permit tcp host host eq 23

    Note: if the above ACL didn’t work then use the below ACL.
    access-list OUTSIDE_IN permit tcp host host eq 23
    Note: for this ACL to work, routing should be there.

    access-group OUTSIDE_IN in interface outside

    aaa authentication telnet console LOCAL

    telnet outside

  31. Kalyan says:

    Also need to add inspect telnet in default global policy
