Permit 1 internal IP to telnet outside

Status
Not open for further replies.

pointer434

IS-IT--Management
Apr 9, 2003
18
US
Hello all,

I have one PC that is vendor supplied that needs to be able to telnet out to the vendor to initiate updates and so on. I have successfully configured telnet to be permitted from the IP of the PC to the PIX but I can't seem to get out and past the PIX with telnet. What I mean by this is that I cannot successfully connect to telnet sites on the net but I can connect to the PIX with this machine.

We are using a PIX 506E.

Could someone please help me with the command that is needed to permit this host to telnet out? I presume that it will be an ACL ?????? That permits port 22????

Thanks for any and all help.

Pointer
 
Actually, it's tcp port 23

access-list inside_outbound permit host <host_ip> host <public_ip> eq 23

If you've used "telnet <addr><mask> inside", that's only to allow telnet access *to* the Pix for management, not *through* the Pix.
 
Oops, forgot the protocol:

access-list inside_outbound permit tcp host <host_ip> host <public_ip> eq 23
 
Thanks for the reply!! I really do appreciate it.

But i really want to understand what is going on here.

My machine can telnet out on 22 or 23. The machine that I need to enable cannot, but for the life of me, I can't see in the config anything that is permitting my machine access.

Also, the actual port that needs to be used is indeed 22, which I assume is SSH, but telnet is being used to test it. For instance, from my machine, from the command line I can enter "telnet lrd.avss.ucsb.edu 22" and get through to a FreeBSD server. On the vendor supplied machine I cannot.

I also assume that I can enter the command that you gave me and just use the 22 instead of the 23, and/or put both in. But what is really pricking my curiosity is WHY mine gets through and no other machine on the network will. I have looked many many times for an ACL on my IP and do not see any at all (only one to allow local telnet access to the PIX for management). Also, the following entry is in the config and this appears to enable outside access using SSH:

access-list outside_access_in permit tcp any host xx.xx.xxx.xxx eq ssh

I will put in your suggestion but really really want to know where in the config my machine is determined to be special??

So.....

access-list inside_outbound permit tcp host <host_ip> host <public_ip> eq 23

I assume that I will enter this in twice, once for each port, or is 23 necessary when you only want to use 22?

Once again, many thanks for any and all help.

Pointer
 
OK, 22 will work. I thought "typo". You also don't need to permit 23 if you just need 22.

The ACL really might not be needed at all unless outbound traffic is restricted. You said "ACL" so that's the direction I started in.

A more likely case is the absence of proper NAT. Try this:

show nat
show global
show static

These'll tell you the translations that are used. See if there's anything different for your PC than others. Make sure that the vendor's computer is set up within the same address range as yours. Can the vendor get to anything on the Internet?

The default behaviour of the Pix is to allow everything out and replies back in, so http, telnet, etc. should work.

If you type show access-list you'll see the access-lists. You could look for anything suspicious, like special permissions relating to port 22.
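A worked PIX 6.x configuration fragment tying together the ACL and NAT points made in the replies above. This is added here as an illustration and is not from any post in this thread; the addresses 192.168.1.0/24, 192.168.1.50 (vendor PC) and 203.0.113.10 (vendor's SSH host) are constructed placeholders, and `inside_outbound` is the ACL name used in the replies.

```cisco
! Constructed example addresses: 192.168.1.50 is the vendor PC, 203.0.113.10 the
! vendor's SSH host. Neither value comes from this thread.
!
! 1. NAT: without a matching nat/global pair the inside host gets no translation
!    and never makes it past the PIX, whatever the ACL says.
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface
!
! 2. Outbound ACL: only needed when outbound traffic is to be restricted.
!    Port 22 (SSH) is what the vendor actually uses; telnet to 23 is just the test.
access-list inside_outbound permit tcp host 192.168.1.50 host 203.0.113.10 eq 22
!
! 3. Binding an ACL to the inside interface replaces the PIX default of
!    "allow everything out" with an implicit deny for that interface, so every
!    other outbound flow the LAN relies on must now be permitted explicitly, e.g.:
access-list inside_outbound permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list inside_outbound permit udp 192.168.1.0 255.255.255.0 any eq 53
access-group inside_outbound in interface inside
!
! Verification from the enable prompt:
! show access-list inside_outbound   - per-line hit counts show whether the flow matches
! show xlate                         - confirms a translation was built for 192.168.1.50
! show local-host 192.168.1.50       - per-host connection and translation state
```

None of this helps if the client's default gateway points at a proxy rather than at the PIX; traffic that never reaches the firewall cannot be matched by its ACLs or translations, so a zero hit count on the ACL line together with no xlate entry for the host is a hint to check the client's routing first.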

 
Thanks for all the help with this one but I figured out what the problem was. Actually it had nothing to do with the PIX config but rather the gateway setting on the PC (and all the other PC's).

See, we use a proxy server that runs an internet content filter on it and I usually set the client machines' gateway to the IP of the proxy. If I don't do that then it becomes very simple for them to bypass the proxy and reach all the wonderful sites that the net has to offer.

Setting the vendor PC's gateway to the PIX IP (this should be the correct setting) enabled the PC to SSH out to the net just fine.

That also explains why my machine was able to telnet or SSH out, since I have my work PC set up to use the gateway of the PIX, since I have to bypass the proxy quite often. There were never any exceptions in the config for my machine but rather, by having the PIX gateway, I was able to do my thing. DUH...

I am really sorry about tying you up on this one but thanks again for all the help.

BTW, thanks for the show commands, when I ran the “show local” it alerted me to a couple of issues that I was not aware of and I was able to correct some configs on some client machines. Thanks again.

Pointer.
 