Telnet Problems

[wdelaney]

I have a PIX 506 and I need to let someone telnet through to a servers port 23. There are two access list already in the PIX neither allows for telnet 23 to the server that I can see. Do I need to modify the access list? What would the command line look like?

Any help is appreciated.

Will

 

[KiscoKid]

Command structure on the PIX is:

access-list acl_outside permit tcp any a.b.c.d eq 23

where acl_outside is the acl applied to the outside interface (you can verify with the 'show access-group' command)

and

a.b.c.d is the real IP address of the internal host you want to allow telnet access to.

Note you will need to setup NAT for this to work also. Such as:

static (inside, outside) a.b.c.d a.b.c.d 255.255.255.255

This maps the inside server's IP address to itself.

 

[wdelaney]

I added the ACL but still cannot telnet. Attached is a sample of the PIX configuration..(66.0.0.0 represents my public Ip address) Please Help!

no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list vpnacl permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit gre any any
access-list 101 permit tcp any host 66.0.0.0 eq ftp
access-list 101 permit tcp any host 66.0.0.0 eq ftp-data
access-list 101 permit tcp any host 66.0.0.0 eq www
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 192.168.1.10 eq telnet
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 66.0.0.0 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.29-192.168.1.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 0 access-list vpnacl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.1.11 ftp netmask 255.255.255.2
55 0 0
static (inside,outside) tcp interface

http://www 192.168.1.35

http://www netmask

255.255.255.2
55 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.0.0.0 1

 

[KiscoKid]

You still need to NAT the telnet host (192.168.1.10) to something on the outside interface.

I see you've deployed port forwarding, so you could also add to your port forwarding rules as such:

static (inside,outside) tcp interface 23 192.168.1.10 23 netmask 255.255.255.255 0 0

Thus anyone telnetting to the outside int of the PIX 66.x.x.x (shouldnt affect management traffic as ppl should be using ssh anyway) should get redirected to 192.168.1.10

 

[wdelaney]

Thank you for your help KiscoKid! Based on my config which way would you go Nat or port forwarding?

 

[KiscoKid]

Depends. If you only have one public IP, port forwarding seems the way forward. If you have multiple public IPs available, you could use static NAT instead such as follows:

static (inside,outside) 66.0.0.2 192.168.1.10 netmask 255.255.255.255 0 0

 

[wdelaney]

Ok, You da man!
I am able to telnet in via the VPN using the inside address. The question is how to make this happen without using the VPN tunnel! Would you please take a look at the current config and tell me what I am missing. I need to be able to telnet in with out a vpn connection. Is that possible or to risky?

Thanks Again,


access-list vpnacl permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit gre any any
access-list 101 permit tcp any host 66.0.0.0 eq ftp
access-list 101 permit tcp any host 66.0.0.0 eq ftp-data
access-list 101 permit tcp any host 66.0.0.0 eq www
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 192.168.1.10 eq telnet
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 66.0.0.0 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.29-192.168.1.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 0 access-list vpnacl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.2
55 0 0
static (inside,outside) tcp interface

http://www 192.168.1.35

http://www netmask

255.255.255.2
55 0 0
static (inside,outside) tcp interface telnet 192.168.1.10 telnet netmask 255.255
.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.0.0.0. 1