
PIX 515E open telnet from outside to inside server

I have a PIX 515E firewall

ip address assigned to inside interface is 192.168.10.40 255.255.255.0
ip address assigned to outside interface is 214.214.214.215 255.255.255.240
the telnet server on the inside is 192.168.10.46
router addr of isp is 214.214.214.214
inside router is 192.168.10.1

what i need is the full configuration for me to be able to telnet to 192.168.10.46 from outside


thanks
Asked by dr1fter

2 Solutions
grblades commented:
Hi dr1fter,
I will be happy to give you the commands to configure it however first I suggest that you use ssh instead as it is far more secure. There is a free windows ssh client called 'putty' and it comes as standard on Linux systems.
lrmoore commented:
Agree that SSH would be more secure, but since that's not what you asked...
/-- first create a static port redirect (the mapped outside address comes first, then the real inside address)
   static (inside,outside) tcp 214.214.214.215 23 192.168.10.46 23 netmask 255.255.255.255

/-- next create an access-list entry to permit the traffic
   access-list outside_access_in permit tcp any host 214.214.214.215 eq 23

/-- always re-apply the acl any time you change anything
   access-group outside_access_in in interface outside

Done
dr1fter (author) commented:
Still not working. This is the configuration I have.
I can't even ping from the PIX to the internet gateway.
What do you think I am doing wrong?

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100basetx
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ****** encrypted
passwd ****** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
names
access-list acl_out permit icmp any any
access-list outside_access_in permit tcp any host 214.214.214.215 eq telnet
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 214.214.214.215 255.255.255.240
ip address inside 192.168.10.40 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 214.214.214.208 255.255.255.240 0 0
static (inside,outside) tcp 214.214.214.215 telnet 192.168.10.46 telnet netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 214.214.214.214 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
lrmoore commented:
You have to add your global, and change your nat:
  no nat (inside) 0 214.214.214.208 255.255.255.240 0 0
  global (outside) 1 interface
  nat (inside) 1 0 0 0
dr1fter (author) commented:
Doesn't work even when I removed the nat and added global and nat like you said.
Something else is wrong; I can't even ping outside.

What might be the problem?
lrmoore commented:
Add this to permit icmp:
   access-list outside_access_in permit icmp any any
dr1fter (author) commented:
Still can't. This is the latest configuration.
With this I can't even ping outside; I tried a ping to my outside router and got no response.
Please help.

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ****** encrypted
passwd ****** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
pager lines 24
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 214.214.214.215 255.255.255.240
ip address inside 192.168.10.40 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0  214.214.214.214 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
lrmoore commented:
>214.214.214.214
Are these addresses just placeholders for the 'real' public IPs, or are these the actual IPs, used in a test lab?

You have the access-list:
  >access-list acl_out permit icmp any any

You just need to apply it to the interface:
   access-group acl_out in interface outside

dr1fter (author) commented:
Yeah, those are just placeholders.

I did that, but still can't ping.
lrmoore commented:
Can you post the result of "show interface"?
>interface ethernet0 10full
Is 10/full the proper setting?
dr1fter (author) commented:
Did that too, still no luck.
jjoseph_x commented:
If your next hop router permits ICMP, from the PIX you should try:

ping outside <address_of_router>

Actually, you could also try: ping outside 64.233.167.99 (which is www.google.com) and see if that gives you a response. That will make you attempt a ping using the outside (public) interface of the PIX (bypassing any potential problems with NATing), so as long as the router is set correctly (along with the outside interface having the right IP and subnet mask), that SHOULD work.

Also, and I know that this is silly, check to make sure that the LED for the outside interface is lit up on the PIX (if not you might have a problem with the cable).

If the pinging doesn't work, either you've got a router problem or an addressing problem, or a problem with your PIX.

You can find out if it's a problem with the PIX by unplugging the outside interface, and plugging a host (any old computer would do) in its place and setting up its network card with the router settings and outside interface config (address + subnet) that you have for the PIX. Then try pinging 64.233.167.99 and the router and see what that gives you.

If the pings fail, then you've narrowed the problem down to your router or to your IP address/subnet (in either case you'd need to speak with your ISP). If the pings work, then something might be physically wrong with the PIX (since from what you showed, it doesn't list the outside interface as being in shutdown).

If you want to test the PIX, plug the outside interface into a hub or a switch and give it a local (private) IP address/subnet. Then plug another host into the hub or switch and try to ping the outside interface on the PIX.

I hope that was helpful.

dr1fter (author) commented:
Okay, got it to ping outside.
You were right, it was the cable.
Now back to the original task of telnet to a host inside from the outside. This is what I have done, but it says connect failed.


PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ****** encrypted
passwd ****** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
names
access-list outside_access_in permit tcp any host 214.214.214.215 eq telnet
access-list outside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 214.214.214.215 255.255.255.240
ip address inside 192.168.10.40 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 214.214.214.215 telnet 192.168.10.46 telnet netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 214.214.214.214 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
jjoseph_x commented:
Hmmm.

Do you have only one public IP address or do you have a few of them? I could be (and probably am) wrong, but I think that I remember something about the PIXes not permitting telnet on the IP of the outside interface (for instance I couldn't use a telnet 0.0.0.0 0.0.0.0 outside command).

If you have another IP (like 214.214.214.216), try using that for your access list and static NAT.

So the access-list would be:
access-list outside_access_in permit tcp any host 214.214.214.216 eq telnet

And for the static, you don't need to specify the 'tcp' nor the ports unless you want to do a port translation... so it'd look like this:

static (inside,outside) 214.214.214.216 192.168.10.46 netmask 255.255.255.255 0 0

Give that a shot and see what happens.

dr1fter (author) commented:
Still can't telnet to the server inside, 192.168.10.46.
I read in some post that I have to have the telnet server's gateway set to the PIX.
Do I have to?


access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 214.214.214.216 eq telnet
ip address outside 214.214.214.215 255.255.255.240
ip address inside 192.168.10.40 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 214.214.214.216 192.168.10.46 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 214.214.214.214 1
lrmoore commented:
> i have to have the telnet servers gateway given as the pix
> do i have to?
Absolutely! Your server's default gateway must be set to the PIX inside IP.
jjoseph_x commented:
Actually, the telnet server's default gateway doesn't have to be the PIX (as long as it's on the same subnet as the PIX's inside interface and doesn't have any funky routing tables that make it unable to communicate with the PIX).

The default gateway is only used when a host can't find a route to another host (when they're on different subnets and no other routes exist).

Still, give lrmoore's suggestion a shot and see what happens. If that doesn't work, then maybe you should change the access-list to connect to a different machine via another port (like HTTP) to see if it's just a problem connecting to that one telnet server or if none of the static NATs work at all.

BTW, how are you testing the telnet connection? From a host on the internet outside of the firewall?

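Added example, not code from this thread or from Cisco: a small Python checker that applies the rules the answers above keep coming back to. The ACL named in an access-group must exist; a nat id above 0 needs a global with the same id; a nat 0 statement must name addresses that are actually behind that interface (the thread's first config listed the public /28 there); a static lists the mapped address before the real one, and each must sit on its own interface's subnet; and the ACL applied inbound on the outside interface must permit traffic to the mapped address and port. It understands only those PIX 6.x statements, models ACL sources and destinations only as 'any' or 'host X', and the two sample snippets are constructed (using the same placeholder addresses the thread uses).

```python
# Added example (not from the thread or Cisco): lint the PIX 6.x NAT/ACL statements this thread uses.
import ipaddress

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "http": 80, "smtp": 25}  # subset of PIX service names


def port_number(token):
    return PORT_NAMES.get(token) or int(token)


def parse_static(words):
    """static (real,mapped) [tcp|udp] MAPPED [mport] REAL [rport] netmask ... (mapped side comes first)."""
    real_ifc, mapped_ifc = words[1].strip("()").split(",")
    body = words[2:words.index("netmask")]
    if body[0] in ("tcp", "udp"):  # port static
        proto, mapped, mport, real = body[0], body[1], port_number(body[2]), body[3]
    else:  # one-to-one static: no protocol, no ports
        proto, mapped, mport, real = None, body[0], None, body[1]
    return {"real_ifc": real_ifc, "mapped_ifc": mapped_ifc, "proto": proto, "mapped": mapped, "mport": mport, "real": real}


def parse_pix(config):
    cfg = {"ip": {}, "acl": {}, "access_group": {}, "static": [], "nat": [], "global": []}
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:2] == ["ip", "address"]:  # ip address <ifc> <addr> <mask>
            cfg["ip"][w[2]] = ipaddress.ip_interface(f"{w[3]}/{w[4]}")
        elif w[0] == "access-list":  # access-list <name> permit|deny <proto> <src> <dst> [eq <port>]
            cfg["acl"].setdefault(w[1], []).append(w[2:])
        elif w[0] == "access-group":  # access-group <name> in interface <ifc>
            cfg["access_group"][w[4]] = w[1]
        elif w[0] == "static":
            cfg["static"].append(parse_static(w))
        elif w[0] == "nat":  # nat (<ifc>) <id> <addr> <mask> ...; "0 0" is shorthand for 0.0.0.0 0.0.0.0
            addr, mask = ["0.0.0.0" if t == "0" else t for t in w[3:5]]
            cfg["nat"].append({"ifc": w[1].strip("()"), "id": int(w[2]), "net": ipaddress.ip_network(f"{addr}/{mask}", strict=False)})
        elif w[0] == "global":  # global (<ifc>) <id> interface|<pool>
            cfg["global"].append({"ifc": w[1].strip("()"), "id": int(w[2])})
    return cfg


def acl_permits(entries, proto, dest_ip, dest_port):
    """Coarse matcher: does some entry permit proto to dest_ip (and dest_port, when given)?"""
    for e in entries:  # e.g. ['permit', 'tcp', 'any', 'host', '1.2.3.4', 'eq', 'telnet']
        if e[0] != "permit" or e[1] not in (proto, "ip"):
            continue
        rest = e[3:] if e[2] == "any" else e[4:]  # skip the source: 'any', 'host X' or 'ADDR MASK'
        if rest[0] == "any":
            dst_ok, rest = True, rest[1:]
        elif rest[0] == "host":
            dst_ok, rest = rest[1] == dest_ip, rest[2:]
        else:  # subnet destinations are not modelled here
            dst_ok = False
        port_ok = dest_port is None or not rest or (rest[0] == "eq" and port_number(rest[1]) == dest_port)
        if dst_ok and port_ok:
            return True
    return False


def lint(config):
    cfg, out = parse_pix(config), []  # an empty list means the snippet is self-consistent
    for ifc, acl in cfg["access_group"].items():  # the ACL named in access-group must exist
        if acl not in cfg["acl"]:
            out.append(f"access-group on '{ifc}' names undefined ACL '{acl}'")
    global_ids = {g["id"] for g in cfg["global"]}
    for n in cfg["nat"]:  # nat N>0 needs global N; nat addresses must sit behind that interface
        if n["id"] > 0 and n["id"] not in global_ids:
            out.append(f"nat ({n['ifc']}) {n['id']} has no matching global")
        local = cfg["ip"].get(n["ifc"])
        if local is not None and n["net"].prefixlen and not n["net"].overlaps(local.network):
            out.append(f"nat ({n['ifc']}) {n['id']} covers {n['net']}, which is not behind '{n['ifc']}'")
    for s in cfg["static"]:  # real side on real interface, mapped side on mapped interface, ACL opens it
        real_if, mapped_if = cfg["ip"].get(s["real_ifc"]), cfg["ip"].get(s["mapped_ifc"])
        if real_if is not None and ipaddress.ip_address(s["real"]) not in real_if.network:
            out.append(f"static real address {s['real']} is not on '{s['real_ifc']}'")
        if mapped_if is not None and ipaddress.ip_address(s["mapped"]) not in mapped_if.network:
            out.append(f"static mapped address {s['mapped']} is not in the '{s['mapped_ifc']}' subnet")
        entries = cfg["acl"].get(cfg["access_group"].get(s["mapped_ifc"]), [])
        if not acl_permits(entries, s["proto"] or "tcp", s["mapped"], s["mport"]):
            out.append(f"no permit applied on '{s['mapped_ifc']}' for {s['proto'] or 'tcp'} to {s['mapped']}")
    return out


# Constructed samples: BROKEN has deliberate mistakes, WORKING is the statement set the thread ends with.
BROKEN = """
ip address outside 214.214.214.215 255.255.255.240
ip address inside 192.168.10.40 255.255.255.0
nat (inside) 0 214.214.214.208 255.255.255.240 0 0
static (inside,outside) tcp 192.168.10.46 23 214.214.214.215 23 netmask 255.255.255.255
access-list ouside_access_in permit tcp any host 214.214.214.215 eq 23
access-group outside_access_in in interface outisde
"""
WORKING = """
ip address outside 214.214.214.215 255.255.255.240
ip address inside 192.168.10.40 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 214.214.214.216 192.168.10.46 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 214.214.214.216 eq telnet
access-group outside_access_in in interface outside
"""

RESULTS = {"broken": lint(BROKEN), "working": lint(WORKING)}  # BROKEN yields 5 findings, WORKING none
```

The full configurations pasted in the thread can be fed to lint() unchanged, since lines it does not recognise are ignored; on the first one posted it reports only the nat (inside) 0 statement covering the public /28, which is the change lrmoore asked for.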