Trying to understand TELNET command

telnet 0 0 inside
telnet 192.168.3.0 255.255.255.0
telnet 192.168.3.25 255.255.255.255
The first command will allow telnet from any host... the second command will allow telnet
from that subnet... the third command will allow telnet only from that specific host from inside my network...
Am I correct in my assumption?
Now what command will enable (allow) telnet to the PIX's outside interface (I understand it is not the ideal setup)? Let's assume the public IP for the outside interface is 200.200.200.201.
If I have an Exchange server inside the firewall and for troubleshooting I had to allow telnet
into the Exchange server, do I need to configure an ACL and static for the Exchange IP address?

I need to learn PIX like it was yesterday and will have to ask a few questions, so I will keep
them simple. I appreciate your help.
Vahik asked:

decoleur commented:
you wrote:

telnet 0 0 inside
telnet 192.168.3.0 255.255.255.0
telnet 192.168.3.25 255.255.255.255
the first command will allow telnet from any host...the second command will allow telnet
from that subnet....the third command will allow telnet only from that specific host from inside my network...
Am i correct in my assumption?

No, you almost got one out of three.
The format should be:
command IP mask interface
for any inside try:

telnet 0.0.0.0 0.0.0.0 inside

from http://www.netcraftsmen.net/welcher/papers/pix02.html
If you wish to allow telnet to the PIX, you need to configure which hosts are allowed in. To allow a single host to telnet in via the inside interface:

    telnet 10.1.1.100 255.255.255.255 inside

To allow any station on subnet 10.1.1.0 /24 to telnet in via the inside interface:

    telnet 10.1.1.0 255.255.255.0 inside

If you have a host on the management segment that is allowed to telnet to the PIX, you might also want:

    telnet 10.2.2.100 255.255.255.255 management

If you have a device that you want to telnet into your outside interface that had the IP address 12.200.100.3, you might try:

    telnet 12.200.100.3 255.255.255.255 outside

To allow someone to telnet to your Exchange server you just need to open up an ACL on the public IP that is translated to your Exchange server. There are many ways that you can configure this; you should look at the sample config for setting up a single network from http://www.cisco.com/warp/public/110/single-net.shtml and add telnet to the ACL:

    access-list 100 permit tcp any host 204.69.198.4 eq telnet

also check out the pix configuration examples at cisco: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

HTH

-t
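To pin down what the `command IP mask interface` form in the reply above admits, here is an added Python checker (not from the thread, Cisco or netcraftsmen) that parses `telnet` lines, answers whether a source host arriving on a given interface matches any rule, and flags any-host masks and telnet admitted on the outside interface. It assumes a bare `0` is shorthand for `0.0.0.0`, refuses a line with no interface name, and uses a constructed sample config in which 12.200.100.3 is the reply's own example host.

```python
import ipaddress
from typing import List, NamedTuple

class TelnetRule(NamedTuple):
    network: ipaddress.IPv4Network  # hosts selected by IP + mask
    interface: str                  # interface the session must arrive on

def parse_telnet_rules(config: str) -> List[TelnetRule]:
    """Parse `telnet IP MASK INTERFACE` lines; other config lines are ignored."""
    rules = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0] != "telnet":
            continue
        if len(parts) != 4:  # the form given in the reply: command IP mask interface
            raise ValueError(f"line {lineno}: expected 'telnet IP MASK INTERFACE': {raw.strip()!r}")
        # Assumption: a bare 0 (as in `telnet 0 0 inside`) is shorthand for 0.0.0.0
        ip, mask = ("0.0.0.0" if t == "0" else t for t in parts[1:3])
        try:
            net = ipaddress.IPv4Network((ip, mask), strict=False)
        except ValueError as exc:  # wrong octet count, trailing dot, non-contiguous mask
            raise ValueError(f"line {lineno}: {exc}") from exc
        rules.append(TelnetRule(net, parts[3]))
    return rules

def telnet_allowed(rules: List[TelnetRule], src_ip: str, interface: str) -> bool:
    """True when a session from src_ip arriving on `interface` matches some rule."""
    src = ipaddress.IPv4Address(src_ip)
    return any(src in r.network and r.interface == interface for r in rules)

def risky_rules(rules: List[TelnetRule]) -> List[str]:
    """Flag any-host rules and plaintext telnet admitted on the outside interface."""
    findings = []
    for r in rules:
        if r.network.prefixlen == 0:
            findings.append(f"{r.interface}: any host may telnet to the PIX")
        if r.interface == "outside":
            findings.append(f"outside: telnet from {r.network} is unencrypted; prefer ssh")
    return findings

# Constructed sample config (not from the thread); 12.200.100.3 is the reply's example host
SAMPLE_CONFIG = """\
hostname pix-example
telnet 192.168.3.0 255.255.255.0 inside
telnet 10.2.2.100 255.255.255.255 management
telnet 12.200.100.3 255.255.255.255 outside
"""
```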
Vahik (author) commented:
decoleur, thanks for your response. If I understand you correctly, by mentioning INSIDE, DMZ
or MANAGEMENT we are specifying the direction that TELNET is coming from, and it has
nothing to do with INSIDE or OUTSIDE interfaces... and if you omit interface_name,
TELNET will be allowed to the PIX from anywhere inside your network.

Now the reason I asked for clarification regarding TELNET to the PIX's OUTSIDE interface from outside was that I read it was not possible to TELNET in to your PIX's outside interface from outside? And if so, how can I TELNET in to my Exchange server if I only had one static IP assigned to me by my ISP? Even if I were to use an ACL...
I am confused, but I hope I do not confuse you...
decoleur commented:
Learn something new: in my example INSIDE, DMZ, and MANAGEMENT are all interface names.

I am still not quite sure, but my thinking is that if it works when you leave off the interface name you will apply the access to all interfaces with a security level of 100.

just because you are not able to telnet to the pix, does not mean that you cannot telnet through the pix.

If you only have one static IP address you must do a combination of NAT or PAT and a static translation.

Look at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

Stay away from conduits, as they are being deprecated.

HTH

-t


nodisco commented:
Vahik
You can use telnet to the outside address of a PIX, but it requires IPsec to be set up to protect it. Generally people will use ssh to connect to the outside interface:
ssh x.x.x.x 255.255.255.255 outside
(where x.x.x.x is the public IP address of the client you wish to allow in)

If you have just one static IP and are using PAT, you need to use port redirection to accomplish telnet to the Exchange server.

To check if you are using PAT - look for the line
global (outside) 1 interface
#the number 1 may be different - it will match the inside nat pool

If you are using PAT, enter the command:
static (inside, outside) tcp interface telnet [inside ip address of exchange server] telnet netmask 255.255.255.255 0 0
#This will redirect telnet attempts to your PIX outside address (the interface) to the inside ip address of the exchange server.

clear xlate
#clears static translation table

access-list 101 permit tcp any host [PIX outside ip address] eq telnet
#Creates access list to allow telnet to the PIX

access-group 101 in interface outside
#Applies it to the outside interface

Hope this helps
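The PAT port-redirect recipe above only works when the `static`, `access-list` and `access-group` lines agree with each other. As an added example (not nodisco's code or Cisco's), this Python checker parses those three line types from a config and reports whether inbound telnet to the outside address would actually be redirected to an inside host, so a missing piece shows up before anyone tests from the Internet. The `nat` line and the inside address 192.168.3.10 are constructed; 200.200.200.201 is the asker's assumed outside address.

```python
import re
from typing import Dict

PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80}  # PIX service keywords used here

def _port(token: str) -> int:
    """Resolve a numeric port or a known keyword; unknown keywords never match."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token, -1)

def trace_inbound(config: str, outside_ip: str, service: str = "telnet") -> Dict[str, object]:
    """Find the three pieces a PAT'd inbound service needs: an ACL bound inbound on
    outside, a permit for the service to the outside address, and a static port
    redirect sending that port to an inside host."""
    want = _port(service)
    # normalise "(inside, outside)" to "(inside,outside)" so it splits as one token
    lines = [re.sub(r",\s+", ",", l).split() for l in config.splitlines() if l.strip()]
    found: Dict[str, object] = {"acl": None, "permitted": False, "inside_host": None}
    for p in lines:  # access-group <acl> in interface outside
        if p[0] == "access-group" and p[2:] == ["in", "interface", "outside"]:
            found["acl"] = p[1]
    for p in lines:  # access-list <acl> permit tcp any host <outside ip> eq <port>
        if (len(p) == 9 and p[0] == "access-list" and p[1] == found["acl"]
                and p[2:5] == ["permit", "tcp", "any"] and p[5:7] == ["host", outside_ip]
                and p[7] == "eq" and _port(p[8]) == want):
            found["permitted"] = True
    for p in lines:  # static (inside,outside) tcp interface <port> <inside ip> <port> netmask ...
        if (len(p) >= 7 and p[0] == "static" and p[1] == "(inside,outside)"
                and p[2:4] == ["tcp", "interface"] and _port(p[4]) == want):
            found["inside_host"] = p[5]
    return found

def inbound_reaches(found: Dict[str, object]) -> bool:
    """True only when ACL binding, permit and static redirect are all present."""
    return bool(found["acl"] and found["permitted"] and found["inside_host"])

# Constructed sample config; 192.168.3.10 is a made-up Exchange server address
SAMPLE_PAT_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside, outside) tcp interface telnet 192.168.3.10 telnet netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 200.200.200.201 eq telnet
access-group 101 in interface outside
"""
```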
nodisco commented:
PS: as per decoleur, avoid conduits... no longer supported after 6.3(4).

Vahik (author) commented:
Thanks folks... appreciate your help.