
Blocking telnet on open ports through Cisco ASA firewall

Meru_IT
Hi, I have a Cisco ASA 5520 firewall and I have opened some TCP ports on it so that clients can connect to some internal servers on these ports. Now I would not want telnet on these open ports to work from outside. For example, if someone wants to telnet to port 80 of my web server's public IP from the Internet, it should not connect, but I should be able to browse my website from outside using a standard browser.
Please note, I have mentioned port 80 as an example. There are also non-standard ports (>2048) which are open for outside-to-inside traffic on some servers, and I want only the client applications to connect on these ports.

Thanks...
Commented:
You can't do this by design. If you have opened a port for TCP, then a telnet to that port will open a connection, and only the daemon that serves this connection can detect that a real client has not connected and disconnect it.

Top Expert 2009

Commented:
By the way, you aren't actually "telnetting" to the device. You are simply doing a TCP handshake on port 80 (for example) with the server. The exact same thing that happens when you browse to it. There is no harm, or any way to differentiate the two methods.

Author

Commented:
Thanks guys. Just want to know out of curiosity - can a firewall or UTM with an Application Control feature block telnet as a program? Cisco, I know, doesn't support that, whereas a lot of UTM boxes do.

Thanks again...
Top Expert 2009
Commented:
Any basic firewall can block Telnet (port 23). Remember, when you "telnet to a port", you are doing nothing more than a 3-way TCP handshake with the server on the specified port.
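
An added example, not code from this thread: a tiny Python daemon illustrating the answers above. The ASA sees the same three-way handshake whether the peer is telnet or a browser, so the only place a "not a real client" decision can be made is the daemon itself, which here drops a peer that sends nothing within a short idle timeout or whose first line is not an HTTP request line. The loopback port, idle timeout and probe payloads are constructed values.

```python
import socket
import threading

# Constructed demo, not code from the thread: the firewall sees the same TCP handshake
# from telnet and from a browser, so only the daemon behind the port can notice a peer
# that is not a real client. The idle timeout value is an assumption.
IDLE_TIMEOUT = 0.5

def handle_client(conn: socket.socket) -> str:
    # Serve one accepted connection and return the daemon's decision.
    conn.settimeout(IDLE_TIMEOUT)
    try:
        data = conn.recv(1024)
    except socket.timeout:  # connected but never spoke: a bare "telnet"
        conn.close()
        return "dropped: no request within timeout"
    # Accept only 'METHOD SP /target SP HTTP/1.x' as the first line.
    p = data.split(b"\n", 1)[0].strip().split(b" ")
    if not (len(p) == 3 and p[0].isalpha() and p[1].startswith(b"/")
            and p[2] in (b"HTTP/1.0", b"HTTP/1.1")):
        conn.close()
        return "dropped: not an HTTP request line"
    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
    conn.close()
    return "served"

def probe(port: int, payload: bytes) -> bytes:
    # Connect as 'telnet host port' would, send payload, read reply (b"" = daemon hung up).
    with socket.create_connection(("127.0.0.1", port), timeout=3) as s:
        s.sendall(payload)
        return s.recv(4096)

def run_demo() -> dict:
    # Serve three connections on an ephemeral loopback port and report what happened.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port, decisions = srv.getsockname()[1], []
    def serve():
        for _ in range(3):
            conn, _ = srv.accept()
            decisions.append(handle_client(conn))
        srv.close()
    t = threading.Thread(target=serve, daemon=True)
    t.start()
    replies = {"telnet_idle": probe(port, b""),
               "telnet_junk": probe(port, b"hello\r\n"),
               "browser": probe(port, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")}
    t.join()
    return {"decisions": decisions, "replies": replies}
```

All three probes complete the handshake identically; only the daemon's reply differs, which is the same reason an ACL on the ASA cannot separate them.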

Author

Commented:
The posted question is answered appropriately