• Status: Solved

cannot telnet outside to ASA

I cannot telnet by IP to the outside interface of the ASA, but inside hosts (10.12.2.X) can telnet to the inside interface.

Notes:
1- when I ping to there is a reply
2- I used this command: crypto key generate rsa, but it still does not work :-S
3- this config contains all the config just about Telnet

 ASA5520# wr t
: Saved
ASA Version 8.0(4)
hostname ASA5520
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address

interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_acl extended permit ip any log
access-list outside_acl extended permit ip any any
access-list outside_acl extended permit ah any any
access-list outside_acl extended permit esp any any
access-list outside_acl extended permit gre any any
access-list 100 remark ****** link to ASA mater *******
access-list 100 extended permit ip
access-list 100 extended permit icmp
access-list 100 extended permit ip host
access-list 100 extended permit icmp host
access-list nonat remark ****** NAT ACL *******
access-list nonat extended permit ip
access-list nonat extended permit ip

pager lines 24
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu management 1500

no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any dmz
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1

access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
access-group inside_acl in interface inside
route outside 1
route outside 1

aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL

crypto isakmp nat-traversal 60
telnet inside
telnet inside
telnet inside
telnet outside
telnet management
telnet timeout 5
ssh inside
ssh inside
ssh inside
ssh outside
ssh management
ssh timeout 5
console timeout 0

username admin password eY/fQXw7Ure8Qrz7 encrypted

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect icmp
service-policy global_policy global
prompt hostname context
: end
2 Solutions
Jimmy Larsson, CISSP, CEH, Network and Security consultant Commented:
It is by design. You cannot telnet to the firewall interface facing internet. You need to use SSH or VPN.

metaprov (Author) Commented:
But I used SSH version 1 and 2; I cannot from outside :-S

As of right now you can only SSH to the outside interface from the host at

Also you need to generate a new general-use key. You can do this from config mode by entering the following command.

crypto key generate rsa general-keys modulus 1024
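
Added example (not part of the original thread or of either answer): a small Python audit that reads an ASA running-config and flags the management-access rules discussed above, namely `telnet` on the lowest security-level interface, which the ASA does not accept unless it arrives through a VPN tunnel, plus cleartext and wide-open rules. The sample config is constructed with documentation addresses, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the posted config; addresses are documentation ranges.
SAMPLE = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
telnet 10.12.2.0 255.255.255.0 inside
telnet 198.51.100.7 255.255.255.255 outside
ssh 198.51.100.7 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
"""

def security_levels(config):
    """Map each nameif to its security-level, read from the interface stanzas."""
    levels, name = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            name = None  # a top-level line ends the previous interface stanza
        elif m := re.match(r" +nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r" +security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
    return levels

def audit_mgmt_access(config):
    """Return (severity, rule, reason) for each risky telnet/ssh management rule."""
    levels = security_levels(config)
    lowest = min(levels, key=levels.get) if levels else None
    findings = []
    for line in config.splitlines():
        # Only "<proto> <addr> <mask> <ifname>" rules; "telnet timeout 5" is skipped.
        m = re.fullmatch(r"(telnet|ssh) (\S+) (\S+) (\S+)", line.strip())
        if not m:
            continue
        proto, addr, mask, ifname = m.groups()
        if proto == "telnet" and ifname == lowest:
            why = "telnet refused on lowest security-level interface unless inside a VPN"
            findings.append(("error", m.group(0), why))
        elif proto == "telnet":
            findings.append(("warn", m.group(0), "telnet is cleartext; use ssh"))
        elif ifname == lowest and (addr, mask) == ("0.0.0.0", "0.0.0.0"):
            findings.append(("warn", m.group(0), "ssh open to any source address"))
    return findings

if __name__ == "__main__":
    for finding in audit_mgmt_access(SAMPLE):
        print(*finding, sep=" | ")
```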

metaprov (Author) Commented:
thx solve
Jimmy Larsson, CISSP, CEH, Network and Security consultant Commented:
Why not award points to me and the other author's answer? In my opinion my comment that your problem to telnet to outside is by design is totally clear.

My suggestion: Award me 500 points or do a point split between me and mpickreign.

Not awarding points when experts take their valuable time to answer questions is imho not good behavior. Enough of this and experts like me won't care about answering questions here at EE.

Question has a verified solution.
