cannot telnet outside to ASA

I cannot telnet from IP 20.20.20.3 to 20.20.20.2 (the outside interface of the ASA), but inside hosts 10.12.2.X can telnet to 10.12.2.1 (the inside interface).

Notes:
1- When 20.20.20.3 pings 20.20.20.2 there is a reply.
2- I used this command, crypto key generate rsa, but it still does not work :-S
3- This config contains all the config just about Telnet.

 ASA5520# wr t
: Saved
:
ASA Version 8.0(4)
!
hostname ASA5520
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 20.20.20.2 255.255.255.0
!

!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.12.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown    
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_acl extended permit ip 10.12.2.0 255.255.255.0 any log
access-list outside_acl extended permit ip any any
access-list outside_acl extended permit ah any any
access-list outside_acl extended permit esp any any
access-list outside_acl extended permit gre any any
access-list 100 remark ****** link to ASA mater *******
access-list 100 extended permit ip 10.12.2.0 255.255.255.0 10.12.5.0 255.255.255.0
access-list 100 extended permit icmp 10.12.2.0 255.255.255.0 10.12.5.0 255.255.255.0
access-list 100 extended permit ip host 10.12.3.3 10.12.5.0 255.255.255.0
access-list 100 extended permit icmp host 10.12.3.3 10.12.5.0 255.255.255.0
access-list nonat remark ****** NAT ACL *******
access-list nonat extended permit ip 10.12.2.0 255.255.255.0 10.12.5.0 255.255.255.0
access-list nonat extended permit ip 10.12.2.0 255.255.255.0 10.12.3.0 255.255.255.0

pager lines 24
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu management 1500

no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any dmz
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.12.2.0 255.255.255.0

access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 20.20.20.1 1
route outside 80.79.144.11 255.255.255.255 20.20.20.1 1

aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL

 
crypto isakmp nat-traversal 60
telnet 10.12.2.0 255.255.255.0 inside
telnet 10.12.2.2 255.255.255.255 inside
telnet 10.12.2.3 255.255.255.255 inside
telnet 20.20.20.3 255.255.255.255 outside
telnet 192.168.1.2 255.255.255.255 management
telnet timeout 5
ssh 10.12.2.0 255.255.255.0 inside
ssh 10.12.2.2 255.255.255.255 inside
ssh 10.12.2.3 255.255.255.255 inside
ssh 20.20.20.3 255.255.255.255 outside
ssh 192.168.1.2 255.255.255.255 management
ssh timeout 5
console timeout 0

username admin password eY/fQXw7Ure8Qrz7 encrypted

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dfabc417a306218c13c696402c354191
: end
metaprov Asked:
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) Commented:
It is by design. You cannot telnet to the firewall interface facing internet. You need to use SSH or VPN.

/Kvistofta
0
 
metaprov (Author) Commented:
But I used SSH version 1 and 2 and I cannot connect from outside :-S
0
 
mpickreign Commented:
As of right now you can only SSH to the outside interface from the host at 20.20.20.3.

Also you need to generate a new general-use key. You can do this from config mode by entering the following command.

crypto key generate rsa general-keys modulus 1024

0
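An added example, not part of any post in this thread: a small Python audit of the `telnet`/`ssh` management-access lines from the posted config. It reports Telnet rules bound to the lowest-security interface (the case the first answer calls "by design", since the ASA only accepts Telnet there inside a VPN tunnel) and lists which sources may SSH to each interface. The function names and the trimmed sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: interface and management-access lines from the posted config.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
!
telnet 10.12.2.0 255.255.255.0 inside
telnet 20.20.20.3 255.255.255.255 outside
telnet timeout 5
ssh 10.12.2.0 255.255.255.0 inside
ssh 20.20.20.3 255.255.255.255 outside
"""

# Matches "<telnet|ssh> <address> <netmask> <nameif>"; timeout lines do not match.
RULE = re.compile(r"^(telnet|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")

def security_levels(config):
    """Map each nameif to its security-level, read from the interface stanzas."""
    levels, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None  # new stanza: forget the previous nameif
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels

def audit_mgmt_access(config):
    """Return (telnet rules on the lowest-security interface, SSH sources per interface)."""
    levels = security_levels(config)
    lowest = min(levels.values(), default=None)
    blocked, ssh_sources = [], {}
    for line in map(str.strip, config.splitlines()):
        m = RULE.match(line)
        if not m:
            continue
        proto, addr, mask, ifname = m.groups()
        if proto == "telnet" and ifname in levels and levels[ifname] == lowest:
            blocked.append(line)  # not honoured unless the session arrives over a VPN tunnel
        elif proto == "ssh":
            net = ipaddress.ip_network(f"{addr}/{mask}")
            ssh_sources.setdefault(ifname, []).append(str(net))
    return blocked, ssh_sources
```

Run against the sample, it flags only the `telnet ... outside` line and shows 20.20.20.3/32 as the single SSH source permitted on the outside interface.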
 
metaprov (Author) Commented:
Thanks, solved.
0
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) Commented:
Why not award points to me and the other author's answer? In my opinion my comment that your problem to telnet to outside is by design is totally clear.

My suggestion: Award me 500 points or do a point split between me and mpickreign.

Not awarding points when experts take their valuable time to answer questions is imho not good behavior. Enough of this and experts like me won't care about answering questions here at EE.

/Kvistofta
0
Question has a verified solution.
