telnet an asa from a lan2lan

marco_feramarco_fera Member Posts: 34 ■■□□□□□□□□
in CCNP Security
Hi, I have a lan2lan between my asa 5510 ver 8.3 and another device, see the attached scheme.
The other side would like to reach all my local lan via telnet from their PC-A. They can actually reach the devices inside the lan e.g. 192.168.1.1 and .2 but NOT the .10 that is the ASA itself. Note that I've added the line

telnet 192.168.2.0 255.255.255.0 outside

but nothing.
I wonder if this is a security feature or if I'm doing something wrong.
Thanks
Marco
· Share on FacebookShare on Twitter

Comments

  • powerfoolpowerfool Member Posts: 1,666 ■■■■■■■■□□
    Is telnet even enabled on your ASA? You shouldn't be running it, honestly. And yes, I believe that is part of how the ASA algorithm works... coming in one interface and trying to connect to another.
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro
    · Share on FacebookShare on Twitter
  • marco_feramarco_fera Member Posts: 34 ■■□□□□□□□□
    powerfool wrote: »
    Is telnet even enabled on your ASA? You shouldn't be running it, honestly.

    I agree, but this is the customer's wish :)

    powerfool wrote: »
    And yes, I believe that is part of how the ASA algorithm works... coming in one interface and trying to connect to another.

    You mean that it should be possible? or that it should not be permitted and I'm observing the normal behaviour?
    · Share on FacebookShare on Twitter
  • burbankmarcburbankmarc Member Posts: 460
    From what I understand is you cannot reach the inside interface from the outside, or the outside interface from the inside.
    · Share on FacebookShare on Twitter
  • powerfoolpowerfool Member Posts: 1,666 ■■■■■■■■□□
    burbankmarc wrote: »
    From what I understand is you cannot reach the inside interface from the outside, or the outside interface from the inside.

    Affirmative.
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro
    · Share on FacebookShare on Twitter
  • SteveO86SteveO86 Member Posts: 1,423
    Might need a specific ACL to allow that.. Since PC-A is on the untrusted side..

    But I would continue the argument with the customer, managing an ASA firewall in a insecure manner (from the untrusted side none-the-less) just contradicts the purpose of having the ASA if the credentials can be sniffed off the network in clear text..

    Putty is a free SSH client so I can't image any excuse why telnet should be used for any type of management.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
    · Share on FacebookShare on Twitter
  • millworxmillworx Member Posts: 290
    Hi Marco,

    On the ASA, telnet will never be reachable on the ASA via the outside. It was designed this way since telnet is not secured communication. The only thing that will work is SSH. or Telnet from the inside.

    use this instead.

    ssh 192.168.2.0 255.255.255.0 outside
    Currently Reading:
    CCIE: Network Security Principals and Practices
    CCIE: Routing and Switching Exam Certification Guide
    · Share on FacebookShare on Twitter
  • marco_feramarco_fera Member Posts: 34 ■■□□□□□□□□
    Solved! the command was

    management-access inside

    Thanks
    · Share on FacebookShare on Twitter
  • marco_feramarco_fera Member Posts: 34 ■■□□□□□□□□
    SteveO86 wrote: »

    But I would continue the argument with the customer, managing an ASA firewall in a insecure manner (from the untrusted side none-the-less) just contradicts the purpose of having the ASA if the credentials can be sniffed off the network in clear text..


    But a lan2lan is supposed to be a protected channel, if I use an unsecure telnet over a secure channel what's the risk?
    · Share on FacebookShare on Twitter
Sign In or Register to comment.