telnet an asa from a lan2lan

Hi, I have a lan2lan between my asa 5510 ver 8.3 and another device, see the attached scheme.
The other side would like to reach all my local lan via telnet from their PC-A. They can actually reach the devices inside the lan e.g. 192.168.1.1 and .2 but NOT the .10 that is the ASA itself. Note that I've added the line

telnet 192.168.2.0 255.255.255.0 outside

but nothing.
I wonder if this is a security feature or if I'm doing something wrong.
Thanks
Marco

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

powerfool

Is telnet even enabled on your ASA? You shouldn't be running it, honestly. And yes, I believe that is part of how the ASA algorithm works... coming in one interface and trying to connect to another.

marco_fera

powerfool wrote: »

Is telnet even enabled on your ASA? You shouldn't be running it, honestly.

I agree, but this is the customer's wish

powerfool wrote: »

And yes, I believe that is part of how the ASA algorithm works... coming in one interface and trying to connect to another.

You mean that it should be possible? or that it should not be permitted and I'm observing the normal behaviour?

burbankmarc

From what I understand is you cannot reach the inside interface from the outside, or the outside interface from the inside.

powerfool

burbankmarc wrote: »

From what I understand is you cannot reach the inside interface from the outside, or the outside interface from the inside.

Affirmative.

SteveO86

Might need a specific ACL to allow that.. Since PC-A is on the untrusted side..

But I would continue the argument with the customer, managing an ASA firewall in a insecure manner (from the untrusted side none-the-less) just contradicts the purpose of having the ASA if the credentials can be sniffed off the network in clear text..

Putty is a free SSH client so I can't image any excuse why telnet should be used for any type of management.

millworx

Hi Marco,

On the ASA, telnet will never be reachable on the ASA via the outside. It was designed this way since telnet is not secured communication. The only thing that will work is SSH. or Telnet from the inside.

use this instead.

ssh 192.168.2.0 255.255.255.0 outside

marco_fera

Solved! the command was

management-access inside

Thanks

marco_fera

SteveO86 wrote: »

But I would continue the argument with the customer, managing an ASA firewall in a insecure manner (from the untrusted side none-the-less) just contradicts the purpose of having the ASA if the credentials can be sniffed off the network in clear text..

But a lan2lan is supposed to be a protected channel, if I use an unsecure telnet over a secure channel what's the risk?