telnet an asa from a lan2lan

marco_fera Member Posts: 34
Hi, I have a lan2lan between my asa 5510 ver 8.3 and another device, see the attached scheme.
The other side would like to reach all my local lan via telnet from their PC-A. They can actually reach the devices inside the lan e.g. 192.168.1.1 and .2 but NOT the .10 that is the ASA itself. Note that I've added the line

telnet 192.168.2.0 255.255.255.0 outside

but nothing.
I wonder if this is a security feature or if I'm doing something wrong.
Thanks
Marco

Comments

  • powerfool Member Posts: 1,665
    Is telnet even enabled on your ASA? You shouldn't be running it, honestly. And yes, I believe that is part of how the ASA algorithm works... coming in one interface and trying to connect to another.
  • marco_fera Member Posts: 34
    powerfool wrote: »
    Is telnet even enabled on your ASA? You shouldn't be running it, honestly.

    I agree, but this is the customer's wish :)

    powerfool wrote: »
    And yes, I believe that is part of how the ASA algorithm works... coming in one interface and trying to connect to another.

    You mean that it should be possible? Or that it should not be permitted and I'm observing the normal behaviour?
  • burbankmarc Member Posts: 460
    From what I understand, you cannot reach the inside interface from the outside, or the outside interface from the inside.
  • powerfool Member Posts: 1,665
    From what I understand, you cannot reach the inside interface from the outside, or the outside interface from the inside.

    Affirmative.
  • SteveO86 Member Posts: 1,423
    Might need a specific ACL to allow that.. Since PC-A is on the untrusted side..

    But I would continue the argument with the customer, managing an ASA firewall in an insecure manner (from the untrusted side nonetheless) just contradicts the purpose of having the ASA if the credentials can be sniffed off the network in clear text..

    Putty is a free SSH client so I can't imagine any excuse why telnet should be used for any type of management.
  • millworx Member Posts: 290
    Hi Marco,

    On the ASA, telnet will never be reachable on the ASA via the outside. It was designed this way since telnet is not secured communication. The only thing that will work is SSH, or Telnet from the inside.

    Use this instead:

    ssh 192.168.2.0 255.255.255.0 outside
  • marco_fera Member Posts: 34
    Solved! The command was

    management-access inside

    Thanks
  • marco_fera Member Posts: 34
    SteveO86 wrote: »

    But I would continue the argument with the customer, managing an ASA firewall in an insecure manner (from the untrusted side nonetheless) just contradicts the purpose of having the ASA if the credentials can be sniffed off the network in clear text..


    But a lan2lan is supposed to be a protected channel, if I use an unsecure telnet over a secure channel what's the risk?
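
An added example (not from the thread's participants or from Cisco): a small Python check that reads the `telnet`, `ssh` and `management-access` lines discussed above and reports what applies to a peer subnet. It assumes that sessions arriving over the tunnel for the `management-access` interface are matched against rules naming that interface; the sample config and the function names are constructed.

```python
import ipaddress
import re

# Constructed sample: the three commands quoted in the thread, in one config.
SAMPLE_CONFIG = """\
telnet 192.168.2.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 inside
management-access inside
"""

RULE = re.compile(r"^(telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")
MGMT = re.compile(r"^management-access\s+(\S+)$")


def parse(config):
    """Return ([(protocol, network, interface)], management-access interface or None)."""
    rules, mgmt_if = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := MGMT.match(line):
            mgmt_if = m.group(1)
        elif m := RULE.match(line):
            proto, addr, mask, ifc = m.groups()
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:
                continue  # four-word ssh/telnet settings that are not access rules
            rules.append((proto, net, ifc))
    return rules, mgmt_if


def audit(config, remote_net):
    """Findings for management sessions arriving from remote_net (the tunnel peer's LAN)."""
    remote = ipaddress.ip_network(remote_net)
    rules, mgmt_if = parse(config)
    findings = []
    if mgmt_if is None:
        findings.append("no management-access interface set")
    for proto, net, ifc in rules:
        if not remote.subnet_of(net):
            continue  # rule does not cover the peer subnet
        if proto == "telnet":
            findings.append(f"telnet (cleartext) permitted from {net} on {ifc}")
        if mgmt_if is not None and ifc != mgmt_if:
            findings.append(f"{proto} rule for {net} names {ifc}, not {mgmt_if}")
    return findings
```
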