Cisco device access

oddyager

Diamond Member
May 21, 2005
Can you access a Cisco firewall's inside interface if you are coming from the outside interface? As it is now, admins within the inside network can access the inside i/f for management and remote admins connect to the outside i/f, but I want to cut down on the number of routes across our routers, and all the outside i/fs have their own network. If I can get everyone to connect via the inside i/f it would be great since these routes are already in place. Is this possible?

On the device access properties I tried adding the remote site's IP ranges to the Inside i/f but had no success in connecting in.
 

jlazzaro

Golden Member
May 6, 2004
What device is this? Telnet or SSH? Most devices disable telnet from the outside interface (even if it's configured) because of security implications.
 

oddyager

Diamond Member
May 21, 2005
PIX and ASA devices. And access could be either telnet, SSH or HTTP. The outside i/f is enabled, but only subnets defined in its ACL are permitted to access it. This is fine, but I want my remote admins to be able to connect in through to our inside i/f instead, if possible, without having to first connect to a device inside the LAN. I know by default Cisco doesn't allow this, but I thought I read somewhere you can.
 

nightowl

Golden Member
Oct 12, 2000
Which version of code are you running? In the newer versions, there are http, telnet, and ssh specific access-list commands.
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
Cisco does not permit, under any circumstance, connecting to the inside interface (i.e., management) via Telnet. It is a security risk.

You can set it up for SSH. On older devices / OS, the best you can do is SSH 1 (called 1.5 by Cisco) which is also not secure (better'n telnet, not nearly as good as SSH v2).

Good Luck

Scott
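The ssh/telnet/http access lines nightowl mentions, and the telnet-versus-SSH-version point Scott makes, can be audited from a saved running-config. The script below is an added example, not code from this thread or from Cisco; the config excerpt is constructed, and the "outside" interface name and the severity labels are assumptions.

```python
import ipaddress
import re

# Constructed sample of the relevant lines from an ASA/PIX running-config
# (not taken from any device in the thread); it mixes good and bad settings.
SAMPLE_CONFIG = """\
hostname asa-edge
ssh 10.1.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
telnet 10.1.5.0 255.255.255.0 inside
telnet 203.0.113.0 255.255.255.0 outside
http 10.1.5.0 255.255.255.0 inside
http 198.51.100.0 255.255.255.0 outside
"""

# ASA/PIX syntax: <ssh|telnet|http> <source-ip> <netmask> <interface-name>
_ACCESS_RE = re.compile(
    r"^(ssh|telnet|http)\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)$")


def audit_management_access(config, untrusted=("outside",)):
    """Return (severity, protocol, interface, reason) tuples for risky lines."""
    findings = []
    ssh_version = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ssh version "):
            ssh_version = line.split()[2]
            continue
        m = _ACCESS_RE.match(line)
        if not m:
            continue
        proto, ip, mask, iface = m.groups()
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if proto == "telnet" and iface in untrusted:
            findings.append(("high", proto, iface,
                             f"cleartext telnet allowed from {net}"))
        elif proto == "telnet":
            findings.append(("medium", proto, iface,
                             f"cleartext telnet allowed from {net}; use ssh"))
        if iface in untrusted and net.prefixlen == 0:
            findings.append(("high", proto, iface,
                             "management open to any source address"))
        elif iface in untrusted and proto == "http":
            findings.append(("medium", proto, iface,
                             f"ASDM/HTTPS reachable from {net}; prefer VPN"))
    if ssh_version != "2":
        findings.append(("medium", "ssh", "*",
                         f"ssh version is {ssh_version or 'unset'}; require 2"))
    return findings


if __name__ == "__main__":
    for sev, proto, iface, why in audit_management_access(SAMPLE_CONFIG):
        print(f"[{sev}] {proto} on {iface}: {why}")
```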


 

oddyager

Diamond Member
May 21, 2005
Originally posted by: nightowl
Which version of code are you running? In the newer versions, there are http, telnet, and ssh specific access-list commands.

7.2 on all of them, and I'm using ASDM to make the changes (Config -> Properties -> Device Access -> HTTPS/ASDM). I created an access-list through the command line as well for all of them as a test, and it still doesn't work. I figure Cisco does not allow telnet or ping (HTTPS too?) from outside to the inside i/f by default, but I thought there was a command to permit this if necessary.
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
Not from the outside.

The config will "take" but it won't work. Not Telnet, not from the Outside (and possibly, not from the DMZ). This is a stated position by Cisco; it's too much of a security risk.

If that's changed, so be it, it doesn't make it any smarter to do it. Bad idea. Very Bad Idea.

Good Luck

Scott
 

Diaonic

Senior member
May 3, 2002
I always left the console cable plugged into a server / workstation, whatever, and just used RDP to connect to the desktop. Then from the desktop log into the firewall or router.

Probably not the best way to do it, but it worked well.
 

jlazzaro

Golden Member
May 6, 2004
Originally posted by: Diaonic
I always left the console cable plugged into a server / workstation, whatever, and just used RDP to connect to the desktop. Then from the desktop log into the firewall or router.

Probably not the best way to do it, but it worked well.

You made me chuckle, sir.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: Diaonic
I always left the console cable plugged into a server / workstation, whatever, and just used RDP to connect to the desktop. Then from the desktop log into the firewall or router.

Probably not the best way to do it, but it worked well.

*SMACK!*
 

nightowl

Golden Member
Oct 12, 2000
Now, I am not recommending that this be done, I am only stating that it can be done. You can telnet to the outside interface of an ASA/PIX. This is with the 8.0 code. I am not sure if it has been changed from the 6.x code on the PIX but it does work.
 

jlazzaro

Golden Member
May 6, 2004
6.3(5) and it's a no-go on the outside interface. I'd try 8.0, but I only have 506e's laying around. So, I guess we're moving backwards in terms of built-in security ;P
 

nightowl

Golden Member
Oct 12, 2000
Well, it looks like I was wrong on the Telnet. It will not work with the CCO version of the 8.0 code. However, it did work with a pre-release 8.0 version that I had loaded (stuff like that always happens to me). I guess it was enabled for debugging or something, who knows.