Telnet
Telnet is one of the simplest means to affix to a arrangement device.Telnet is character
based and sends anniversary appearance in bright argument beyond the network.This means
that any username and countersign are accessible to anyone who has a way to capture
packets. As you ability imagine, this vulnerability leads to a actual ample aegis risk
in managing the PIX beyond a WAN link, the Internet, or alike on a LAN.This is
an accomplished acumen to configure and use SSH instead of Telnet.
NOTE
The Cisco PIX firewall can alone be a Telnet server and not a Telnet client.
This is clashing Cisco routers and switches, on which you can Telnet from
one arrangement to the next.
To configure Telnet on the PIX firewall, use the afterward command.
telnet
The ip_address constant can be a distinct IP host or an absolute range.The
netmask constant is a subnet affectation associated with the IP abode or range.The
interface constant specifies the interface name you appetite to accredit Telnet on. In
the afterward example, we accept configured the absolute 192.168.50.0/24 network
on the central interface to be accustomed to Telnet to the PIX:
PIX1(config)# telnet 192.168.50.0 255.255.255.0 inside
There are some restrictions on Telnet depending on the interface you use.
The central interface allows Telnet after encryption, admitting encryption
(through VPN) is bare for the alfresco interface.You can set the abandoned timeout
value for the Telnet session.The abeyance amount is defined in account and must
be a amount from 1 to 60.The absence abeyance is 5 minutes. In this example, we
configure the abeyance to 15 minutes:
www.syngress.com
Configuring Arrangement Management • Chapter 6 315
PIX1(config)# telnet abeyance 15
The appearance telnet command shows the accepted account of IP addresses and their
interfaces that are accustomed to admission the PIX via Telnet. For example:
PIX1# appearance telnet
192.168.50.0 255.255.255.0 inside
The bright telnet or no telnet commands abolish the Telnet advantage from an
authorized IP address.The architecture for this command is:
clear telnet [
The ip_address constant is the subnet or host IP that you appetite to clear.The
netmask constant is a subnet affectation associated with the IP abode or range.The
interface constant is the name of the interface that had this Telnet host or subnet
IP enabled. For example:
PIX1(config)# bright telnet 192.168.50.0 255.255.255.0 inside
If no ambit are specified, the bright telnet command will abolish admission for
all hosts.
The who command shows you which IP addresses currently accept Telnet
sessions accessible to the PIX.This archetype shows two Telnet sessions, one from
192.168.50.3 and the added from 192.168.50.8:
PIX1# who
0: 192.168.50.3
1: 192.168.50.8
The annihilate
warning is accustomed the user aback the affair is dropped.The telnet_id parameter
specifies the affair cardinal that is apparent aback you use the who command. For
example:
PIX1# annihilate 0
Restrictions
Before PIX software adaptation 5.0, you could alone Telnet to the PIX from the
inside interface.With PIX OS 5.0 and after versions, you can Telnet to any interface,
but the PIX firewall requires all Telnet cartage to the alfresco interface to be
protected application encryption. It is accessible to use admission lists and a changeless avenue to
pass a Telnet affair through the Cisco PIX from the alfresco interface to a Telnet
www.syngress.com
316 Chapter 6 • Configuring Arrangement Management
server on the central and again use the Telnet server to Telnet aback to the inside
interface. However, it is abundant easier to use SSH to accessible a CLI affair to the
outside interface of the firewall.This meets the Cisco PIX claim of using
an encrypted affiliation for the Telnet session.You can use Telnet to an outside
interface over an encrypted VPN session.