telnet

Specify host for firewall console access via Telnet. (Configuration mode.)

[no] telnet ip_address [netmask] [if_name]

clear telnet [ip_address [netmask] [if_name]]

show telnet

telnet timeout minutes

show telnet timeout


Syntax Description

ip_address An IP address of a host or network that can access the firewall Telnet console. If an interface name is not specified, the address is assumed to be on an internal interface. The firewall automatically verifies the IP address against the IP addresses specified by the ip address commands to ensure that the address you specify is on an internal interface. If an interface name is specified, the firewall only checks the host against the interface you specify.
netmask Bit mask of ip_address. To limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255. If you do not specify netmask, it defaults to 255.255.255.255 regardless of the class of ip_address. Do not use the subnetwork mask of the internal network. The netmask is only a bit mask for the IP address in ip_address.
if_name If IPSec is operating, the firewall lets you specify an unsecure interface name, typically the outside interface. At a minimum, the crypto map command must already be configured before you can specify such an interface name with the telnet command.
timeout minutes The number of minutes that a Telnet session can be idle before being closed by the firewall. The default is 5 minutes. The range is 1 to 60 minutes.


Usage Guidelines

The telnet command allows you to specify which hosts can access the firewall console with Telnet. You can enable Telnet to the firewall on all interfaces. However, the firewall enforces that all Telnet traffic to the outside interface be IPSec protected. Therefore, to enable Telnet sessions to the outside interface, configure IPSec on the outside interface to include IP traffic generated by the firewall, and then enable Telnet on the outside interface.

Up to 16 hosts or networks are allowed access to the firewall console with Telnet, with at most 5 sessions active simultaneously. The show telnet command displays the current list of IP addresses authorized to access the firewall. Use the no telnet or clear telnet command to remove Telnet access from a previously set IP address. Use the telnet timeout feature to set the maximum time a console Telnet session can be idle before being logged off by the firewall. The clear telnet command does not affect the telnet timeout command duration. The no telnet command cannot be used with the telnet timeout command.

Use the passwd command to set a password for Telnet access to the console. The default is cisco. Use the who command to view which IP addresses are currently accessing the firewall console. Use the kill command to terminate an active Telnet console session.

If the aaa command is used with the console option, Telnet console access must be authenticated with an authentication server.

If you have configured the aaa command to require authentication for firewall Telnet console access and the console login request times out, you can gain access to the firewall from the serial console by entering the pix username and the password that was set with the enable password command.

  1. If you do not specify the interface name, the telnet command adds command statements to the configuration to let the host or network access the Telnet console from all internal interfaces.

    When you use the show telnet command, this assumption may not seem to make sense. For example, suppose you enter the following command without a netmask or interface name:

        telnet 192.168.1.1
    

    If you then use the show telnet command, you see that not just one command statement is specified, but all internal interfaces are represented with a command statement:

        show telnet
    
        192.168.1.1 255.255.255.255 inside
        192.168.1.1 255.255.255.255 intf2
        192.168.1.1 255.255.255.255 intf3
    

    The show telnet output means that, were it possible, the 192.168.1.1 host could access the Telnet console from any of these internal interfaces. An additional facet of this behavior is that you have to delete each of these command statements individually with the following commands:

        no telnet 192.168.1.1 255.255.255.255 inside
        no telnet 192.168.1.1 255.255.255.255 intf2
        no telnet 192.168.1.1 255.255.255.255 intf3
    

  2. To access the firewall with Telnet from the intf2 perimeter interface, use the following command:

        telnet 192.168.1.1 255.255.255.255 intf2

  3. The default password to access the firewall console via Telnet is cisco.

  4. Some Telnet applications such as the Windows 95 or Windows NT Telnet sessions may not support access to the firewall unit's command history feature via the arrow keys. However, you can access the last entered command by pressing Ctrl-P.

  5. The telnet timeout command affects the next session started but not the current session.

  6. If you connect a computer directly to the inside interface of the firewall with Ethernet to test Telnet access, use a cross-over cable and the computer must have an IP address on the same subnet as the inside interface. The computer must also have its default route set to be the inside interface of the firewall.

  7. If you need to access the firewall console from outside the firewall, you can use a static and access-list command pair to permit a Telnet session to a Telnet server on the inside interface, and then from the server to the firewall. In addition, you can attach the console port to a modem but this may add a security problem of its own. You can use the same terminal settings as for HyperTerminal.

    If you have IPSec configured, you can access the firewall console with Telnet from outside the firewall. Once an IPSec tunnel is created from an outside host to the firewall, you can access the console from the outside host.

  8. Output from the debug crypto ipsec, debug crypto isakmp, and debug ssh commands does not display in a Telnet or SSH console session. For information about the debug crypto ipsec and debug crypto isakmp commands, refer to the debug command page.


Examples

The following examples permit hosts 192.168.1.3 and 192.168.1.4 to access the firewall console via Telnet. In addition, all the hosts on the 192.168.2.0 network are given access:


telnet 192.168.1.3 255.255.255.255 inside
telnet 192.168.1.4 255.255.255.255 inside
telnet 192.168.2.0 255.255.255.0 inside
show telnet
192.168.1.3 255.255.255.255 inside
192.168.1.4 255.255.255.255 inside
192.168.2.0 255.255.255.0 inside

You can remove individual entries with the no telnet command or all telnet command statements with the clear telnet command:


no telnet 192.168.1.3 255.255.255.255 inside
show telnet
192.168.1.4 255.255.255.255 inside
192.168.2.0 255.255.255.0 inside
clear telnet
show telnet

You can change the maximum session idle duration as follows:


telnet timeout 10
show telnet timeout
telnet timeout 10 minutes

An example Telnet console login session appears as follows (the password does not display when entered):


PIX passwd: cisco

Welcome to the firewall
Type help or `?' for a list of available commands.
pixfirewall>
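The following is an added Python example, not part of this command reference and not Cisco code. It parses a captured show telnet listing, applies the netmask semantics described under Syntax Description (the mask is a bit mask over ip_address, so a source is permitted when source AND mask equals ip_address AND mask on the arriving interface), flags entries a reviewer would want to look at (very broad masks, an entry on the outside interface, more than the 16 supported entries), and generates the per-interface no telnet statements that note 1 says must be issued one by one. The sample listing is constructed: it combines the entries from the Examples section and note 1 with two hypothetical entries (a /16 on intf2 and an any-host entry on outside); the interface names intf2 and intf3 are taken from the page, and the 256-address threshold in audit() is an arbitrary choice for illustration.

```python
"""Audit a PIX 'show telnet' listing (added example; not Cisco code)."""
import ipaddress
from collections import namedtuple

TelnetEntry = namedtuple("TelnetEntry", "address netmask if_name")

# Constructed sample: page examples plus two hypothetical entries
# (10.0.0.0/16 on intf2 and 0.0.0.0/0 on outside).
SAMPLE_SHOW_TELNET = """\
show telnet
192.168.1.3 255.255.255.255 inside
192.168.1.4 255.255.255.255 inside
192.168.2.0 255.255.255.0 inside
192.168.1.1 255.255.255.255 inside
192.168.1.1 255.255.255.255 intf2
192.168.1.1 255.255.255.255 intf3
10.0.0.0 255.255.0.0 intf2
0.0.0.0 0.0.0.0 outside
"""

MAX_ENTRIES = 16  # the page states up to 16 hosts or networks may be configured


def parse_show_telnet(text):
    """Parse 'ip netmask if_name' lines; skip the echoed command and blanks."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        addr, mask, if_name = parts
        try:
            entries.append(TelnetEntry(ipaddress.IPv4Address(addr),
                                       ipaddress.IPv4Address(mask), if_name))
        except ipaddress.AddressValueError:
            continue  # not an address triple (e.g. a header line)
    return entries


def permitted(entries, source, if_name):
    """True if a session from `source` arriving on `if_name` matches an entry.
    The netmask is a plain bit mask over ip_address, so the check is
    (source AND mask) == (ip_address AND mask); contiguity is not assumed."""
    src = int(ipaddress.IPv4Address(source))
    for e in entries:
        if e.if_name != if_name:
            continue
        m = int(e.netmask)
        if src & m == int(e.address) & m:
            return True
    return False


def hosts_covered(entry):
    """Number of addresses an entry admits: 2 ** (zero bits in the mask)."""
    return 2 ** (32 - bin(int(entry.netmask)).count("1"))


def audit(entries, max_hosts=256):
    """Return (entry, reason) findings a config reviewer would want to see."""
    findings = []
    if len(entries) > MAX_ENTRIES:
        findings.append((None, "more than %d entries configured" % MAX_ENTRIES))
    for e in entries:
        n = hosts_covered(e)
        if n > max_hosts:
            findings.append((e, "entry admits %d addresses" % n))
        if e.if_name == "outside":
            findings.append((e, "Telnet permitted on the outside interface "
                                "(the firewall requires IPSec for it)"))
    return findings


def removal_commands(entries, host):
    """'no telnet' statements for every interface on which `host` appears,
    because each per-interface statement has to be removed individually."""
    target = ipaddress.IPv4Address(host)
    return ["no telnet %s %s %s" % (e.address, e.netmask, e.if_name)
            for e in entries if e.address == target]


if __name__ == "__main__":
    entries = parse_show_telnet(SAMPLE_SHOW_TELNET)
    print(permitted(entries, "192.168.2.77", "inside"))  # True: inside 192.168.2.0/24
    print(permitted(entries, "192.168.2.77", "intf2"))   # False: wrong interface
    for e, reason in audit(entries):
        print("FINDING:", reason, "" if e is None else e)
    for cmd in removal_commands(entries, "192.168.1.1"):
        print(cmd)
```

Run it against a pasted show telnet listing instead of the constructed sample to see which entries would admit a given source address on a given interface, and to get the exact no telnet statements for a host that was added without an interface name.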