Cisco ASA: Configuring Telnet April 8
In order to add Telnet access to the console and set the idle timeout, issue the telnet command in global configuration mode. By default, Telnet sessions that are left idle for five minutes are closed by the security appliance. In order to remove Telnet access from a previously set IP address, use the no form of this command.
telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}
no telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}
The telnet command specifies which hosts can reach the security appliance console with Telnet. You can enable Telnet to the security appliance on any interface, but the security appliance requires that all Telnet traffic to the outside interface be protected by IPsec. To enable a Telnet session to the outside interface, configure IPsec on the outside interface so that the tunnel includes IP traffic generated by the security appliance itself, and then enable Telnet on the outside interface.
Note: Accessing the security appliance through a Telnet session is not recommended. Telnet carries everything, including authentication credentials such as the password, in clear text, so anyone who can observe the path between the client and the appliance can read the whole session. Cisco recommends SSH for secure management access.
If you enter an IP address, you must also enter a netmask; there is no default netmask. Do not simply reuse the subnet mask of the internal network: the netmask here is a bit mask applied to the IP address, and only the address bits covered by the mask are compared with the source address of the connection. To limit access to a single host, use 255 in each octet, for example 255.255.255.255.
If IPsec is operating, you can specify an unsecure interface name, typically the outside interface. At a minimum, configure the crypto map command on that interface before you specify its name with the telnet command.
Issue the password command to set the password for Telnet access to the console. The default password is cisco; change it before you enable Telnet on any interface. Issue the who command to list the IP addresses that currently have a session to the security appliance console, and the kill command to terminate an active Telnet console session.
In order to enable a Telnet session to the inside interface, review these examples:
Example 1
This example permits only the host 10.1.1.1 to gain access to the security appliance console through Telnet:
pix(config)#telnet 10.1.1.1 255.255.255.255 inside
Example 2
This example permits only the network 10.0.0.0/8 to gain access to the security appliance console through Telnet:
pix(config)#telnet 10.0.0.0 255.0.0.0 inside
Example 3
This example allows any source address to reach the security appliance console through Telnet on the inside interface, because the mask 0.0.0.0 compares no address bits at all:
pix(config)#telnet 0.0.0.0 0.0.0.0 inside
If you use the aaa command with the console keyword, Telnet console access must be authenticated against an authentication server.
Note: If you have configured the aaa command to require authentication for Telnet console access and the console login request times out, you can still gain access to the security appliance from the serial console. To do this, enter the security appliance username and the password that was set with the enable password command.
Issue the telnet timeout command to set the maximum time a console Telnet session can be idle before the security appliance logs it off. You cannot use the no form of the telnet command with the telnet timeout keyword.
This example shows how to change the maximum session idle duration and verify the result:
hostname(config)#telnet timeout 10
hostname(config)#show running-config telnet timeout
telnet timeout 10 minutes
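As an added example (not Cisco's code and not part of the original tech note), the following Python script audits the telnet lines of a running configuration the way this page describes them: it applies the same bit-mask comparison the appliance uses for the IP_address mask pair, flags the 0.0.0.0 0.0.0.0 any-source form, flags entries on the outside interface (which are only accepted inside IPsec), and flags an idle timeout longer than a chosen limit. The sample configuration, the interface names and the five-minute limit are constructed for the example.

```python
"""Audit the Telnet access lines of a Cisco ASA running configuration.

Added example, not Cisco's code. It applies the same bit-mask match the
security appliance uses for `telnet IP_address mask interface_name` and
flags the settings this page warns about.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `show running-config telnet` output (not captured
# from a real device). The last host line deliberately sets host bits
# outside its mask to show that the mask is only a bit mask.
SAMPLE_CONFIG = """\
telnet 10.1.1.1 255.255.255.255 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 dmz
telnet 198.51.100.7 255.255.255.255 outside
telnet 10.1.2.3 255.255.255.0 inside
telnet timeout 30
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
TELNET_HOST_RE = re.compile(rf"^telnet\s+{IPV4}\s+{IPV4}\s+(\S+)\s*$")
TELNET_TIMEOUT_RE = re.compile(r"^telnet\s+timeout\s+(\d+)\s*$")


@dataclass(frozen=True)
class TelnetRule:
    address: int      # dotted quad as a 32-bit integer
    mask: int         # bit mask; need not be a contiguous prefix
    interface: str

    def permits(self, host: str) -> bool:
        """Same test the appliance applies: (host & mask) == (address & mask)."""
        h = int(ipaddress.IPv4Address(host))
        return (h & self.mask) == (self.address & self.mask)


def parse_telnet_config(text: str) -> tuple[list[TelnetRule], int]:
    """Return (host rules, idle timeout in minutes); the timeout defaults to 5."""
    rules: list[TelnetRule] = []
    timeout = 5
    for raw in text.splitlines():
        line = raw.strip()
        m = TELNET_HOST_RE.match(line)
        if m:
            addr, mask, iface = m.groups()
            rules.append(TelnetRule(int(ipaddress.IPv4Address(addr)),
                                    int(ipaddress.IPv4Address(mask)), iface))
            continue
        m = TELNET_TIMEOUT_RE.match(line)
        if m:
            timeout = int(m.group(1))
    return rules, timeout


def audit(text: str, outside_interface: str = "outside", max_timeout: int = 5) -> list[str]:
    """Return one finding per risky setting; an empty list means nothing to report."""
    findings: list[str] = []
    rules, timeout = parse_telnet_config(text)
    for r in rules:
        label = f"telnet {ipaddress.IPv4Address(r.address)} {ipaddress.IPv4Address(r.mask)} {r.interface}"
        if r.mask == 0:
            findings.append(f"{label}: mask 0.0.0.0 permits every source address")
        else:
            # Address bits outside the mask are never compared, so the entry
            # really matches (address & mask), not the address as typed.
            host_bits = r.address & (~r.mask & 0xFFFFFFFF)
            if host_bits:
                effective = ipaddress.IPv4Address(r.address & r.mask)
                findings.append(f"{label}: host bits ignored, effective match is {effective} with this mask")
        if r.interface == outside_interface:
            findings.append(f"{label}: Telnet to the outside interface is only accepted inside IPsec; verify the crypto map")
    if timeout > max_timeout:
        findings.append(f"telnet timeout {timeout} exceeds the {max_timeout} minute limit")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running the script on the sample prints four findings: the any-source dmz entry, the outside entry, the 10.1.2.3/24 entry whose effective match is 10.1.2.0, and the 30 minute timeout. A configuration containing only a single /32 host on the inside interface with the default timeout produces no findings.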
