Telnet connections to the ASA are not allowed on the least secure interface (usually the outside interface), unless the host is connecting via an IPSec tunnel. To permit a host to Telnet into the ASA via a VPN tunnel that terminates on the outside interface, you can specify another interface for management access. For example, to allow an external VPN user to telnet into the inside interface:
ciscoasa(config)# management-access inside
For example, my pet ASA is set up for VPN access to the outside interface. When the VPN client tunnels into the ASA’s outside interface, it gets an IP address of 18.104.22.168 from the VPN pool. However, when the VPN client tries to telnet into the ASA’s inside interface at 22.214.171.124, the usual telnet login prompt does not come up. This is what is configured on the ASA:
ciscoasa(config)# sh ru telnet
telnet 192.168.3.0 255.255.255.0 inside
telnet 126.96.36.199 255.255.255.255 inside
telnet timeout 60
Ah, we need to permit 188.8.131.52 to telnet into the ASA.
ciscoasa(config)# telnet 184.108.40.206 255.255.255.255 inside
Now the telnet session from the VPN client succeeds.
ciscoasa(config)# who
0: 220.127.116.11
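The check done by eye above (is the VPN client's address covered by a telnet rule on the management-access interface?) can be scripted against saved configuration text. This is an added example, not part of the original post: the function names and the sample addresses (documentation ranges) are constructed, and it models only the `management-access` and `telnet <address> <netmask> <interface>` lines shown on this page.

```python
import ipaddress

# Constructed sample of ASA running-config lines (placeholder addresses from
# documentation ranges, not the values used in the post).
SAMPLE_CONFIG = """\
management-access inside
telnet 192.168.3.0 255.255.255.0 inside
telnet 198.51.100.7 255.255.255.255 inside
telnet timeout 60
"""

def parse_mgmt_config(text):
    """Return (management_access_interface, [(network, interface), ...])."""
    mgmt_if, rules = None, []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "management-access":
            mgmt_if = parts[1]
        elif len(parts) == 4 and parts[0] == "telnet":
            # "telnet <address> <netmask> <interface>"; "telnet timeout N" has 3 fields
            try:
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            except ValueError:
                continue  # not an address/netmask pair, ignore the line
            rules.append((net, parts[3]))
    return mgmt_if, rules

def telnet_verdict(text, client_ip):
    """Say whether a tunnelled client address may telnet to the management-access interface."""
    mgmt_if, rules = parse_mgmt_config(text)
    if mgmt_if is None:
        return "blocked: no management-access interface configured"
    ip = ipaddress.ip_address(client_ip)
    matches = [(net, ifc) for net, ifc in rules if ip in net]
    if any(ifc == mgmt_if for _, ifc in matches):
        return f"allowed: on {mgmt_if}"
    if matches:
        # A rule covers the address but is bound to a different interface
        return f"blocked: rule is on {matches[0][1]}, not {mgmt_if}"
    return f"blocked: no telnet rule covers {client_ip}"

if __name__ == "__main__":
    for addr in ("192.168.3.20", "198.51.100.7", "203.0.113.10"):
        print(addr, "->", telnet_verdict(SAMPLE_CONFIG, addr))
```
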