Telnet connections to the ASA are not allowed on the least secure interface (usually the outside interface), unless the host is connecting via an IPSec tunnel. To permit a host to Telnet into the ASA via a VPN tunnel that terminates on the outside interface, you can specify another interface for management access. For example, to allow an external VPN user to telnet into the inside interface:
ciscoasa(config)# management-access inside
For example, my pet ASA is set up for VPN access to the outside interface. When the VPN client tunnels into the ASA’s outside interface, it gets an IP address of 5.5.5.50 from the VPN pool. However, when the VPN client tries to telnet into the ASA’s inside interface at 5.5.5.1, the usual telnet login prompt does not come up. This is what is configured on the ASA:
ciscoasa(config)# sh ru telnet telnet 192.168.3.0 255.255.255.0 inside telnet 5.5.5.2 255.255.255.255 inside telnet timeout 60
Ah, we need to permit 5.5.5.50 to telnet into the ASA.
ciscoasa(config)# telnet 5.5.5.50 255.255.255.255 inside
Now the telnet session from the VPN client succeeds.
ciscoasa(config)# who 0: 5.5.5.50
Additional Information:
Telnet command in the Cisco ASA 8.4 Command Reference.