Telnet connections to the ASA are not allowed on the least secure interface (usually the outside interface), unless the host is connecting via an IPSec tunnel. To permit a host to Telnet into the ASA via a VPN tunnel that terminates on the outside interface, you can specify another interface for management access. For example, to allow an external VPN user to telnet into the inside interface:
ciscoasa(config)# management-access inside
For example, my pet ASA is set up for VPN access to the outside interface. When the VPN client tunnels into the ASA’s outside interface, it gets an IP address of 18.104.22.168 from the VPN pool. However, when the VPN client tries to telnet into the ASA’s inside interface at 22.214.171.124, the usual telnet login prompt does not come up. This is what is configured on the ASA:
ciscoasa(config)# sh ru telnet telnet 192.168.3.0 255.255.255.0 inside telnet 126.96.36.199 255.255.255.255 inside telnet timeout 60
Ah, we need to permit 188.8.131.52 to telnet into the ASA.
ciscoasa(config)# telnet 184.108.40.206 255.255.255.255 inside
Now the telnet session from the VPN client succeeds.
ciscoasa(config)# who 0: 220.127.116.11