site-to-site vpn question

danny.garza (Level 1)

How can I manage a remote firewall configured with a site-to-site VPN? Site A and site B have a site-to-site VPN. I am site A and would like to telnet into site B to change some ACLs but cannot get into it.

Accepted Solution

laurent.geyer (Level 1)

First of all I recommend that you do not use telnet to manage your firewall. SSH is significantly more secure and just as easy to use.

That said, there are two ways to accomplish what you want. One is to manage the firewall via the outside interface of firewall B.

Assuming that you have your authentication already set up, this would be as simple as applying the following configuration to firewall B.

ssh outside

If you have multiple possible source IPs or networks, you can expand the access with multiple such statements.

The second option would be for you to configure what Cisco refers to as management-access.

The management-access command allows you to configure one of your inside interfaces to receive management traffic. This traffic includes SNMP, ICMP, ASDM and telnet/SSH.

The following command configures a management interface:

management-access

The advantage of that setup is that all of your management traffic can traverse an existing VPN tunnel and the risk of sensitive information being exposed is minimized.

The drawback: you cannot reach your standby firewall should you run in active/standby mode.

Keep in mind that ssh access control has to be configured for the management interface as well. Assuming you configured management-access for the inside interface, you would have to issue the following:

ssh inside

Management access first appeared in 6.x I believe.

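Both options from the answer above written out as one worked firewall B configuration. This is an added example, not the original poster's or Cisco's configuration; the addresses (site A's public address 203.0.113.10, site A's inside LAN 10.1.0.0/24) and the interface name "inside" are assumed, and the commands use the PIX/ASA `ssh <ip> <mask> <interface>` form.

```cisco
! Firewall B (site B). Assumed: site A's public address is 203.0.113.10,
! site A's inside LAN is 10.1.0.0/24, site B's inside interface is named "inside".
! Authentication (aaa / username / RSA host key) is assumed to be configured
! already, as the answer above assumes.

! Option 1: manage over the outside interface.
! Lock the permitted source down to site A's public address only; add one
! ssh line per additional permitted source host or network.
ssh 203.0.113.10 255.255.255.255 outside

! Option 2: manage over the existing VPN tunnel through the inside interface.
! Site A hosts connect to firewall B's inside interface address, so the
! management session never leaves the tunnel. Assumption: the tunnel's
! crypto ACL already covers traffic from 10.1.0.0/24 to site B's inside
! subnet, otherwise the management traffic will not be encrypted or routed.
management-access inside
ssh 10.1.0.0 255.255.255.0 inside

! In either option use ssh only; do not add telnet lines for remote management.
```

Only one of the two options is needed; option 2 is the one that keeps management traffic off the public interface entirely.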

2 Replies


that worked perfect!

Thanks
