
Easy VPN PIX 501 and telnet

Unanswered Question
Jan 17th, 2003

CCO shows ---

When the Easy VPN Remote connects to a headend device, there are a minimum of five security associations (SAs), including one Internet Key Exchange (IKE) and four IPSec associations. When the Easy VPN Remote connects to the headend, it always negotiates two IPSec SAs with the IP address of the PIX outside interface to any address behind the VPN server. This may be used for management purposes to connect to the PIX outside interface from the network behind the IOS router (either via Secure Shell (SSH) or Secure HTTP for PIX Device Manager (PDM) usage or Telnet).


PIX docs for telnet say you can use the outside interface only if you have at least a crypto map set up.


Do I need to do just a "crypto map name 10 ipsec-isakmp" and then a telnet x.x.x.x outside to manage the PIX?


Anyone that has done this, I would appreciate any help.


Thanks

gfullage Fri, 01/17/2003 - 22:07
User Badges:
  • Cisco Employee,

As you're aware, you can only telnet to the PIX outside interface if you come in over a VPN tunnel. The telnet docs are probably a bit outdated and need to be revised since EzVPN has come along, since with EzVPN it pretty much does all that for you. When an EzVPN tunnel is created, two tunnels are created, one to the PIX inside subnet, and one to the PIX outside interface. Because of this second tunnel, you should then be able to telnet to the PIX outside interface from the other remote subnet. All you should need in the PIX is:


> telnet x.x.x.x outside


For security's sake, just add the network behind the other device into the telnet command; don't make it 0.0.0.0. It's just that little bit more secure.
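A defensive check for the advice in the reply above, added here as an example and not part of the original thread: it scans a PIX configuration for `telnet` entries on the outside interface and reports any that admit sources beyond the network behind the other VPN device. The function name `audit_telnet`, its `remote_net` parameter, the sample addresses, and the assumption that entries are written in the full `telnet <ip> <netmask> <if_name>` form are all hypothetical.

```python
import ipaddress
import re

# Assumed form of a PIX access entry: telnet <ip> <netmask> <if_name>
TELNET_RE = re.compile(
    r"^telnet\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)$")

def audit_telnet(config, remote_net, iface="outside"):
    """Return (line, reason) pairs for telnet entries on `iface` that admit
    sources outside `remote_net`, the network behind the other VPN device."""
    allowed = ipaddress.ip_network(remote_net)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = TELNET_RE.match(line)
        if not m or m.group(3) != iface:
            continue  # not a telnet access entry for this interface
        ip, mask, _ = m.groups()
        try:
            # Mask is assumed contiguous, so its set bits give the prefix length.
            prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        except ValueError:
            findings.append((line, "unparseable address or mask"))
            continue
        if prefix == 0:
            findings.append((line, "any source address is accepted"))
        elif not net.subnet_of(allowed):
            findings.append((line, f"{net} is not inside {allowed}"))
    return findings

# Constructed sample configuration (addresses are placeholders).
SAMPLE = """\
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.10.0 255.255.255.0 outside
telnet 192.168.0.0 255.255.0.0 outside
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
"""

if __name__ == "__main__":
    for line, reason in audit_telnet(SAMPLE, "192.168.10.0/24"):
        print(f"{line}  <- {reason}")
```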
