PIX Telnet problem

Apr 2nd, 2006

I am able to telnet in via the VPN using the inside address. The question is how to make this happen without using the VPN tunnel! Would someone please take a look at the current config and tell me what I am missing.

I need to be able to telnet in and get through to the host without a VPN connection. Is that possible?


access-list vpnacl permit ip
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit gre any any
access-list 101 permit tcp any host eq ftp
access-list 101 permit tcp any host eq ftp-data
access-list 101 permit tcp any host eq www
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host eq telnet
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 0 0
nat (inside) 0 access-list vpnacl
nat (inside) 1 0 0
static (inside,outside) tcp interface ftp ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet telnet netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 1

scottmac Sun, 04/02/2006 - 13:26

PIX does not allow (untunneled) Telnet from the outside. There is no configuration to accomplish that.

Your best bet would be to set up and permit SSH from the outside if you really need to do this. Even with SSH, it's considered a security risk.

Most flavors of PIX IOS only support SSH v1, which has been compromised for a while now.

Tunneling is probably your best, safest way to go.

Good Luck


Patrick Iseli Sun, 04/02/2006 - 14:53

PIX OS 7.x now supports SSH v2.


Indeed, Telnet is not allowed on the outside interface.

The serial console lets a single user configure the PIX Firewall, but often this is not convenient for a site with more than one administrator. PIX Firewall lets you access the console via Telnet from hosts on any internal interface. With IPSec configured, you can use Telnet to remotely administer the console of a PIX Firewall from lower security interfaces.




sebastan_bach Sun, 04/02/2006 - 23:24
Hi Patrick. I have configured a site-to-site VPN between a PIX and a router that is connected to the outside interface of the PIX. In the crypto ACL of the router it is a loopback interface IP address to the outside interface IP of the PIX. In the PIX crypto ACL I have the ACL with the outside interface IP to the loopback IP of the router. I have configured telnet on the outside interface of the PIX with the IP address of the loopback. IPsec works perfectly fine between the two. When I telnet from the router's loopback address to the outside of the PIX, it shows "trying" and "open" and then goes completely blank. The PIX is not asking for any password or anything. When I look at show local-host on the PIX, I can see the telnet entry present there; in the conn table it also shows established.

Is my config right? What could be the problem? Can you please help me out. Waiting for your reply. See ya.



Eric Boadu Sun, 04/02/2006 - 23:54
Did you enable the telnet password command on your PIX?

sebastan_bach Mon, 04/03/2006 - 02:30
Yes, I have enabled the password and even the enable password. On the router I can see the session maintained for the PIX, and on the PIX I can see the connection entry as established. I really don't understand the problem. Then I configured telnet from the inside interface of the PIX. It worked perfectly fine without any issues. Can you please help me out. Thanks, waiting for your reply.


Eric Boadu Mon, 04/03/2006 - 03:36
Try this command. Management inside or outside access. Telnet x.x.x.x outside or telnet x.x.x.0 outside. passwd cisco. Not sure if you need an access-list. Probably not.

Eric Boadu Sun, 04/02/2006 - 23:24
If you are trying to SSH into your PIX from outside, issue the SSH command on your PIX allowing your outside network address. Install PuTTY on your PC and try SSH from your outside network. If you are coming from multiple outside network addresses you must add those network addresses as well. Hope this helps.

Patrick Iseli Mon, 04/03/2006 - 07:16
To be able to access the PIX via a VPN tunnel you need to add the following command: management-access ....


See: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#wp1137951


Enables access to an internal management interface on the firewall.

[no] management-access mgmt_if

show management-access

Syntax Description

mgmt_if  The name of the firewall interface to be used as the internal management interface.

Command Modes

The management-access mgmt_if command is available in configuration mode.

The show management-access command is available in privileged mode.

Usage Guidelines

The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)

In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:

• SNMP polls to the mgmt_if
• HTTPS requests to the mgmt_if
• PDM access to the mgmt_if
• Telnet access to the mgmt_if
• SSH access to the mgmt_if
• Ping to the mgmt_if

The show management-access command displays the firewall management access configuration.

The following example shows how to configure a firewall interface named "inside" as the management access interface:

pixfirewall(config)# management-access inside
pixfirewall(config)# show management-access
management-access inside



sebastan_bach Mon, 04/03/2006 - 11:43
Hi Patrick. In my above scenario, where I have a site-to-site VPN from the PIX outside interface to a router, IPsec works fine. Here I am telnetting from the router connected to the PIX outside interface. What should the management interface be here? Should it be management-access outside or inside? Please help. Thank you, waiting for your reply.


Patrick Iseli Mon, 04/03/2006 - 17:41
It should be any inside interface, but not the outside one.

Hope that helps.
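The configuration the replies above describe, written out as one fragment: SSH v2 only, from a single admin host on the outside (scottmac's and Patrick's advice), Telnet served only on the inside interface, and management-access inside so that the site-to-site peer reaches the PIX on its inside address through the tunnel rather than on the outside address (Patrick's last answer). This is an added example, not configuration posted by anyone in this thread. It uses PIX 7.0 syntax; the hostname and domain name, every address (inside interface 192.168.1.1/24, peer router 203.0.113.9 with loopback 10.255.0.1, admin workstation 198.51.100.10), the names l2l, outside_map and ESP-AES-SHA, the placeholders in angle brackets, and the lines beginning with ! (comments for the reader, not PIX commands) are all assumptions.

```text
! --- management plane ---
hostname pixfirewall
domain-name example.net
enable password <enable-password>
passwd <telnet-and-ssh-login-password>
! Telnet only from the inside LAN. Telnet to the lowest-security interface
! is only served inside an IPsec tunnel, and cleartext Telnet across the
! Internet would expose the login and enable passwords anyway.
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
! SSH: generate the host key, permit one admin host on the outside, refuse SSH v1.
crypto key generate rsa modulus 2048
ssh 198.51.100.10 255.255.255.255 outside
ssh version 2
ssh timeout 5
! Let traffic arriving through the tunnel reach the inside interface address.
management-access inside
! The peer logs in to the inside address, so its loopback is listed against
! the inside interface (assumption: a session that arrives via
! management-access is checked as an inside-interface session).
telnet 10.255.0.1 255.255.255.255 inside

! --- site-to-site tunnel to the router ---
! The crypto ACL must carry the PIX inside address itself, not only the LAN,
! or packets from the loopback to 192.168.1.1 never enter the tunnel.
access-list l2l extended permit ip host 192.168.1.1 host 10.255.0.1
access-list l2l extended permit ip 192.168.1.0 255.255.255.0 host 10.255.0.1
nat (inside) 0 access-list l2l
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address l2l
crypto map outside_map 10 set peer 203.0.113.9
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 203.0.113.9 type ipsec-l2l
tunnel-group 203.0.113.9 ipsec-attributes
 pre-shared-key <pre-shared-key>
! Decrypted tunnel traffic bypasses the outside interface ACL.
sysopt connection permit-ipsec
```

Verify with show management-access, show running-config telnet, show running-config ssh and show crypto ipsec sa (the l2l SA should count packets when the peer connects). From the router, a Telnet sourced from the loopback to 192.168.1.1, the inside address, should now prompt for the passwd password; a Telnet to the PIX outside address, which is what sebastan_bach tested, is exactly the case the PIX does not serve, tunnel or not. Keep the SSH source line as narrow as possible, since that entry is the only thing standing between the Internet and the PIX login prompt.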


sebastan_bach Mon, 04/03/2006 - 20:11
Hi Patrick, can you tell me when we would use the management-access outside command, and how management-access inside will work in my case when I am using a site-to-site VPN and not a remote-access VPN? Is telnet possible with a site-to-site VPN terminating on the outside? Thanks once again. Waiting for your reply, see ya.


