04-02-2006 12:44 PM - edited 02-21-2020 12:49 AM
I am able to telnet in via the VPN using the inside address. The question is how to make this happen without using the VPN tunnel! Would someone please take a look at the current config and tell me what I am missing.
I need to be able to telnet in and get through to the 192.168.1.10 host with out a vpn connection. Is that possible?
Thanks,
access-list vpnacl permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit gre any any
access-list 101 permit tcp any host 66.0.0.0 eq ftp
access-list 101 permit tcp any host 66.0.0.0 eq ftp-data
access-list 101 permit tcp any host 66.0.0.0 eq www
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 192.168.1.10 eq telnet
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 66.0.0.0 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.29-192.168.1.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 0 access-list vpnacl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.35 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 192.168.1.10 telnet netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.0.0.0 1
04-02-2006 01:26 PM
PIX does not allow (untunneled) Telnet from the outside. There is no configuration to accomplish that.
Your best bet would be to set up and permit SSH from the outside if you really need to do this. Even with SSH, it's considered a security risk.
Most flavors of PIX IOS only support SSH v1, which has been compromised for a while now.
Tunneling is probably your best, safest way to go.
Good Luck
Scott
04-02-2006 01:43 PM
I thought so.
Thanks for the advice!
Will
04-02-2006 02:53 PM
PIX OS 7.x now supports SSH v2.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet0900aecd80225ae1.html
Indeed telnet is not allowed on the outside interface.
The serial console lets a single user configure the PIX Firewall, but often this is not convenient for a site with more than one administrator. PIX Firewall lets you access the console via Telnet from hosts on any internal interface. With IPSec configured, you can use Telnet to remotely administer the console of a PIX Firewall from lower security interfaces.
sincerely
Patrick
04-02-2006 11:24 PM
Hi Patrick. I have configured a site-to-site VPN with a PIX and a router that is connected to the outside interface of the PIX. In the crypto ACL of the router it's a loopback interface IP address to the outside interface IP of the PIX. In the PIX crypto ACL I have the ACL with the outside interface IP to the loopback IP of the router. I have configured telnet on the outside interface of the PIX with the IP address of the loopback. IPSec works perfectly fine between the two. When I telnet from the router's loopback address to the outside of the PIX, it shows trying and open and then goes completely blank. The PIX is not asking for any password or anything. When I do "show local-host" on the PIX I can see the telnet entry present there, and in the conn table it shows established.
Is my config right? What could be the problem? Can you please help me out. Waiting for your reply. See ya
regards
sebastan
04-02-2006 11:54 PM
Did you enable the telnet passwd command on your PIX?
04-03-2006 02:30 AM
Yes, I have enabled the password and even the enable password. On the router I can see the session maintained for the PIX and on the PIX I can see the connection entry as established. I really don't understand the problem. Then I configured telnet from the inside interface of the PIX. It worked perfectly fine without any issues. Can you please help me out. Thanks, waiting for your reply.
sebastan
04-03-2006 03:36 AM
Try this command. Management inside or outside access. Telnet x.x.x.x 255.255.255.255 outside or telnet x.x.x.0 255.255.255.0 outside. passwd cisco. Not sure if you need an access-list. Probably not.
04-02-2006 11:24 PM
If you are trying to SSH into your PIX from outside, issue the SSH command on your PIX allowing your outside network address. Install PuTTY on your PC and try SSH from your outside network. If you are coming from multiple outside network addresses you must add those network addresses as well. Hope this helps.
04-03-2006 07:16 AM
To be able to access the PIX via a VPN tunnel you need to add the following command < management-access > ....
;-)
management-access
Enables access to an internal management interface on the firewall.
[no] management-access mgmt_if
show management-access
Syntax Description
mgmt_if
The name of the firewall interface to be used as the internal management interface.
Defaults
None.
Command Modes
The management-access mgmt_if command is available in configuration mode.
The show management-access is available in privileged mode.
Usage Guidelines
The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)
In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:
SNMP polls to the mgmt_if
HTTPS requests to the mgmt_if
PDM access to the mgmt_if
Telnet access to the mgmt_if
SSH access to the mgmt_if
Ping to the mgmt_if
The show management-access command displays the firewall management access configuration.
Examples
The following example shows how to configure a firewall interface named "inside" as the management access interface:
pixfirewall(config)# management-access inside
pixfirewall(config)# show management-access
management-access inside
sincerely
Patrick
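An added example, not posted by anyone in this thread, that pulls Scott's and Patrick's advice together into one PIX 6.3 configuration fragment for Will's topology (interface names outside/inside, the 192.168.1.0/24 LAN and the 192.168.1.29-30 VPN pool come from his posted config; the administrator address 203.0.113.5 and the passwords are placeholders):

```cisco
! Management-plane reachability on the PIX is decided by the telnet, ssh
! and management-access commands, not by access-list 101 or the statics.
!
! 1. Telnet is only honoured from inside interfaces (or inside IPSec),
!    so scope it to the LAN and keep the idle timeout short.
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
!
! 2. VPN clients from the pool reach the console through the tunnel
!    by targeting the inside interface address (192.168.1.1).
management-access inside
!
! 3. If untunneled remote administration is unavoidable, use SSH and
!    limit it to one known administrator host instead of "any".
!    (6.3 speaks SSH v1 only; 7.x adds "ssh version 2".)
hostname pixfirewall
domain-name example.com
ca generate rsa key 1024
ca save all
ssh 203.0.113.5 255.255.255.255 outside
ssh timeout 5
!
! Both the login and enable passwords must be set, or the session
! is accepted at the TCP level and then sits silent.
passwd LOGIN-PASSWORD-PLACEHOLDER
enable password ENABLE-PASSWORD-PLACEHOLDER
```

Verify the result with show telnet, show ssh and show management-access before testing from the remote side.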
04-03-2006 11:43 AM
Hi Patrick, in my above scenario, when I have a site-to-site VPN from the PIX outside interface to a router, IPSec works fine. Here I am telnetting from the router connected to the PIX outside interface. What should the management interface be here? Should it be management-access outside or inside? Please help. Thank you, waiting for your reply.
sebastan
04-03-2006 05:41 PM
It should be any inside interface but not the outside one.
hope that helps
Patrick
04-03-2006 08:11 PM
Hi Patrick, can you tell me when we would use the management-access outside command, and how management-access inside will work in my case when I am using a site-to-site VPN and not a remote-access VPN? Is telnet possible with a site-to-site VPN terminating on the outside? Thanks once again. Waiting for your reply, see ya
sebastan