cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
325
Views
0
Helpful
9
Replies

Can´t manage the pix from the my site to remote side

Hello,

what or better how should I set up a pix 501 to manage the remote pix over telnet or pdm ?

can someone give me an advice or a sample config `

What I found in the web did not help me out.

Regards

Kai

1 Accepted Solution

Accepted Solutions

pix outside interface doesn't support telnet at all. the option is to configure ssh.

e.g.

hostname yourcompanypix

domain-name yourcompany.com.au

ca generate rsa key 1024

ca save all

ssh outside

in order to establish a ssh session to the pix outside interface, a ssh client is required such as putty.

putty is a freeware and it can be downloaded from:

http://www.putty.nl/download.html

View solution in original post

9 Replies 9

jackko
Level 7
Level 7

without ipsec vpn between the two sites, telnet is not feasible. pix only accepts ssh to the outside interface.

e.g.

hostname pix

domain-name yourcompany.com

ca generate rsa key 1024

ca save all

ssh outside

to access the pix via pdm,

e.g.

http server enable

http outside

then you access the pix via pdm by url https:// with blank username and enable password.

providing there is an ipsec vpn between the two sites, you can telnet to the remote pix inside interface.

e.g.

management-access inside

telnet

inside

Here is my config, maybe this could be helpful:

PIX Version 6.3(4)

access-list 130 permit ip 192.168.45.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list 100 permit ip 192.168.45.0 255.255.255.0 192.168.0.0 255.255.0.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 80.80.80.10 255.255.255.248

ip address inside 192.168.45.2 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.8.224 255.255.255.224 inside

pdm logging warnings 500

pdm history enable

arp timeout 14400

global (outside) 1 80.80.80.11

route outside 0.0.0.0 0.0.0.0 80.80.80.9 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.8.224 255.255.255.224 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set set-3des esp-3des esp-md5-hmac

crypto map mytrans 30 ipsec-isakmp

crypto map mytrans 30 match address 130

crypto map mytrans 30 set peer 123.123.123.123

crypto map mytrans 30 set transform-set set-3des

crypto map mytrans interface outside

isakmp enable outside

isakmp key ******** address 123.123.123.123 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 3600

telnet 192.168.8.224 255.255.255.224 inside

telnet timeout 5

ssh timeout 5

management-access outside

console timeout 0

terminal width 80

regards

Kai

just wondering if you may advise how would you prefer to manage the pix at the remote site.

No, no,

I ´ve entered other IP adresses to post the config in here and I forgot to enter the ip addresses for the inside.

It´s only the thing to manage this pix from the lan 192.168.8.0 over an IPSEC tunnel

net a <--> pix a <--> www/vpn <--> pix b <--> net b

e.g. host from net a to access pix b over ipsec, on pix b:

telnet inside

management-access inside

OK then this works.

but is this also possible from outside e.g. via telnet to the external ip address of the remote pix ?

like telnet net a net a mask outside

management-access outside

pix outside interface doesn't support telnet at all. the option is to configure ssh.

e.g.

hostname yourcompanypix

domain-name yourcompany.com.au

ca generate rsa key 1024

ca save all

ssh outside

in order to establish a ssh session to the pix outside interface, a ssh client is required such as putty.

putty is a freeware and it can be downloaded from:

http://www.putty.nl/download.html

I will try it with ssh.

something for me is strange. I can imagine that the pix does not support telnet over the outside interface.

but I got 3 pix to which i´m able to connect over the outside address with telnet not via ssh.

could this be possible e.g. with an old IOS release ?

Ok then,

it runs from internal site over telnet and over external with ssh.

Thanks for your help !

Kai

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: