Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Easy VPN PIX 501 and telnet

CCO shows ---

When the Easy VPN Remote connects to a headend device, there are a minimum of five security associations (SAs), including one Internet Key Exchange (IKE) and four IPSec associations. When the Easy VPN Remote connects to the headend, it always negotiates two IPSec SAs with the IP address of the PIX outside interface to any address behind the VPN server. This may be used for management purposes to connect to the PIX outside interface from the network behind the IOS router (either via Secure Shell (SSH) or Secure HTTP for PIX Device Manager (PDM) usage or Telnet).

Pix docs for telnet say you can use the outside interface only if you have at least crypto map set up.

Do I need to do a just a "crypto map name 10 ipsec-isakmp" and then a telnet x.x.x.x outside to manage the pix?

Anyone that has done this, I would appreciate any help.


Cisco Employee

Re: Easy VPN PIX 501 and telnet

As you're aware, you cna only telnet to the PIX outside interface if you come in over a VPN tunnel. The telnet docs are probably a bit outdated and need to be revised since EzVPN has come along, since with EzVPN it pretty much does all that for you. When an EzVPN tunnel is created, two tunnels are created, one to the PIX inside subnet, and one to the PIX outside interface. Because of this second tunnel, you should then be able to telnet to the PIX outside interface from the other remote subnet. all you should need in the PIX is:

> telnet x.x.x.x outside

For security's sake, just add the network behind the other device into the telnet command, don't make it, it's just that little bit more secure.

CreatePlease to create content