Cisco Support Community

New Member
Error when telnet/PDM from VPN tunnel to inside management IP

Hi,

Hoping someone has the answer to this...

When I connect from the Internet to the PIX using an IPSec tunnel, I can access all internal hosts and services. However, I am unable to manage the PIX.

If I telnet, I get this error:

telnet 192.168.1.1

Connecting To 192.168.1.1...Could not open connection to the host, on port 23.

No connection could be made because the target machine actively refused it.

The PIX is running 6.3(1) and has the "management-access inside" command.

Thanks

8 REPLIES
Gold

Re: Error when telnet/PDM from VPN tunnel to inside management IP

Hello Pierre,

Please read the following document on Telnet access via IPSec for PIX v6.3 - Hope this helps - Jay.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ae.html#1025921

New Member

Re: Error when telnet/PDM from VPN tunnel to inside management IP

Thanks Jay,

I am familiar with the command reference but I am not understanding what exactly I need to do to enable this. I added the IP pool subnet that is assigned to VPN clients but it still does not work. I also tried telnet with the outside IP address of the pix and it does not work either.

What am I missing?

Pierre

Silver

Re: Error when telnet/PDM from VPN tunnel to inside management IP

Can you post your telnet lines from your pix config?

New Member

Re: Error when telnet/PDM from VPN tunnel to inside management IP

As of right now, the running configuration is as follows... I included the relevant VPN commands as well.

access-list acl_crypto permit ip any 10.1.1.0 255.255.255.224
access-list acl_split_tunnel permit ip 192.168.1.0 255.255.255.0 any
access-list acl_no_nat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.224
ip local pool vpnpool 10.1.1.1-10.1.1.10
nat (inside) 0 access-list acl_no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address acl_crypto
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxxxxxxxx address-pool vpnpool
vpngroup xxxxxxxxx dns-server 192.168.1.41
vpngroup xxxxxxxxx default-domain xxxxxxxxxxxxxx.com
vpngroup xxxxxxxxx split-tunnel acl_split_tunnel
vpngroup xxxxxxxxx split-dns xxxxxxxxxxxxxx.com
vpngroup xxxxxxxxx idle-time 1800
vpngroup xxxxxxxxx password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
management-access inside

Thanks!

Silver

Re: Error when telnet/PDM from VPN tunnel to inside management IP

You might need to add a telnet line for the netblock you are connecting from :

If you are connecting from 1.2.3.4/24, via the outside interface:

telnet 1.2.3.0 255.255.255.0 outside

New Member

Re: Error when telnet/PDM from VPN tunnel to inside management IP

Well, I never know where I will be connecting from because it is usually on dial-up. However, I do know that it's through VPN (10.1.1.0/27). And I did add "telnet 10.1.1.0 255.255.255.224 outside" but that did not help.

Maybe I should open a TAC case?

Cisco Employee

Re: Error when telnet/PDM from VPN tunnel to inside management IP

To the PIX the telnet connection looks like it comes from the IP pool on the inside interface, so you have to add the command:

> telnet 10.1.1.0 255.255.255.224 inside

> management-access inside

for this to work. I just tried it on my lab PIX and it works fine.
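The rule the thread arrives at (VPN-client traffic reaching the box through management-access is matched against the permit lines of the inside interface, so the pool must be permitted on inside, not outside) is easy to get wrong when reading a config by eye. The following checker is an added example, not code from the thread or from Cisco: it parses the `ip local pool`, `management-access` and `telnet`/`ssh`/`http` lines of a PIX 6.x config, reports whether every pool address is permitted on the management-access interface, flags permit lines that name the wrong interface, and proposes the missing line. The embedded config is constructed from the lines posted above plus the `outside` line the poster tried; the pool name `vpnpool` and the group name `remoteusers` are taken from or substituted for the thread's values.

```python
"""Check a PIX 6.x config for management reachability from an IPsec client pool.

Added example, not from the thread or from Cisco. Rule encoded: a VPN client that
reaches the firewall via `management-access <if>` must be permitted by a
telnet/ssh/http line on that same interface, covering the whole client pool.
"""
import ipaddress
import re

# Constructed sample: the VPN/management lines posted in the thread, plus the
# "outside" permit line the poster tried. The working "inside" line is absent.
SAMPLE_CONFIG = """\
ip local pool vpnpool 10.1.1.1-10.1.1.10
vpngroup remoteusers address-pool vpnpool
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.224 outside
telnet timeout 5
management-access inside
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
POOL_RE = re.compile(rf"^ip local pool (\S+) {IPV4}-{IPV4}$")
ACCESS_RE = re.compile(rf"^(telnet|ssh|http) {IPV4} {IPV4} (\S+)$")  # skips "telnet timeout 5"
MGMT_RE = re.compile(r"^management-access (\S+)$")


def parse_pools(config):
    """Return {pool_name: (first_address, last_address)} from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
    return pools


def parse_access_lines(config):
    """Return [(protocol, network, interface)] for telnet/ssh/http permit lines."""
    rules = []
    for line in config.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            net = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
            rules.append((m.group(1), net, m.group(4)))
    return rules


def parse_mgmt_interface(config):
    """Return the interface named by 'management-access', or None if absent."""
    for line in config.splitlines():
        m = MGMT_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def covering_prefix(first, last):
    """Smallest single IPv4 prefix containing every address in first..last."""
    for plen in range(32, -1, -1):  # /0 always matches, so this always returns
        net = ipaddress.IPv4Network(f"{first}/{plen}", strict=False)
        if last in net:
            return net


def check_pool_access(config, protocol="telnet"):
    """For each client pool, say whether `protocol` from every pool address is
    permitted on the management-access interface, list permit lines for the
    pool that name some other interface (they do nothing for VPN clients), and
    propose the missing permit line. The thread's fix used /27; any prefix that
    covers the pool works, this proposes the tightest one."""
    mgmt_if = parse_mgmt_interface(config)
    rules = [(net, iface) for proto, net, iface in parse_access_lines(config)
             if proto == protocol]
    report = {}
    for name, (first, last) in parse_pools(config).items():
        addrs = [ipaddress.IPv4Address(a) for a in range(int(first), int(last) + 1)]
        on_mgmt_if = [net for net, iface in rules if iface == mgmt_if]
        wrong_if = [f"{protocol} {net.network_address} {net.netmask} {iface}"
                    for net, iface in rules
                    if iface != mgmt_if and any(a in net for a in addrs)]
        uncovered = [a for a in addrs if not any(a in net for net in on_mgmt_if)]
        fix = None
        if mgmt_if is None:
            fix = "management-access <interface> is not configured"
        elif uncovered:
            net = covering_prefix(first, last)
            fix = f"{protocol} {net.network_address} {net.netmask} {mgmt_if}"
        report[name] = {
            "management_interface": mgmt_if,
            "covered": mgmt_if is not None and not uncovered,
            "wrong_interface_lines": wrong_if,
            "fix": fix,
        }
    return report


if __name__ == "__main__":
    for pool, result in check_pool_access(SAMPLE_CONFIG).items():
        print(pool, result)
```

Run against the sample, the checker reports that `telnet 10.1.1.0 255.255.255.224 outside` does nothing for VPN clients and that `telnet 10.1.1.0 255.255.255.240 inside` is the missing line; rerun with `protocol="ssh"` or `"http"` to get the equivalent `ssh`/`http` lines, since PDM needs `http server enable` plus an `http <net> <mask> inside` line in the same way, and SSH is the better choice than Telnet wherever the client supports it.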

New Member

Re: Error when telnet/PDM from VPN tunnel to inside management IP

Just did that and it worked. Thanks a lot!
