Telnet to inside Interface through the VPN

dante-martins
Level 1

How can I telnet to the PIX inside interface from the VPN (i.e. from 10.128.128.0 telnet to 172.16.3.252)?

I have tried using the telnet command:

"telnet 10.128.128.0 255.255.224.0 inside", but it is still not working.

Can you help me?

Dante

Follow-up: I've included the configs:

CONF MAIN PIX

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password *********** encrypted
passwd ********** encrypted
hostname MAIN
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0 255.255.255.0
access-list 102 permit ip 10.128.128.0 255.255.224.0 192.168.3.0 255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.250.1.0 255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.249.0.0 255.255.240.0
access-list 104 permit ip 10.128.128.0 255.255.224.0 10.250.11.0 255.255.255.0
access-list 105 permit ip 10.128.128.0 255.255.224.0 10.250.95.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 200.219.100.2 255.255.255.0
ip address inside 10.128.159.253 255.255.224.0
ip address DMZ1 10.255.255.254 255.255.224.0
ip address intf3 10.250.11.254 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 200.219.100.100-200.219.100.199
global (outside) 1 200.219.100.200
global (DMZ1) 1 10.255.224.10-10.255.224.70
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 200.219.100.26 10.255.224.3 255.255.255.255
alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255
alias (inside) 200.219.100.31 10.255.224.9 255.255.255.255
alias (inside) 200.219.100.54 10.255.224.4 255.255.255.255
static (inside,outside) 200.219.100.26 10.128.128.26 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.30 10.128.128.30 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.31 10.128.128.32 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.54 10.128.128.54 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 200.219.100.30 eq www any
conduit permit tcp host 200.219.100.30 eq domain any
conduit permit udp host 200.219.100.30 eq domain any
conduit permit tcp host 200.219.100.31 eq www any
conduit permit tcp host 200.219.100.31 eq domain any
conduit permit udp host 200.219.100.31 eq domain any
conduit permit tcp host 200.219.100.26 eq 161 any
conduit permit tcp host 200.219.100.26 eq 162 any
conduit permit udp host 200.219.100.26 eq snmp any
conduit permit udp host 200.219.100.26 eq snmptrap any
conduit permit tcp host 200.219.100.54 eq domain any
conduit permit udp host 200.219.100.54 eq domain any
conduit permit tcp host 200.219.100.54 eq 22 any
route outside 0.0.0.0 0.0.0.0 200.219.100.1 1
route outside 10.0.64.0 255.255.224.0 10.128.159.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host inside 10.128.128.21
snmp-server location mainsite
snmp-server contact support@mainsite
snmp-server community pixpix
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map cmap 1 ipsec-isakmp
crypto map cmap 1 match address 101
crypto map cmap 1 set peer 200.200.100.2
crypto map cmap 1 set transform-set strong
crypto map cmap 2 ipsec-isakmp
crypto map cmap 2 match address 102
crypto map cmap 2 set peer 200.200.111.2
crypto map cmap 2 set transform-set strong
crypto map cmap 3 ipsec-isakmp
crypto map cmap 3 match address 103
crypto map cmap 3 set peer 200.200.222.2
crypto map cmap 3 set transform-set strong
crypto map cmap 4 ipsec-isakmp
crypto map cmap 4 match address 104
crypto map cmap 4 set peer 200.202.202.2
crypto map cmap 4 set transform-set strong
crypto map cmap 5 ipsec-isakmp
crypto map cmap 5 match address 105
crypto map cmap 5 set peer 205.205.205.2
crypto map cmap 5 set transform-set strong
crypto map cmap interface outside
isakmp enable outside
isakmp key ******** address 200.200.100.2 netmask 255.255.255.255
isakmp key ******** address 200.219.100.4 netmask 255.255.255.255
isakmp key ******** address 200.200.111.2 netmask 255.255.255.255
isakmp key ******** address 200.200.222.2 netmask 255.255.255.255
isakmp key ******** address 200.202.202.2 netmask 255.255.255.255
isakmp key ******** address 205.205.205.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600
telnet 10.128.128.0 255.255.224.0 inside
telnet 10.128.128.0 255.255.224.0 DMZ1
telnet timeout 5
ssh timeout 5

CONF of office1 PIX:

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************** encrypted
passwd *********** encrypted
hostname office1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 102 permit ip 172.16.0.0 255.255.0.0 10.128.128.0 255.255.224.0
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 200.200.100.2 255.255.255.240
ip address inside 172.16.3.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 200.200.100.3-200.200.100.10
global (outside) 1 200.200.100.11
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
static (inside,outside) 200.200.100.12 172.16.3.25 netmask 255.255.255.255 0 0
conduit permit gre any any
conduit permit icmp any any
conduit permit udp host 211.211.211.251 eq domain any
conduit permit tcp host 211.211.211.251 eq domain any
conduit permit tcp host 211.211.211.251 eq smtp any
conduit permit udp host 211.211.211.251 eq 25 any
conduit permit tcp host 200.200.100.12 eq domain any
conduit permit udp host 200.200.100.12 eq domain any
conduit permit tcp host 200.200.100.12 eq smtp any
conduit permit udp host 200.219.100.26 eq snmp any
conduit permit udp host 200.219.100.26 eq snmptrap any
route outside 0.0.0.0 0.0.0.0 200.200.100.1 1
route inside 172.16.15.0 255.255.255.0 172.16.3.254 1
route inside 172.17.0.0 255.255.0.0 172.16.3.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host outside 200.219.100.26
snmp-server location "Office1"
snmp-server contact support@office1
snmp-server community pixpix
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map cmap 10 ipsec-isakmp
crypto map cmap 10 match address 101
crypto map cmap 10 set peer 200.200.111.2
crypto map cmap 10 set transform-set strong
crypto map cmap 20 ipsec-isakmp
crypto map cmap 20 match address 102
crypto map cmap 20 set peer 200.219.100.2
crypto map cmap interface outside
isakmp enable outside
isakmp key ******** address 200.200.111.2 netmask 255.255.255.255
isakmp key ******** address 200.219.100.2 netmask 255.255.255.255
isakmp key ******** address 200.200.100.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600
telnet 172.16.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80

3 Replies

shabib.syed
Level 1

There is probably a better way, but I can tell you what I do. If you have a machine on the inside network, like a Unix box or a router, give that machine telnet access to the PIX. Then when you VPN in, you will definitely be able to telnet to that inside machine, and from there you can telnet to the inside interface.

Hope this helps.

pdentico
Level 1

I use SSH on the outside interface. You use the command exactly like the telnet command, for example: ssh x.x.x.x 255.255.255.255 outside. Be careful with what addresses you allow to connect.

There are 2 caveats, however: you have to have 3DES enabled and you need to generate an RSA key.

Although officially you cannot telnet to the outside, with VPN you can, so your telnet command will be applied to the outside. Then you must change your ACLs to permit the other inside network to the outside IP of the PIX, and vice versa on the other side.
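As an added example (not from the thread, and not Cisco's own tooling): a small Python audit that parses the `telnet`/`ssh` access lines and the crypto ACLs of a PIX 6.x config and checks the two points the replies make, namely which sources may open a management session on which interface (and whether any line is wide open) and whether the crypto ACLs on the two peers mirror each other for a given flow. The sample input is the relevant lines of the MAIN and office1 configs posted above; the `OFFICE1_FIXED` and `MAIN_FIXED` additions are an assumption of what pdentico's advice would add, not configuration from the thread.

```python
# Added example (not from the thread): audit PIX 6.x telnet/ssh access lines and
# crypto ACLs, using lines from the MAIN and office1 configs posted above as input.
import ipaddress
import re

MGMT_RE = re.compile(r"^(telnet|ssh)\s+([\d.]+)\s+([\d.]+)\s+(\S+)$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)$")

def parse(config):
    """Return ({(proto, ifname): [nets]}, {acl_id: [(src_net, dst_net)]})."""
    mgmt, acls = {}, {}
    for line in config.splitlines():
        m = MGMT_RE.match(line.strip())
        if m:  # 'telnet timeout 5' has too few address fields to match here
            proto, a, mask, ifname = m.groups()
            mgmt.setdefault((proto, ifname), []).append(ipaddress.ip_network(f"{a}/{mask}", strict=False))
        m = ACL_RE.match(line.strip())
        if m:
            acl_id, sa, sm, da, dm = m.groups()
            acls.setdefault(acl_id, []).append((ipaddress.ip_network(f"{sa}/{sm}", strict=False),
                                                ipaddress.ip_network(f"{da}/{dm}", strict=False)))
    return mgmt, acls

def mgmt_allowed(mgmt, proto, ifname, src_ip):
    src = ipaddress.ip_address(src_ip)
    return any(src in n for n in mgmt.get((proto, ifname), []))

def wide_open(mgmt):  # management lines that admit any source (0.0.0.0 0.0.0.0)
    return sorted(k for k, nets in mgmt.items() if any(n.prefixlen == 0 for n in nets))

def acl_selects(acl, src_ip, dst_ip):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in acl)

def tunnel_mirrored(local_acl, peer_acl, src_ip, dst_ip):
    """Both peers select the flow only if local has src->dst and the peer has dst->src."""
    return acl_selects(local_acl, src_ip, dst_ip) and acl_selects(peer_acl, dst_ip, src_ip)

MAIN = """access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0 255.255.255.0
telnet 10.128.128.0 255.255.224.0 inside
"""
OFFICE1 = """access-list 102 permit ip 172.16.0.0 255.255.0.0 10.128.128.0 255.255.224.0
telnet 172.16.3.0 255.255.255.0 inside
"""
# Assumed additions following pdentico's reply (not in the thread): admit the MAIN inside
# network on office1's outside interface and extend both crypto ACLs to that outside IP.
OFFICE1_FIXED = OFFICE1 + """telnet 10.128.128.0 255.255.224.0 outside
access-list 102 permit ip 200.200.100.2 255.255.255.255 10.128.128.0 255.255.224.0
"""
MAIN_FIXED = MAIN + "access-list 101 permit ip 10.128.128.0 255.255.224.0 200.200.100.2 255.255.255.255\n"
```

Running `wide_open` over a full config is the quick check for pdentico's warning about which addresses you allow to connect.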