Cisco Support Community

New Member

two questions VPN IP & Telnet access

Hi Everyone,

My first question is what IP will clients get if they VPN to the network. The clients are running the Cisco Secure client and tunnel to a PIX 506E with the configuration listed below. Can I specify a scope or pool of IPs that the clients get when they make a VPN connection to the network?

The second issue is I am unable to get remote telnet or SSH access from the outside interface. As you will see in the config I have enabled both of those services to a specific IP. This IP is statically assigned to me by my ISP on my cable modem. I would like to be able to access the firewall from my home for administration. I would like to use SSH for the enhanced security but cannot get either option to work. Telnet times out without ever making a connection. I am using PuTTY as an SSH client; it seems to connect but the authentication fails. I have tried using root and admin as the user name and have tried both the telnet and enable passwords. I know the passwords are correct as I can log in from the inside interface.

Here is a copy of the config file. Any suggestions would be appreciated:

Building configuration...

: Saved


PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxx encrypted

passwd xxxxxxxxx encrypted

hostname fw1


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


name Rob

name Phone_System

name ILX

access-list outside_access_in permit tcp any range 8194 8294 host

access-list outside_access_in permit tcp any range 1025 6000 host

access-list outside_access_in permit udp any range 48129 48192 host

access-list outside_access_in permit tcp host ILX eq 11112 any

access-list outside_access_in permit tcp host ILX eq 11114 any

access-list outside_access_in permit tcp host ILX eq www any

access-list outside_access_in permit udp host ILX any

access-list outside_access_in permit tcp any eq 5566 host eq 5566

access-list outside_access_in permit udp any range 5004 5005 host range 5004 5005

access-list outside_access_in permit udp any eq 5567 host eq 5567

pager lines 24

logging on

logging buffered warnings

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm location inside

pdm location inside

pdm location 66.189.xx.xx outside

pdm location Rob inside

pdm location ILX outside

pdm location 66.189.xx.xx outside

pdm history enable

arp timeout 14400

global (outside) 2 netmask

global (outside) 1 interface

nat (inside) 1 0 0

static (inside,outside) udp 4900 4900 netmask 0 0

static (inside,outside) udp 5960 5960 netmask 0 0

static (inside,outside) Rob netmask 0 0

static (inside,outside) Phone_System netmask 0 0

access-group outside_access_in in interface outside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http outside

http Phone_System inside

http inside

no snmp-server location

no snmp-server contact

snmp-server community 2d2d2d

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt ipsec pl-compatible

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map cisco 1 set transform-set myset

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

isakmp enable outside

isakmp key ******** address netmask

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 1000

telnet 66.189.xx.x outside (the complete IP is in the actual config)

telnet inside

telnet timeout 5

ssh 66.189.xx.xx outside

ssh inside

ssh timeout 5

dhcpd address inside

dhcpd dns

dhcpd lease 259200

dhcpd ping_timeout 750

dhcpd domain

dhcpd auto_config outside

dhcpd enable inside

terminal width 80


: end


Cisco Employee

Re: two questions VPN IP & Telnet access

You can define a pool using the following command:

ip local pool ippool

And then assign the pool to the client settings depending on what client software you are using. The following link has a sample configuration for this:

It is not possible to telnet to the outside interface of the pix unless you are going through IPSEC. For SSH the username by default is pix and password is the telnet password.

hope this helps,
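
Added example, not part of the original reply or of the Cisco sample it links to: a PIX 6.x fragment that defines a local pool and hands it to IPsec clients on the poster's existing dyn-map crypto map. The pool range 192.168.50.1-192.168.50.50 and the inside network 192.168.1.0/24 are constructed placeholders, and the group name vpnusers is hypothetical.

```text
: Constructed values (assumptions): pool 192.168.50.1-192.168.50.50, inside LAN 192.168.1.0/24
ip local pool ippool 192.168.50.1-192.168.50.50

: Exempt LAN-to-pool traffic from NAT so replies to tunnelled clients
: are not translated by the existing "nat (inside) 1 0 0"
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat

: Cisco Secure VPN Client 1.x: assign addresses through IKE mode config
: on the crypto map already bound to the outside interface
isakmp client configuration address-pool local ippool outside
crypto map dyn-map client configuration address initiate
crypto map dyn-map client configuration address respond

: Cisco VPN Client 3.x instead: bind the pool to a VPN group
: (group name "vpnusers" is hypothetical)
vpngroup vpnusers address-pool ippool
```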