Cisco Support Community
Community Member

Trying to enable TELNET traffic thru VPN router and PIX?

Hi,

I had just setup a peer-to-peer VPN with our vendor. What I'm trying to accomplish is for them to establish a telnet session from their end to our internal host system. We do establish the vpn tunnel, but telnet to our internal system is refused.

On my VPN router, I am only using one ethernet interface configured into 2 sub-interfaces, this is plugged into a catalyst switch. The outside interface of our Internal PIX firewall is also plugged into the same switch as the VPN router. Our internal host system resides on the inside interface of the PIX firewall. (My VPN router is also behind an external firewall, but this is irrelevant since tunnel has already been established).

Imitation IPs used:

Vendor is trying to telnet from their source 200.2.2.2 to destination 200.0.0.55

On my VPN router, I NAT'd 200.0.0.55 to 10.0.0.55 (outside interface range on the internal PIX)

Within the PIX firewall, I NAT'd 10.0.0.55 to the internal host IP 10.10.10.10

Here is my sample configuration:

*************

1711 Router

*************

interface FastEthernet0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0.1
 encapsulation dot1Q 2
 ip address 200.0.0.1 255.255.255.0
 ip access-group outside in
 ip nat outside
!
interface FastEthernet0.2
 encapsulation dot1Q 1 native
 ip address 10.0.0.1 255.255.255.0
 ip access-group inside in
 ip nat inside
!
ip nat inside source static 10.0.0.55 200.0.0.55
!
ip access-list extended inside
 permit ip any any
ip access-list extended outside
 permit ip any any

**********END***************************

I receive hits on the routers ACLs

*************

PIX Firewall

*************

access-list acl_outside permit tcp host 200.2.2.2 gt 1023 host 10.0.0.55 eq telnet
static (inside,outside) 10.0.0.55 10.10.10.10 netmask 255.255.255.255 0 0
route outside 200.2.2.2 255.255.255.255 10.0.0.1

**********END***************************

I do not receive any hits on the PIX acl.

The Catalyst switch has a default VLAN of 1 for all ports. I created VLAN 2 to accommodate the VPN router's VLAN tags, then on the port where the VPN router is plugged in, I entered 'switchport mode trunk'. Not sure if this will work or not.

I also added a host route on our internal host system to vendor's source IP 200.2.2.2

Any help would very much be appreciated!

Thank you,

Lee

2 REPLIES
Gold

Re: Trying to enable TELNET traffic thru VPN router and PIX?

You mentioned "I receive hits on the routers ACLs" and "I do not receive any hits on the PIX acl". The issue may be related to the PIX inbound ACL source IP. The current ACL has 200.2.2.2 as the source IP, and it seems to be a public IP. Most of the time the traffic will traverse the VPN with the private/original IP.

To verify, configure the capture command on the PIX:

access-list telnet permit tcp any any eq 23
capture telnet access-list telnet interface outside

Use "show capture telnet" to view the output.

Community Member

Re: Trying to enable TELNET traffic thru VPN router and PIX?

I probably shouldn't have used a public IP as my example; I wasn't thinking. They're actually using a private IP range (src. and dest.), but thank you very much for your input. I will use this as part of my troubleshooting.

Thanks,

Lee
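The NAT and ACL path the thread describes, traced in code as an added example (this is not code from the original post or from either poster). It feeds the vendor's telnet SYN through the router's static NAT, then the PIX outside ACL, then the PIX static, to show why a packet can be counted on the router ACLs yet produce no hits on the PIX ACL when the source address inside the tunnel is not the one written in the ACE. The IOS and PIX lines are copied from the post and the addresses are the thread's "imitation IPs"; the private source 192.168.50.20 is a constructed stand-in for the vendor's real private range, which the thread does not give. The parser only understands the small command subset used here; it is not a general IOS/PIX config parser.

```python
"""Trace a packet through: IOS static NAT -> PIX outside ACL -> PIX static.
Added example; parses only the command forms that appear in the thread."""
import dataclasses
import ipaddress
import re

# Copied from the original post (only the lines the trace needs).
IOS_CONFIG = """\
interface FastEthernet0.1
 encapsulation dot1Q 2
 ip address 200.0.0.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0.2
 encapsulation dot1Q 1 native
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.0.0.55 200.0.0.55
"""

PIX_CONFIG = """\
access-list acl_outside permit tcp host 200.2.2.2 gt 1023 host 10.0.0.55 eq telnet
static (inside,outside) 10.0.0.55 10.10.10.10 netmask 255.255.255.255 0 0
"""

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}


@dataclasses.dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def ios_static_nat(config, pkt):
    """Outside->inside on the router: 'ip nat inside source static LOCAL GLOBAL'
    rewrites a destination of GLOBAL to LOCAL."""
    for line in config.splitlines():
        m = re.match(r"ip nat inside source static (\S+) (\S+)", line.strip())
        if m and pkt.dst == m.group(2):
            return dataclasses.replace(pkt, dst=m.group(1))
    return pkt


def pix_static_nat(config, pkt):
    """PIX 'static (inside,outside) GLOBAL LOCAL' rewrites destination GLOBAL to LOCAL."""
    for line in config.splitlines():
        m = re.match(r"static \(inside,outside\) (\S+) (\S+)", line.strip())
        if m and pkt.dst == m.group(1):
            return dataclasses.replace(pkt, dst=m.group(2))
    return pkt


def _addr(tok):
    """Consume 'any' | 'host A' | 'A MASK'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def _port(tok):
    """Consume an optional 'eq|gt|lt PORT'; return (predicate, remaining tokens)."""
    if tok and tok[0] in ("eq", "gt", "lt"):
        val = PORT_NAMES.get(tok[1]) or int(tok[1])
        ops = {"eq": lambda p: p == val, "gt": lambda p: p > val, "lt": lambda p: p < val}
        return ops[tok[0]], tok[2:]
    return (lambda p: True), tok


def pix_acl_lookup(config, name, pkt):
    """First-match evaluation of 'access-list NAME permit|deny PROTO SRC [op] DST [op]'.
    Returns (action, ace_text), or None when nothing matches (implicit deny)."""
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[:2] != ["access-list", name]:
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        if proto not in ("ip", pkt.proto):
            continue
        src, rest = _addr(rest)
        sp, rest = _port(rest)
        dst, rest = _addr(rest)
        dp, rest = _port(rest)
        if (ipaddress.ip_address(pkt.src) in src and sp(pkt.sport)
                and ipaddress.ip_address(pkt.dst) in dst and dp(pkt.dport)):
            return action, line.strip()
    return None


def trace(pkt, ios_cfg=IOS_CONFIG, pix_cfg=PIX_CONFIG, acl="acl_outside"):
    """Router static NAT, then the PIX outside ACL (PIX 6.x evaluates it against the
    pre-translation/global address, here 10.0.0.55), then the PIX static.
    Returns (verdict, packet as the PIX sees it)."""
    seen = ios_static_nat(ios_cfg, pkt)
    hit = pix_acl_lookup(pix_cfg, acl, seen)
    if hit is None or hit[0] != "permit":
        return (f"dropped: no permit ACE in {acl} for "
                f"{seen.src}:{seen.sport} -> {seen.dst}:{seen.dport}"), seen
    return f"delivered to {pix_static_nat(pix_cfg, seen).dst}", seen


if __name__ == "__main__":
    # 200.2.2.2 is the source written in the ACE; 192.168.50.20 is a constructed
    # private source standing in for the address actually carried inside the tunnel.
    for src in ("200.2.2.2", "192.168.50.20"):
        print(src, "->", trace(Packet(src, "200.0.0.55", 40000, 23))[0])
```

The same `pix_acl_lookup` can be pointed at the reply's `access-list telnet permit tcp any any eq 23` to confirm that the capture ACL matches regardless of source, which is exactly why the capture will show the real tunnel source when the restrictive `acl_outside` entry does not.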
