https://community.cisco.com/t5/network-security/pix-501telnet-access-from-wan-side/m-p/809236#M1007844 <HTML><HEAD></HEAD><BODY><P>I believe that in order for the Pix 501 to allow a telnet session to the Outside interface, that the traffic be IPSEC protected. </P><P></P><P>From the Pix 6.3 command reference guide, p404: "The telnet command lets you specify which hosts can access the PIX Firewall console with Telnet. You can enable Telnet to the PIX Firewall on all interfaces. However, the PIX Firewall enforces that all Telnet traffic to the outside interface be IPSec protected. Therefore, to enable Telnet session to the outside interface, configure IPSec on the outside interface to include IP traffic generated by the PIX Firewall and enable Telnet on the outside interface."</P><P></P><P>Since Telnet isn't secure, you might want to consider using SSH instead.</P><P></P><P>Carl</P></BODY></HTML> Mon, 09 Apr 2007 13:59:47 GMT 1cmerchant 2007-04-09T13:59:47Z https://community.cisco.com/t5/network-security/pix-501telnet-access-from-wan-side/m-p/809235#M1007841 <P>I want to access my pix firewall from internet with telnet . In front of my pix i have a modem.Modem has 192.168.2.1 and my pix wan interface has 192.168.2.2.I made port forwarding from my modem to pix for port 23 but it doesn't work.Here is my running-config. Thank for help.</P><P>Building configuration...</P><P>: Saved</P><P>:</P><P>PIX Version 6.3(5)</P><P>interface ethernet0 auto</P><P>interface ethernet1 100full</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>enable password xxx</P><P>passwd xxx</P><P>hostname DesatDenizli</P><P>domain-name desat.com</P><P>fixup protocol dns maximum-length 512</P><P>fixup protocol ftp 21</P><P>fixup protocol h323 h225 1720</P><P>fixup protocol h323 ras 1718-1719</P><P>fixup protocol http 80</P><P>fixup protocol rsh 514</P><P>fixup protocol rtsp 554</P><P>fixup protocol sip 5060</P><P>fixup protocol sip udp 5060</P><P>fixup protocol skinny 2000</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>fixup protocol tftp 69</P><P>names</P><P>access-list inside_access_in permit tcp any any eq pop3 </P><P>access-list inside_access_in permit tcp any any eq smtp </P><P>access-list inside_access_in permit tcp any any eq 3389 </P><P>access-list inside_access_in permit tcp any any eq 9080 </P><P>access-list inside_access_in permit tcp any any eq https </P><P>access-list inside_access_in permit udp any any eq 110 </P><P>access-list inside_access_in permit udp any any eq 25 </P><P>access-list inside_access_in permit udp any any eq 3389 </P><P>access-list inside_access_in permit udp any any eq 9080 </P><P>access-list inside_access_in permit udp any any eq 443 </P><P>access-list inside_access_in permit ip host 192.168.1.11 any </P><P>access-list inside_access_in permit ip host 192.168.1.15 any </P><P>access-list inside_access_in permit ip host 192.168.1.17 any </P><P>access-list inside_access_in permit ip host 192.168.1.18 any </P><P>access-list inside_access_in permit ip host 192.168.1.20 any </P><P>access-list inside_access_in permit ip host 192.168.1.21 any </P><P>access-list inside_access_in permit ip host 192.168.1.22 any </P><P>access-list inside_access_in permit ip host 192.168.1.24 any </P><P>access-list inside_access_in permit ip host 192.168.1.26 any </P><P>access-list inside_access_in permit ip host 192.168.1.27 any </P><P>access-list inside_access_in permit ip host 192.168.1.29 any </P><P>pager lines 24</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>ip address outside 192.168.2.2 255.255.255.0</P><P>ip address inside 192.168.1.1 255.255.255.0</P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>pdm location 192.168.1.22 255.255.255.255 inside</P><P>pdm history enable</P><P>arp timeout 14400</P><P>global (outside) 10 interface</P><P>access-group inside_access_in in interface inside</P><P>route outside 0.0.0.0 0.0.0.x.x.2.1 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00</P><P>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout sip-disconnect 0:02:00 sip-invite 0:03:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+ </P><P>aaa-server TACACS+ max-failed-attempts 3 </P><P>aaa-server TACACS+ deadtime 10 </P><P>aaa-server RADIUS protocol radius </P><P>aaa-server RADIUS max-failed-attempts 3 </P><P>aaa-server RADIUS deadtime 10 </P><P>aaa-server LOCAL protocol local </P><P>http server enable</P><P>http 192.168.1.22 255.255.255.255 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community netvizyon</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>telnet 0.0.0.0 0.0.0.0 outside</P><P>telnet 0.0.0.0 0.0.0.0 inside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>management-access inside</P><P>console timeout 0</P><P>dhcpd address 192.168.1.10-192.168.1.100 inside</P><P>dhcpd dns 213.243.1.40 213.243.1.42</P><P>dhcpd lease 3600</P><P>dhcpd ping_timeout 750</P><P>dhcpd enable inside</P><P>terminal width 80</P><P>Cryptochecksum:xxx</P><P>: end</P><P>[OK]</P><P></P><P></P> Mon, 11 Mar 2019 09:57:41 GMT https://community.cisco.com/t5/network-security/pix-501telnet-access-from-wan-side/m-p/809235#M1007841 ufuk-guler 2019-03-11T09:57:41Z https://community.cisco.com/t5/network-security/pix-501telnet-access-from-wan-side/m-p/809236#M1007844 <HTML><HEAD></HEAD><BODY><P>I believe that in order for the Pix 501 to allow a telnet session to the Outside interface, that the traffic be IPSEC protected. </P><P></P><P>From the Pix 6.3 command reference guide, p404: "The telnet command lets you specify which hosts can access the PIX Firewall console with Telnet. You can enable Telnet to the PIX Firewall on all interfaces. However, the PIX Firewall enforces that all Telnet traffic to the outside interface be IPSec protected. Therefore, to enable Telnet session to the outside interface, configure IPSec on the outside interface to include IP traffic generated by the PIX Firewall and enable Telnet on the outside interface."</P><P></P><P>Since Telnet isn't secure, you might want to consider using SSH instead.</P><P></P><P>Carl</P></BODY></HTML> Mon, 09 Apr 2007 13:59:47 GMT https://community.cisco.com/t5/network-security/pix-501telnet-access-from-wan-side/m-p/809236#M1007844 1cmerchant 2007-04-09T13:59:47Z https://community.cisco.com/t5/network-security/pix-501telnet-access-from-wan-side/m-p/809237#M1007845 <HTML><HEAD></HEAD><BODY><P>Is not possible unless is IPSec protected. Please check the link below:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1025921" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1025921</A></P><P></P><P>I recommend to use ssh instead, check the link:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026535" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026535</A></P><P></P><P>Hope it helps, </P><P></P><P>Franco Zamora</P><P></P></BODY></HTML> Tue, 10 Apr 2007 03:34:50 GMT https://community.cisco.com/t5/network-security/pix-501telnet-access-from-wan-side/m-p/809237#M1007845 fzamora 2007-04-10T03:34:50Z