PIX Telnet problem

wdelaney1
Level 1

I am able to telnet in via the VPN using the inside address. The question is how to make this happen without using the VPN tunnel! Would someone please take a look at the current config and tell me what I am missing.

I need to be able to telnet in and get through to the 192.168.1.10 host without a VPN connection. Is that possible?

Thanks,

access-list vpnacl permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit gre any any
access-list 101 permit tcp any host 66.0.0.0 eq ftp
access-list 101 permit tcp any host 66.0.0.0 eq ftp-data
access-list 101 permit tcp any host 66.0.0.0 eq www
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 192.168.1.10 eq telnet
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 66.0.0.0 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.29-192.168.1.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 0 access-list vpnacl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.35 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 192.168.1.10 telnet netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.0.0.0 1

12 Replies

scottmac
Level 10

PIX does not allow (untunneled) Telnet from the outside. There is no configuration to accomplish that.

Your best bet would be to set up and permit SSH from the outside if you really need to do this. Even with SSH, it's considered a security risk.

Most flavors of PIX IOS only support SSH v1, which has been compromised for a while now.

Tunneling is probably your best, safest way to go.

Good Luck

Scott

I thought so.

Thanks for the advice!

Will

PIX OS 7.x now supports SSH v2.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet0900aecd80225ae1.html

Indeed telnet is not allowed on the outside interface.

The serial console lets a single user configure the PIX Firewall, but often this is not convenient for a site with more than one administrator. PIX Firewall lets you access the console via Telnet from hosts on any internal interface. With IPSec configured, you can use Telnet to remotely administer the console of a PIX Firewall from lower security interfaces.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172797.html#wp1022109

sincerely

Patrick

Hi Patrick. I have configured a site-to-site VPN with a PIX and a router that is connected to the outside interface of the PIX. In the crypto ACL of the router it's a loopback interface IP address to the outside interface IP of the PIX. In the PIX crypto ACL I have the ACL with the outside interface IP to the loopback IP of the router. I have configured telnet on the outside interface on the PIX with the IP address of the loopback. IPsec works perfectly fine between the two. When I telnet from the router's loopback address to the outside of the PIX, it shows trying and open and then completely blank. The PIX is not asking for any password or anything. When I do show local-host on the PIX, I can see the telnet entry present there; also in the conn table it shows established.

Is my config right? What could be the problem? Can you please help me out. Waiting for your reply. See ya

regards

sebastan

Did you enable the telnet passwd command on your PIX?

Yes, I have enabled the password and even the enable password. On the router I can see the session maintained for the PIX and on the PIX I can see the connection entry as established. I really don't understand the problem. Then I configured telnet from the inside interface of the PIX. It worked perfectly fine without any issues. Can you please help me out. Thanks, waiting for your reply.

sebastan

Try this command: management-access inside or outside. telnet x.x.x.x 255.255.255.255 outside, or telnet x.x.x.0 255.255.255.0 outside. passwd cisco. Not sure if you need an access-list. Probably not.

Eric Boadu
Level 1

If you are trying to SSH into your PIX from outside, issue the ssh command on your PIX allowing your outside network address. Install PuTTY on your PC and try SSH from your outside network. If you are coming from multiple outside network addresses you must add those network addresses as well. Hope this helps.

To be able to access the PIX via a VPN tunnel you need to add the following command: management-access ....

;-)

See: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#wp1137951

management-access

Enables access to an internal management interface on the firewall.

[no] management-access mgmt_if

show management-access

Syntax Description

mgmt_if

The name of the firewall interface to be used as the internal management interface.

Defaults

None.

Command Modes

The management-access mgmt_if command is available in configuration mode.

The show management-access is available in privileged mode.

Usage Guidelines

The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)

In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:

• SNMP polls to the mgmt_if

• HTTPS requests to the mgmt_if

• PDM access to the mgmt_if

• Telnet access to the mgmt_if

• SSH access to the mgmt_if

• Ping to the mgmt_if

The show management-access command displays the firewall management access configuration.

Examples

The following example shows how to configure a firewall interface named "inside" as the management access interface:

pixfirewall(config)# management-access inside

pixfirewall(config)# show management-access

management-access inside

sincerely

Patrick
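The thread's advice boils down to a few checks on a PIX 6.x config: telnet to the firewall on the outside interface is only honoured through an IPsec tunnel (and is cleartext otherwise), telnet port-forwarded through a static to an inside host is also cleartext, and VPN management of the inside address needs management-access. The audit below is an added example written for this page, not code from the thread or from Cisco; the sample config is constructed from the poster's telnet-related lines plus hypothetical telnet, ssh and management-access lines so every check fires.

```python
import re

# Constructed sample: the poster's telnet-related lines plus hypothetical
# telnet/ssh lines (not from the thread) to exercise each check.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any host 66.0.0.0 eq www
access-list 101 permit tcp any host 192.168.1.10 eq telnet
access-group 101 in interface outside
static (inside,outside) tcp interface telnet 192.168.1.10 telnet netmask 255.255.255.255 0 0
telnet 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh 203.0.113.0 255.255.255.0 outside
"""

MGMT_RE = re.compile(r"^(telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")     # telnet/ssh <ip> <mask> <if>
STATIC_RE = re.compile(r"^static \(\S+,outside\) tcp \S+ telnet ")  # telnet port-forward
ACL_RE = re.compile(r"^access-list (\S+) permit tcp .* eq telnet$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")

def audit_pix_management(config_text):
    """Return (severity, message) findings about management-plane exposure."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []
    # ACLs bound inbound on the outside interface
    outside_acls = {m.group(1) for l in lines for m in [GROUP_RE.match(l)] if m}
    has_mgmt_access = any(l.startswith("management-access ") for l in lines)
    for l in lines:
        m = MGMT_RE.match(l)
        if m:
            proto, mask, iface = m.group(1), m.group(3), m.group(4)
            if proto == "telnet" and iface == "outside":
                # Only works inside an IPsec tunnel; cleartext credentials otherwise.
                findings.append(("high", f"telnet to firewall allowed on outside: {l}"))
            elif proto == "ssh" and mask == "0.0.0.0":
                findings.append(("medium", f"ssh open to any source: {l}"))
            continue
        if STATIC_RE.match(l):
            findings.append(("medium", f"cleartext telnet port-forwarded to inside host: {l}"))
            continue
        m = ACL_RE.match(l)
        if m and m.group(1) in outside_acls:
            findings.append(("medium", f"outside ACL permits telnet: {l}"))
    if not has_mgmt_access:
        findings.append(("info", "no management-access interface set; VPN peers cannot "
                                 "reach the inside address to manage the firewall"))
    return findings

if __name__ == "__main__":
    for severity, msg in audit_pix_management(SAMPLE_CONFIG):
        print(f"[{severity}] {msg}")
```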

Hi Patrick, in my above scenario, when I am having a site-to-site VPN from the PIX outside to a router, the IPsec works fine. Here I am telnetting from the router connected to the PIX outside interface. Here what should be the management interface? Should it be management interface outside or inside? Please help. Thank you, waiting for your reply.

sebastan

It should be any inside interface but not the outside one.

hope that helps

Patrick

Hi Patrick, can you tell me when we will use the management-access outside command, and how management-access inside will work in my case when I am using a site-to-site VPN and not a remote access VPN. Is telnet possible with a site-to-site VPN terminating on the outside? Thanks once again. Waiting for your reply, see ya

sebastan
