05-09-2007 04:40 AM - edited 03-11-2019 03:11 AM
How can I manage a remote firewall configured with a site-to-site VPN? Site A and site B have a site-to-site VPN. I am site A and would like to telnet into site B to change some ACLs but cannot get into it.
05-09-2007 09:04 AM
First of all I recommend that you do not use telnet to manage your firewall. SSH is significantly more secure and just as easy to use.
That said, there are two ways to accomplish what you want. One is to manage the firewall via the outside interface of firewall B.
Assuming that you have your authentication already set up, this would be as simple as applying the following configuration to firewall B.
ssh
If you have multiple possible source IPs or networks, you can expand the access with multiple such statements.
The second option would be for you to configure what Cisco refers to as management-access.
The management-access command allows you to configure one of your inside interfaces to receive management traffic. This traffic includes SNMP, ICMP, ASDM and telnet/SSH.
The following command configures a management interface:
management-access
The advantage of that setup is that all of your management traffic can traverse an existing VPN tunnel and the risk of sensitive information being exposed is minimized.
The drawback: you cannot reach your standby firewall should you run in active/standby mode.
Keep in mind that SSH access control has to be configured for the management interface as well. Assuming you configured management-access for the inside interface, you would have to issue the following:
ssh
Management access first appeared in 6.x I believe.
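The two options from the answer above written out as a full configuration for firewall B. This is an added example, not config from the original thread; it assumes PIX 7.x / ASA syntax and uses constructed addresses (192.0.2.0/24 as site A's inside network, 203.0.113.10 as site A's public address).

```cisco
! Added example, not from the original thread. Addresses are constructed:
!   192.0.2.0/24  = site A inside network (reaches site B through the tunnel)
!   203.0.113.10  = site A public (outside) address
!
! Common prerequisites: SSH instead of telnet, and an authentication source.
hostname fwB
domain-name example.net
crypto key generate rsa modulus 2048
ssh version 2
aaa authentication ssh console LOCAL
username admin password <set-a-strong-password> privilege 15
! No "telnet <ip> <mask> <interface>" lines at all: telnet stays disabled.

! Option 1: manage firewall B on its outside interface.
! Only site A's public address may open SSH to the outside interface.
ssh 203.0.113.10 255.255.255.255 outside
! Add one "ssh <ip> <mask> outside" line per additional trusted source.

! Option 2: manage firewall B on its inside interface across the VPN.
! management-access makes the inside interface accept SSH/ASDM/SNMP/ICMP
! that arrives through the IPsec tunnel, so management traffic is never
! exposed on the Internet outside the tunnel.
management-access inside
! SSH access control still has to be granted for the inside interface:
ssh 192.0.2.0 255.255.255.0 inside
! Caveat from the answer: in active/standby failover this reaches only the
! active unit; the standby unit is not reachable over the tunnel this way.

ssh timeout 10
```

Apply only the option you actually use; with option 2 the outside `ssh` line can be omitted so no management port is listening on the public interface.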
05-09-2007 09:32 AM
That worked perfectly!
Thanks