05-03-2005 09:10 AM - edited 02-21-2020 12:07 AM
Hi.
First, I would like to thank Cisco for giving me this great opportunity to ask the professionals.
My problem is that I can't telnet or run the PDM from outside the network, although it is through an IPsec tunnel as Cisco advises! I can telnet and run the PDM from the host I assigned inside the network.
So I need your help now.
Thanks
05-03-2005 09:23 AM
Hello,
Try configuring this command:
management-access mgmt_if
for example:
management-access inside
This allows PDM and telnet access to the PIX's inside interface while connecting over an IPsec VPN tunnel.
Reference:
Please let us know if that helped.
Mustafa
05-03-2005 12:30 PM
Hi,
I did configure it:
management-access outside. But it seems useless in my case. I don't think that I forgot a command in the configuration. I am really confused about it.
05-03-2005 12:54 PM
Sir,
Assuming your IKE and IPsec SAs are up and operational: tell me your IPsec endpoint setup, i.e. router to router, PIX to PIX, VPN client to router, or VPN client to PIX.
It seems to me that your crypto ACLs are incorrect. I had this same problem and it was the crypto ACLs (reversed if running Easy VPN server).
Define your IPsec endpoints for me and post your crypto ACLs. Also, let me know your public and private addresses on your PIX and the public addresses on the perimeter router (substitute fake addresses so you don't divulge actual routable addresses).
-Chris
05-03-2005 10:38 PM
Hi sir,
The IPsec tunnel is between a VPN client and the PIX, and I am trying to telnet to its outside interface. Here I'll paste the configuration I did to achieve that, but it didn't work:
access-list nonat permit ip 172.16.0.0 255.255.0.0 172.16.180.0 255.255.255.0
access-list Managment_interested_traffic permit ip A.B.C.D 255.255.255.240 any
access-list Managment_interested_traffic permit ip 172.16.8.0 255.255.255.0 any
nat (inside) 0 access-list nonat
ip address outside A.B.C.D+1 255.255.255.240
ip address inside 172.16.8.2 255.255.255.0
ip local pool managment_pool 172.16.180.1 mask 255.255.255.255
pdm location 172.16.180.0 255.255.255.0 outside
http server enable
http 172.16.180.1 255.255.255.255 outside
sysopt connection permit-ipsec
crypto ipsec transform-set Managment_set esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set Managment_set
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Managment address-pool managment_pool
vpngroup Managment dns-server *.*.*.*
vpngroup Managment default-domain ********.**
vpngroup Managment split-tunnel Managment_interested_traffic
vpngroup Managment idle-time 1800
vpngroup Managment password ********
telnet 172.16.180.1 255.255.255.255 outside
management-access outside
The IPsec tunnel is up, and I can ping the interfaces! Did I miss something?
Thanks
05-03-2005 11:39 PM
Hi,
To telnet to the outside interface of your PIX from an outside source IP address you'll need SSH access enabled. To do this:
1. Generate RSA keys first:
> in config mode: ca generate rsa key
2. Save the generated keys with:
> ca save all
You can check your new keys by issuing:
> show ca mypubkey rsa
Now, configure SSH access on the PIX by issuing:
> ssh public_source_ip 255.255.255.255 outside
* "public_source_ip" is the IP address you are connecting from with SSH.
You can download a free SSH client. I use PuTTY, which can be obtained freely; just type putty.exe on google.com.
Now, for your other question on running PDM via the IPsec tunnel, read the following URL:
I hope this helps, and please rate the post if it does help you.
Jay.
05-04-2005 01:20 PM
Sir,
As I originally thought, it is indeed your crypto/nonat ACLs. I configured an Easy VPN from a VPN client to a PIX in my lab. I could initiate a VPN tunnel from the VPN client to the PIX and telnet to the outside interface. Your crypto/nonat ACL has to state the outside address (host A.B.C.D) to your pool that gets pushed down between IKE Phase 1 and Phase 2 (config mode). You incorrectly listed the outside PIX address in your crypto/nonat ACL as a network address (A.B.C.D 255.255.255.240) instead of a host address. Your nonat ACL has to reflect the methodology I listed above. Attached is my exact PIX configuration:
Also, you DO NOT need to configure SSH; I did not use any additional software such as PuTTY to establish the telnet connection. Let me know how you make out.
05-05-2005 09:10 AM
Use SSH from outside the PIX.
SSH should be enabled by default.
ssh ip_address [netmask] [interface_name]
ssh 171.68.225.212 255.255.255.255 outside
The default PIX username is pix and the password is cisco.
Good luck
-Aman
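The SSH setup that Jay's and Aman's replies describe, assembled into one PIX 6.x configuration fragment. This is an added example, not configuration posted in the thread; the hostname, domain name, key size and the 203.0.113.10 administrator address are placeholders chosen here.

```text
! PIX 6.x: allow SSH to the outside interface from one administrator host
! (added example; hostname, domain, key size and addresses are placeholders)
hostname pixfw
domain-name example.com
! The RSA key pair is named from hostname + domain-name, so set both first
ca generate rsa key 1024
! Keys are only in RAM until saved; without 'ca save all' they vanish on reload
ca save all
show ca mypubkey rsa
! Permit SSH only from the specific public source address (host mask), not 0.0.0.0 0.0.0.0
ssh 203.0.113.10 255.255.255.255 outside
! Drop idle SSH sessions after 15 minutes
ssh timeout 15
! SSH and telnet share the login password set with 'passwd'; the SSH username is 'pix'
passwd ********
write memory
```

From the administrator host, connect with the fixed username (for example `ssh -l pix <pix_outside_ip>`) and supply the `passwd` value; `show ssh sessions` on the PIX lists the active connections.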