telnet to PIX outside interface

haithamsaif
Level 1

Hi,

First I would like to thank Cisco for giving me this great opportunity to ask the professionals.

My problem is that I can't telnet or run the PDM from outside the network, although it is through an IPsec tunnel as Cisco advises!! I can telnet and run the PDM from the host I assigned inside the network.

So, I need your help now.

Thanks

7 Replies

mhussein
Level 4

Hello,

Try configuring this command:

management-access mgmt_if

for example:

management-access inside

This allows PDM and telnet access to the PIX's inside interface while connecting over an IPsec VPN tunnel.

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#wp1137951

Please let us know if that helped.

Mustafa

Hi,

I did configure it:

management-access outside ... but it sounds useless in my case. I don't think that I forgot a command in the configuration. I'm really confused about it.

Ngcuser123
Level 1

Sir,

Assuming your IKE and IPsec SAs are up and operational: tell me your IPsec endpoint setup, i.e. router to router, PIX to PIX, VPN client to router, VPN client to PIX.

It seems to me that your crypto ACLs are incorrect. I had this same problem and it was the crypto ACLs (reverse if running Easy VPN server).

Define your IPsec endpoints for me and post your crypto ACLs. Also, let me know your public and private addresses on your PIX and public addresses on the perimeter router (substitute with fake addresses so you don't divulge actual routable addresses).

-Chris

Hi sir,

The IPsec tunnel is between a VPN client and the PIX; I am trying to telnet to its outside interface. Here I'll paste the configuration I did to achieve that, but it didn't work:

access-list nonat permit ip 172.16.0.0 255.255.0.0 172.16.180.0 255.255.255.0

access-list Managment_interested_traffic permit ip A.B.C.D 255.255.255.240 any

access-list Managment_interested_traffic permit ip 172.16.8.0 255.255.255.0 any

nat (inside) 0 access-list nonat

ip address outside A.B.C.D+1 255.255.255.240

ip address inside 172.16.8.2 255.255.255.0

ip local pool managment_pool 172.16.180.1 mask 255.255.255.255

pdm location 172.16.180.0 255.255.255.0 outside

http server enable

http 172.16.180.1 255.255.255.255 outside

sysopt connection permit-ipsec

crypto ipsec transform-set Managment_set esp-3des esp-md5-hmac

crypto dynamic-map cisco 1 set transform-set Managment_set

crypto map dyn-map 10 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup Managment address-pool managment_pool

vpngroup Managment dns-server *.*.*.*

vpngroup Managment default-domain ********.**

vpngroup Managment split-tunnel Managment_interested_traffic

vpngroup Managment idle-time 1800

vpngroup Managment password ********

telnet 172.16.180.1 255.255.255.255 outside

management-access outside

The IPsec tunnel is up! And I can ping the interfaces! Did I miss something?!

Thanks

Hi,

To telnet to the outside interface of your PIX from an outside source IP address you'll need SSH access enabled. To do this:

1. Generate RSA keys first:

> in config mode: ca generate rsa key -- use 1024

2. Save the generated keys with:

> ca save all

You can check your new keys by issuing:

> sho ca mypubkey rsa

Now, configure SSH access on the pix by issuing:

> ssh <public_source_ip> 255.255.255.255 outside

* where "public_source_ip" is the IP from which you are connecting with SSH.

You can download a free SSH client. I use PuTTY, which can be obtained freely; just type putty.exe on google.com.

Now for your other question on running PDM via the IPsec tunnel, read the following URL:

http://www.cisco.com/en/US/products/sw/netmgtsw/ps2032/products_configuration_example09186a0080094497.shtml

I hope this helps, and please rate the post if it does help you.

Jay.

Sir,

As I originally thought, it is indeed your crypto/nonat ACLs. I configured an Easy VPN from a VPN client to a PIX in my lab. I could initiate a VPN tunnel from the VPN client to the PIX and telnet to the outside interface. Your crypto/nonat ACL has to state the outside address (host A.B.C.D) to your pool that gets pushed down between IKE Phase 1 and Phase 2 (config mode). You incorrectly listed the outside PIX address in your crypto/nonat ACL as a network address (A.B.C.D 255.255.255.240) instead of a host address. Your nonat ACL has to reflect the methodology I listed above. Attached is my exact PIX configuration:

Also, you DO NOT need to configure SSH; I did not use any additional software such as PuTTY to establish the telnet connection. Let me know how you make out.
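The reply above boils down to a checklist: the split-tunnel (crypto) ACL and the nonat ACL must carry a host entry for the PIX outside address towards the client pool, the telnet/http lines must cover the pool on the management interface, and management-access plus sysopt connection permit-ipsec must be present. The script below is an added example, not code from the thread or from Cisco: it parses the handful of PIX 6.x statement types shown in the posted config and reports which of those checklist items are missing. The sample config is constructed to mirror the posted one, with the documentation prefix 192.0.2.0/28 standing in for the masked A.B.C.D block; the function and variable names are the example's own.

```python
import ipaddress

# Constructed sample (not the poster's real config): the documentation prefix
# 192.0.2.0/28 stands in for the A.B.C.D block masked out in the thread.
SAMPLE_CONFIG = """\
access-list nonat permit ip 172.16.0.0 255.255.0.0 172.16.180.0 255.255.255.0
access-list Managment_interested_traffic permit ip 192.0.2.0 255.255.255.240 any
access-list Managment_interested_traffic permit ip 172.16.8.0 255.255.255.0 any
nat (inside) 0 access-list nonat
ip address outside 192.0.2.1 255.255.255.240
ip address inside 172.16.8.2 255.255.255.0
ip local pool managment_pool 172.16.180.1 mask 255.255.255.255
http server enable
http 172.16.180.1 255.255.255.255 outside
sysopt connection permit-ipsec
vpngroup Managment address-pool managment_pool
vpngroup Managment split-tunnel Managment_interested_traffic
telnet 172.16.180.1 255.255.255.255 outside
management-access outside
"""

# The same config plus the host-form entries the reply recommends (constructed).
FIXED_CONFIG = SAMPLE_CONFIG + """\
access-list Managment_interested_traffic permit ip host 192.0.2.1 172.16.180.0 255.255.255.0
access-list nonat permit ip host 192.0.2.1 172.16.180.0 255.255.255.0
"""


def _addr(tok, i):
    """Parse one PIX address spec (any | host A | A MASK) at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_pix_config(text):
    """Extract only the statement types the audit needs from PIX 6.x style config text."""
    cfg = {"acls": {}, "ifaces": {}, "pools": {}, "group_pool": {}, "split": {},
           "nonat": None, "access": [], "mgmt": None, "sysopt": set()}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((t[2], t[3], src, dst))
        elif t[:2] == ["ip", "address"]:
            cfg["ifaces"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:3] == ["ip", "local", "pool"]:
            # "ip local pool NAME FIRST[-LAST] mask MASK": keep the first pool address
            cfg["pools"][t[3]] = ipaddress.ip_address(t[4].split("-")[0])
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nonat"] = t[4]
        elif t[0] == "vpngroup" and t[2] == "address-pool":
            cfg["group_pool"][t[1]] = t[3]
        elif t[0] == "vpngroup" and t[2] == "split-tunnel":
            cfg["split"][t[1]] = t[3]
        elif t[0] in ("telnet", "ssh", "http") and len(t) == 4:
            cfg["access"].append((t[0], ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False), t[3]))
        elif t[0] == "management-access":
            cfg["mgmt"] = t[1]
        elif t[0] == "sysopt":
            cfg["sysopt"].add(" ".join(t[1:]))
    return cfg


def audit_vpn_management(cfg, group, mgmt_iface="outside"):
    """Return the checklist items this config fails; an empty list means all are present."""
    findings = []
    outside_ip = cfg["ifaces"][mgmt_iface].ip
    host = ipaddress.ip_network(f"{outside_ip}/32")
    pool_ip = cfg["pools"][cfg["group_pool"][group]]

    def has_host_to_pool(name):
        # A permit whose source is exactly the interface address (host form, not the
        # interface's subnet) and whose destination covers the client pool.
        return any(src == host and pool_ip in dst
                   for act, _, src, dst in cfg["acls"].get(name, []) if act == "permit")

    if not has_host_to_pool(cfg["split"].get(group)):
        findings.append(f"split-tunnel ACL needs 'permit ip host {outside_ip}' to the client pool")
    if not has_host_to_pool(cfg["nonat"]):
        findings.append(f"nonat ACL needs 'permit ip host {outside_ip}' to the client pool")
    for proto in ("telnet", "http"):
        if not any(p == proto and i == mgmt_iface and pool_ip in net for p, net, i in cfg["access"]):
            findings.append(f"no '{proto} ... {mgmt_iface}' entry covers pool address {pool_ip}")
    if cfg["mgmt"] != mgmt_iface:
        findings.append(f"management-access {mgmt_iface} not set")
    if "connection permit-ipsec" not in cfg["sysopt"]:
        findings.append("sysopt connection permit-ipsec missing")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("with host entries", FIXED_CONFIG)):
        print(label, "->", audit_vpn_management(parse_pix_config(text), "Managment") or "OK")
```

Run against the posted shape, the audit reports exactly the two ACL problems the reply identifies (network-form source in the split-tunnel ACL, and no matching nonat entry); with the two host-form lines appended it reports nothing. The parser deliberately ignores every statement it does not understand, so it can be pointed at a full `write terminal` dump without choking on crypto, isakmp or vpngroup password lines.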

adiwakar
Level 1

Use SSH from outside the PIX.

SSH should be enabled by default:

ssh ip_address [netmask] [interface_name]

ssh 171.68.225.212 255.255.255.255 outside

The default PIX username is pix and the password is cisco.

Good luck

-Aman
