
Allow Telnet/PDM over Net..S.O.S.Pix 6.3

gopal_voip
Level 1

Hi,

My need is very simple: I would like to access my PIX, which is in a remote location, via telnet and PDM.

The PIX has its "outside" interface on a private IP and its "inside" interface on a public IP, x.199.213.1, and I would like to access it by telnetting or doing https to this very IP, x.199.213.1.

Where am I going wrong?

Shukky

India

9 Replies

bigchoice75
Level 1

First off....you should never directly connect your inside interface to the internet. By default, the pix allows all traffic from the inside to outside, setting the pix up in this manner allows all traffic from the internet to bypass pix and enter your private network. You should change the config and point your outside interface toward the internet, once this is done you'll need to enter the commands:

http server enable

http 0 0 outside

this enables pdm access from all internet hosts, if you'd like to restrict traffic to only certain hosts you can enter something like this:

http 192.168.10.1 255.255.255.255 outside

Secondly, you cannot telnet to the outside interface unless you use IPSec. Instead, you may want to use SSH since it's easier to configure and also provides data confidentiality. You can enable this by entering the following commands (you must first configure the hostname and domain of the pix):

ca zeroize rsa

ca generate rsa key 512

ca save all

you should then be able to use ssh to access pix.

good luck
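
An added example, not part of the original post and not Cisco tooling: a short Python check that reads PIX management rules of the `<service> <ip> <mask> <interface>` form quoted in this thread and reports the ones that admit any source address on an untrusted interface, such as `http 0 0 outside`. The sample config is constructed from lines quoted in the thread, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the management lines quoted in this thread, in one config.
SAMPLE_CONFIG = """\
http server enable
http 0 0 outside
http 192.168.10.1 255.255.255.255 outside
http 10.0.1.0 255.255.255.0 inside
management-access inside
"""

# <service> <ip> <mask> <interface>, the form used by the lines above.
RULE = re.compile(r"^(http|ssh|telnet)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _prefix_len(mask):
    """Count the set bits in a dotted mask; a bare 0 is shorthand for 0.0.0.0."""
    mask = "0.0.0.0" if mask == "0" else mask
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def management_rules(config):
    """Yield (line_no, service, source, prefix_len, interface) per access rule."""
    for line_no, raw in enumerate(config.splitlines(), 1):
        m = RULE.match(raw.strip())
        if not m:
            continue  # e.g. "http server enable", "management-access inside"
        service, addr, mask, iface = m.groups()
        try:
            addr = "0.0.0.0" if addr == "0" else addr
            ipaddress.IPv4Address(addr)  # reject tokens that are not addresses
            prefix = _prefix_len(mask)
        except ValueError:
            continue  # not an address/mask pair
        yield line_no, service, addr, prefix, iface


def open_management(config, untrusted=("outside",)):
    """Return rules that admit every source address on an untrusted interface."""
    return [r for r in management_rules(config)
            if r[4] in untrusted and r[3] == 0]


if __name__ == "__main__":
    for line_no, service, addr, prefix, iface in open_management(SAMPLE_CONFIG):
        print(f"line {line_no}: {service} open to any host on {iface}")
```

For a PIX cabled the way the original poster describes, with the inside interface facing the Internet, pass `untrusted=("inside",)`.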

jmia
Level 7

Hi,

Following on from the post, use SSH (see other post) to manage the PIX. To access PDM I would suggest that you do this via a VPN. Take a look at the following document:

http://www.cisco.com/en/US/products/sw/netmgtsw/ps2032/products_configuration_example09186a0080094497.shtml

Also, if the above is not possible what you could do is setup VPN client access on your remote PIX and then access PDM via the VPN.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

Now all you need to do on your remote PIX is to enable PDM by:

http server enable

http 10.0.1.0 255.255.255.0 inside

*the 10.0.1.0 /24 address space is taken from the ip local pool for VPN clients – see the above URL.

The key here is to enable access to the inside interface of your PIX, so you’ll also need to enable this by:

(in config mode)

management-access inside

You can check to see if you can reach the inside interface of the PIX via the VPN Client by pinging the inside interface IP of your PIX – you should get a reply! As soon as this is confirmed you can open up your web browser and open up PDM i.e.

https://

I think the 2nd option will be better for you.

Hope this helps and if it does please rate post as it might help others.

Thanks –

Jay

gopal_voip
Level 1

Hi,

Thanks for all the inputs. I'm posting my update again with what I have done and from where. Please advise.

I will surely rate this post.

(config)# sh ca mypubkey rsa

% Key pair was generated at: 16:44:16 UTC Sep 5 2005

Key name: IITM-PiX.ciscopix.com

Usage: General Purpose Key

Key Data:

30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00b7d437

818c206d 4beaf0e4 0322e88e abf365ce d022a827 2b6fbd12 f464469c f4c2090e

Hope this helps.

Shukky

India

Hi,

I'm still waiting.

I have SSHed into a PC in the network but can't telnet or ssh from that SSH server PC to any other device.

Please enlighten me.

Shukky

India

Are you trying to ssh into the PIX from the PC or through the PIX? Please be more specific.

Hi,

Thanks for your reply. I'm trying to telnet and ssh into the PIX, not through it.

Once I ssh into the network SSH server I can't telnet or ssh anywhere else.

Please advise.

Shukky

India

Hi,

I am confused. You are trying to ssh to the PIX, and all the above posts are related to that. Now you mention the issue is: "once i ssh into the network ssh server i cant telnet or ssh anywhere else."

In order to assist you further, what exactly are you trying to achieve?

Yes, I am confused as well.

Hi,

OK, OK, OK... big confusion.

First things first:

What I wanted:

1. To ssh into the PIX's inside interface IP address, which is a public IP, from the outside interface over the Internet.

Result: couldn't do a damn thing.

What I did:

1. I had a server-class PC with a public IP in the inside net of the PIX, and told my guy to make that PC an SSH server, which he did. I SSHed into that machine, no problems.

Now I thought that if I'm in that SSH server, I can also ssh into the PIX from that remote machine, but it just didn't happen. I was not able to ssh or telnet from that machine, but the guy sitting there on that machine locally was able to do it all: ping/telnet/ssh.

So here I am, sitting at a remote site, and can't access my PIX.

So I'm now thinking of doing a RADMIN installation and simulating the same thing.

But I need a solution for my issue.

My configs are OK. Please advise.

Shukky

India