03-14-2006 01:37 PM - edited 03-09-2019 02:15 PM
Could someone please explain what the exact purpose of the management-access command is?
sebastan
03-14-2006 02:45 PM
It is "supposed" to allow access to the inside interface for polling the device.
The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)
In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:
- SNMP polls to the mgmt_if
- HTTPS requests to the mgmt_if
- PDM access to the mgmt_if
- Telnet access to the mgmt_if
- SSH access to the mgmt_if
- Ping to the mgmt_if
DC
03-14-2006 11:24 PM
Just a quick add-on.
A real-life scenario would be remote management access to the PIX/ASA.
A security administrator may need to manage the PIX remotely from home or potentially anywhere. The most secure way to provide management access is to configure remote VPN access (with the Cisco VPN Client software) together with this command, so that the security administrator can telnet to the PIX inside interface after the remote VPN connection is established.
SSH is another way to provide remote management access to the PIX; however, provided there is no fixed source IP, the only way is to do "ssh 0.0.0.0 0.0.0.0 outside". It means anyone on the Internet can initiate an SSH session to the PIX, which may not be an ideal solution.
03-15-2006 02:22 AM
Hi jackko, thanks for your detailed explanation. Now I get it: the remote access client can have access to the inside interface with this command. Can we allow the remote access client to telnet to the outside interface of the PIX? In the telnet command I have to specify the address of the pool assigned to the client, right? Do I need any access-list for it? With the management-access command I can enable access to the inside interface of the PIX, but is it possible to have a client who can only have management access to the inside? He should be able to talk to any inside resources; is it possible? Please explain to me if it's possible. Thank you for all your help; hope to see your reply.
sebastan
03-15-2006 03:43 AM
1. It is not feasible to telnet to the PIX outside interface under any circumstance; you can only telnet to the inside interface with the command "management-access" over remote VPN access.
2. Yes, the command "telnet
3. "but is it possible to have a client who can only have management access to the inside". Assuming you are referring to restricting the remote VPN access to the PIX inside interface: with v6.x, the VPN connection can be restricted by an inbound ACL, assuming the command "sysopt connection permit-ipsec" is disabled.
e.g.
no sysopt connection permit-ipsec
access-list 111 permit tcp
access-list 111 permit ip
access-list 111 permit ip
access-group 111 in interface outside
The first entry is used to restrict remote VPN access to telnet to the PIX inside interface only; the second entry is used to permit another group of remote users to obtain full access with remote VPN access; and the third entry is used to permit the LAN-LAN VPN to a branch office.
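Putting DC's description of management-access and jackko's ACL restriction together, the following PIX 6.3 fragment is an added example for this thread, not configuration posted by any participant. The addresses are assumed: inside interface 10.1.1.1, remote-access VPN client pool 192.168.100.0/24. The IPsec remote-access configuration itself (isakmp policy, vpngroup, crypto map) is assumed to already be in place and is omitted. The weak "ssh from anywhere on the outside" setting jackko warns about is shown commented out next to the restricted form.

```cisco
! Assumed pool handed to remote-access VPN clients
ip local pool vpnpool 192.168.100.1-192.168.100.50

! Weak option from the thread: any Internet host may open an SSH session to the outside interface
! ssh 0.0.0.0 0.0.0.0 outside

! Make the inside interface (assumed 10.1.1.1) reachable for management over the IPsec tunnel
management-access inside

! Telnet/SSH to the inside interface is accepted only from the VPN client pool
telnet 192.168.100.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside

! Stop decrypted IPsec traffic from bypassing the outside interface ACL
no sysopt connection permit-ipsec

! Decrypted client traffic is now filtered here: only Telnet/SSH to the inside
! interface IP is permitted, so these clients get management access and nothing else
access-list 111 permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.1 eq telnet
access-list 111 permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.1 eq ssh
access-group 111 in interface outside
```

After a client connects, "show access-list 111" shows hit counts increasing on the telnet or ssh entry, while a connection attempt from the pool to any other inside host should be dropped by the implicit deny at the end of the ACL. If a second group of clients needs full access, give it its own pool and add a "permit ip" entry for that pool, as jackko's second entry does.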
03-16-2006 04:02 AM
Hi jackko, thanks a lot once again. In 7.0 we have an option for specifying the privilege level for the remote VPN user also, by which we can specify the privilege level access he gets on the command line. Am I right? I have not tried it yet. Thanks for all your help once again.
sebastan
03-16-2006 05:59 AM
Haven't tried this before. I believe it is similar to router IOS, i.e. the level restricts which commands the user can issue after login.
03-16-2006 12:16 PM
Hi jackko, thanks once again.
sebastan
04-03-2006 06:42 PM
Hi jackko, strange problem. I am having a site-to-site VPN between a PIX and a router. I have enabled management-access outside, and I have configured telnet outside with the subnet behind the router. The router is connected to the outside of the PIX. In the crypto ACL of the PIX it's between the outside interface IP address and the subnet behind the router, and vice versa for the router also. The IPsec session is up. When I telnet from the router to the PIX outside, I get a blank screen where I cannot type any commands. What could be the problem? I tried with the inside interface and it works perfectly fine. In the PIX connection entries I can see the telnet session established also. Can you please help me? Is telnet allowed on the outside interface from a site-to-site VPN tunnel? Please help; waiting for your reply.
sebastan
04-04-2006 07:30 PM
pix (1.1.1.1) <--> www <--> (1.1.1.2) router (192.168.0.1) <--> 192.168.0.x
You mentioned: "when I telnet from the router to the PIX outside, I get a blank screen where I cannot type any commands. What could be the problem?"
Assuming the LAN-LAN VPN is between the PIX outside interface and 192.168.0.x, then any host at 192.168.0.x should be able to telnet to the PIX outside. I actually did a test and it works, so telnet to the PIX outside would work with IPsec.
04-05-2006 11:18 AM
Hi jackko, you mean to say I am right with my configuration, right? Do I have to give any management-access command? Could this be a bug in the IOS? Not sure. Thanks anyways.
sebastan
