what is the management access command for

sebastan_bach
Level 4

could someone please explain what the exact purpose of the management-access command is.

sebastan


10 Replies

It is "supposed" to allow access to the inside interface for polling the device.

The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)

In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:

• SNMP polls to the mgmt_if
• HTTPS requests to the mgmt_if
• PDM access to the mgmt_if
• Telnet access to the mgmt_if
• SSH access to the mgmt_if
• Ping to the mgmt_if

DC

just a quick add-on.

a real live scenario would be remote management access to the pix/asa.

a security administrator may need to remotely manage the pix from home or potentially anywhere. the most secure way to provide management access is to configure remote vpn access (by cisco vpn client software) together with this command, so that the security administrator can telnet to the pix inside interface after the remote vpn connection is established.

ssh is another way to provide remote management access to the pix; however, provided there is no fixed source ip, the only way is to do "ssh 0.0.0.0 0.0.0.0 outside". it means anyone from the internet can initiate an ssh session to the pix, which may not be an ideal solution.

hi jackko, thanks for your detailed explanation. now i got it: the remote access client can have access to the inside interface with this command. can we allow the remote access client to telnet to the outside interface of the pix? in the telnet command i have to specify the address of the pool assigned to the client, right? do i need any access-list for it? with the management access command i can enable access to the inside interface of the pix. but is it possible to have a client who can only have management access to the inside? he should be able to talk to any inside resources; is it possible? please explain to me if it's possible. thank you for all your help. hope to see your reply.

sebastan

1. it is not feasible to telnet to the pix outside interface under any circumstance, you can only telnet to the inside interface with the command "management-access" over remote vpn access.

2. yes, the command "telnet inside" is required on top of the "management-access" command. typically, no acl should be needed.

3. "but is it possible to have a client who can only have management access to the inside". assuming you are referring to restricting the remote vpn access to the pix inside interface: with v6.x, the vpn connection can be restricted by an inbound acl, assuming the command "sysopt connection permit-ipsec" is disabled.

e.g.

no sysopt connection permit-ipsec
access-list 111 permit tcp host <vpn-client-ip> host <pix-inside-ip> eq 23
access-list 111 permit ip <second-vpn-pool> <mask> <inside-network> <mask>
access-list 111 permit ip <branch-network> <mask> <inside-network> <mask>
access-group 111 in interface outside

the first entry is used to restrict remote vpn access to telnet to the pix inside interface only; the second entry is used to permit another group of remote users to obtain full access with remote vpn access; and the third entry is used to permit the lan-lan vpn to a branch office.
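An added example, not from this thread or from Cisco: a small Python script that audits a constructed PIX 6.x configuration (every address in it is invented) for the points made in this answer and in the earlier reply about "ssh 0.0.0.0 0.0.0.0 outside". It records the interface named by management-access, confirms that a telnet/ssh/http line names that same interface (management-access on its own does not grant a login), checks whether "sysopt connection permit-ipsec" has been disabled so the inbound ACL can constrain VPN clients, and flags any management protocol open to 0.0.0.0 0.0.0.0 on any interface. Only the 6.x command forms shown in the thread are parsed; everything else in the config is ignored.

```python
"""Audit a PIX 6.x configuration for remote-management exposure.

Added example, not from the thread or from Cisco. It only understands the
handful of commands discussed in the thread (management-access,
telnet|ssh|http <addr> <mask> <if>, sysopt connection permit-ipsec);
every other line of the configuration is ignored.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample configuration; every address here is invented.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 1.1.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip local pool vpnpool 10.10.10.1-10.10.10.50
no sysopt connection permit-ipsec
access-list 111 permit tcp 10.10.10.0 255.255.255.0 host 10.1.1.1 eq 23
access-list 111 permit ip 10.10.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group 111 in interface outside
management-access inside
telnet 10.10.10.0 255.255.255.0 inside
ssh timeout 5
ssh 0.0.0.0 0.0.0.0 outside
"""

ANYONE = ipaddress.ip_network("0.0.0.0/0")
# telnet|ssh|http <address> <netmask> <interface>  (6.x syntax)
MGMT_RE = re.compile(r"^(telnet|ssh|http)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class MgmtRule:
    protocol: str
    source: ipaddress.IPv4Network
    interface: str


@dataclass
class PixAudit:
    mgmt_if: Optional[str] = None        # interface named by management-access
    permit_ipsec: Optional[bool] = None  # None: sysopt line absent, platform default applies
    rules: List[MgmtRule] = field(default_factory=list)


def parse_config(text: str) -> PixAudit:
    """Collect the management-related lines from a PIX 6.x running-config."""
    audit = PixAudit()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("management-access "):
            audit.mgmt_if = line.split()[1]
        elif line == "sysopt connection permit-ipsec":
            audit.permit_ipsec = True
        elif line == "no sysopt connection permit-ipsec":
            audit.permit_ipsec = False
        else:
            m = MGMT_RE.match(line)
            if m:
                proto, addr, mask, iface = m.groups()
                # (address, netmask) tuple form; strict=False tolerates host bits
                net = ipaddress.ip_network((addr, mask), strict=False)
                audit.rules.append(MgmtRule(proto, net, iface))
    return audit


def audit_findings(audit: PixAudit) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for r in audit.rules:
        if r.source == ANYONE:
            # e.g. "ssh 0.0.0.0 0.0.0.0 outside": anyone on the internet may start a session
            findings.append(f"{r.protocol} on {r.interface} open to any source (0.0.0.0 0.0.0.0)")
    if audit.mgmt_if is None:
        findings.append("no management-access interface defined")
    elif not any(r.interface == audit.mgmt_if for r in audit.rules):
        # management-access alone is not enough: a telnet/ssh/http line must name the interface
        findings.append(f"management-access {audit.mgmt_if} set but no telnet/ssh/http line names {audit.mgmt_if}")
    if audit.permit_ipsec is True:
        findings.append("sysopt connection permit-ipsec enabled: inbound ACL on outside will not restrict VPN traffic")
    return findings


def audit_config(text: str) -> List[str]:
    """Parse and audit in one step."""
    return audit_findings(parse_config(text))


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the open ssh line on the outside interface; the telnet line restricted to the VPN pool on the management interface and the disabled sysopt pass. Feed it a real `show run` (after removing anything sensitive) to get the same three checks on your own box.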

hi jackko, thanks a lot once again. in 7.0 we have an option for specifying the privilege level for the remote vpn user also, by which we can specify the privilege level access he gets on the command line. am i right? i have not tried it yet. thanks for all your help once again.

sebastan

haven't tried this before. i believe it is similar to router ios, i.e. the level restricts which commands the user can issue after login.

hi jackko thanks once again.

sebastan

hi jackko, strange problem. i am having a site to site vpn between a pix and a router. i have enabled management access outside, and i have configured telnet outside with the subnet behind the router. the router is connected to the outside of the pix. in the crypto acl of the pix it's between the outside interface ip address and the subnet behind the router, and vice versa for the router also. the ipsec session is up. when i telnet from the router to the pix outside, i get a blank screen where i cannot type any commands. what could be the problem? i tried with the inside interface and it works perfectly fine. on the pix connection entry i can see the telnet session established also. can you please help me? is telnet allowed on the outside interface from a site to site vpn tunnel? please help. waiting for your reply.

sebastan

pix (1.1.1.1) <--> www <--> (1.1.1.2) router (192.168.0.1) <--> 192.168.0.x

you mentioned "when i telnet from the router to the pix outside, i get a blank screen where i cannot type any commands. what could be the problem?"

assuming the lan-lan vpn is between the pix outside interface and 192.168.0.x, then any host at 192.168.0.x should be able to telnet to the pix outside. i actually did a test and it works, so telnet to the pix outside would work with ipsec.

hi jackko, you mean to say i am right with my configuration, right? do i have to give any management access command? could this be a bug in the ios? not sure. thanks anyway.

sebastan
