Showing results for 
Search instead for 
Did you mean: 

PIX telnet through VPN client?

Level 1
Level 1

Is it possible to telnet to the PIX (inside) interface through a Cisco VPN Client? I have configured VPN client remote access with dynamic crypto maps on the PIX and can get access to the inside network. However, I'm unable to telnet to the PIX inside interface. Is this a security restriction within the PIX? or am I doing something obviously wrong?

Any help would be gratefully received!

Config below;

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxxx

hostname france


fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69


access-list acl_out permit tcp any host eq smtp

access-list acl_out permit icmp any any

access-list acl_in permit tcp host any eq smtp

access-list acl_in permit tcp host any eq domain

access-list acl_in permit udp host any eq domain

access-list acl_in permit icmp any any

access-list acl_dyn permit icmp any any

access-list acl_dyn permit ip any host

access-list acl_dyn permit ip any host

access-list no-nat permit ip any host

access-list no-nat permit ip any host

access-list no-nat permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 80.56.x.x.x.255.0

ip address inside

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool

pdm history enable

arp timeout 14400

nat (inside) 0 access-list no-nat

static (inside,outside) 80.x.x.x.168.254.5 netmask 0 0

access-group acl_out in interface outside

access-group acl_in in interface inside

route outside 0.x.x.x.56.43.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set testset esp-3des esp-sha-hmac

crypto dynamic-map DYN-VPN 99 match address acl_dyn

crypto dynamic-map DYN-VPN 99 set transform-set testset

crypto map VPN 99 ipsec-isakmp dynamic DYN-VPN

crypto map VPN client authentication LOCAL

crypto map VPN interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup my-group address-pool vpnpool

vpngroup my-group default-domain

vpngroup my-group idle-time 1800

vpngroup my-group password ********

telnet outside

telnet outside

telnet inside

telnet inside

telnet timeout 5

ssh timeout 5

console timeout 0

username xxx password xxxx

encrypted privilege 2

terminal width 80


: end


3 Replies 3

Patrick Iseli
Level 7
Level 7

Telnet to PIX via an IPSEC Tunnel

management-access mgmt_if

for example:

management-access inside

this allows pdm and telnet access to the pix's inside interface while connecting over an ipsec vpn tunnel




Top Man! Cheers Patrick.

Added the 'management-access interface' command to my PIX, and I can now telnet via VPN client.


The pleasure is mine.

Click on Rate this Post to help identify the most useful NetPro content.