01-25-2005 05:13 AM
Dear Sir,
For management purposes in the implementation phase, I want to enable telnet on the outside interface of a PIX-506E firewall, the details of which are given below.
Kindly guide me with a sample config with the necessary access-list for the same.
Firewall- subnet details
LAN Subnet:- 192.168.100.0/24
Firewall Subnet:- 202.100.100.0/28
Firewall External Interface IP:- 202.100.100.1/28
Firewall Internal Interface IP:- 192.168.100.1/24
Default gateway for PC is Internal interface IP of Firewall
Regards
Deepak
01-25-2005 09:30 PM
Hi Deepak,
You need to enable SSH to be able to access the PIX from outside. The commands to enable SSH are:
ssh x.x.x.x 255.255.255.255 outside
ssh timeout 5
where x.x.x.x is the IP address of the PC from which you are going to access the PIX.
You can refer to the command reference of the PIX for more reference:
You can use any SSH client like PuTTY, Tectia, F-Secure etc. to connect to the PIX.
Hope this helps. All the best.
Raj
01-26-2005 05:47 AM
The only way you can do it is to configure a LAN-to-LAN IPsec from remote devices to the PIX and permit telnet on the outside interface.
Here is a simple working config:
HTH
aaa authentication telnet console LOCAL
sysopt connection permit-ipsec
crypto ipsec transform-set Router-PIX esp-des esp-sha-hmac
crypto dynamic-map Router-PIX 10 set transform-set Router-PIX
crypto map PIX-Router 10 ipsec-isakmp dynamic Router-PIX
crypto map PIX-Router client authentication LOCAL
crypto map PIX-Router interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet x.x.x.x 255.255.255.255 outside
ROUTER
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 202.x.x.1
!
!
crypto ipsec transform-set r127 esp-des esp-sha-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map R127 30 ipsec-isakmp
set peer x.x.100.1
set transform-set r127
match address 103
access-list 103 permit tcp host x.x.x.x host 202.100.100.1 eq telnet
Router#202.x.x.1
Trying 202.x.x.1 ... Open
User Access Verification
Username: ********
Password: ********
Type help or '?' for a list of available commands.
PIX-525>