two questions VPN IP & Telnet access

chris.mckenna
Level 1

Hi Everyone,

My first question is what IP will clients get if they VPN to the network. The clients are running the Cisco Secure client and tunnel to a PIX 506E with the configuration listed below. Can I specify a scope or pool of IP's that the clients get when they make a VPN connection to the network?

The second issue is that I am unable to get remote telnet or SSH access from the outside interface. As you will see in the config, I have enabled both of those services for a specific IP. This IP is statically assigned to me by my ISP on my cable modem. I would like to be able to access the firewall from my home for administration. I would like to use SSH for the enhanced security but cannot get either option to work. Telnet times out without ever making a connection. I am using PuTTY as an SSH client; it seems to connect but the authentication fails. I have tried using root and admin as the user name and have tried both the telnet and enable passwords. I know the passwords are correct as I can log in from the inside interface.

Here is a copy of the config file; any suggestions would be appreciated:

Building configuration...
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname fw1
domain-name xyz.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.0.10 Rob
name 192.168.0.2 Phone_System
name xxx.x.x.xxx ILX
access-list outside_access_in permit tcp any range 8194 8294 host 64.243.xxx.xx
access-list outside_access_in permit tcp any range 1025 6000 host 64.243.xxx.xx
access-list outside_access_in permit udp any range 48129 48192 host 64.243.xxx.xx
access-list outside_access_in permit tcp host ILX eq 11112 any
access-list outside_access_in permit tcp host ILX eq 11114 any
access-list outside_access_in permit tcp host ILX eq www any
access-list outside_access_in permit udp host ILX any
access-list outside_access_in permit tcp any eq 5566 host 64.243.xxx.xx eq 5566
access-list outside_access_in permit udp any range 5004 5005 host 64.243.xxx.xx range 5004 5005
access-list outside_access_in permit udp any eq 5567 host 64.243.xxx.xx eq 5567
pager lines 24
logging on
logging buffered warnings
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 64.243.xxx.xx 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.255 255.255.255.255 inside
pdm location 66.189.xx.xx 255.255.255.255 outside
pdm location Rob 255.255.255.255 inside
pdm location ILX 255.255.255.255 outside
pdm location 66.189.xx.xx 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 2 64.243.xxx.xx-64.243.xxx.xx netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp 64.243.xxx.xx 4900 192.168.0.255 4900 netmask 255.255.255.255 0 0
static (inside,outside) udp 64.243.xxx.xx 5960 192.168.0.255 5960 netmask 255.255.255.255 0 0
static (inside,outside) 64.243.xxx.xx Rob netmask 255.255.255.255 0 0
static (inside,outside) 64.243.xxx.xx Phone_System netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.243.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 66.189.xxx.xx 255.255.255.255 outside
http Phone_System 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community 2d2d2d
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet 66.189.xx.x 255.255.255.0 outside (the complete IP is in the actual config)
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 66.189.xx.xx 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
dhcpd address 192.168.0.16-192.168.0.254 inside
dhcpd dns 209.xxx.xx.x 209.xxx.xx.x
dhcpd lease 259200
dhcpd ping_timeout 750
dhcpd domain xxxx.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:0be1e5eba2d62b36f9c3fd325e15662b
: end
[OK]

1 Reply

Nairi Adamian
Cisco Employee

You can define a pool using the following command:

ip local pool ippool 10.48.67.1-10.48.67.20

And then assign the pool to the client settings depending on what client software you are using. The following link has a sample configuration for this:

http://www.cisco.com/warp/customer/110/B.html

It is not possible to telnet to the outside interface of the PIX unless you are going through IPsec. For SSH, the username by default is pix and the password is the telnet password.

Hope this helps,

-Nairi
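As an added illustration (not part of the reply above or of Cisco's linked sample), this fragment shows how the pool from the reply can be attached to the dynamic crypto map already in the poster's config so that mode config hands clients an address from it, and how to keep that client traffic out of NAT. The pool range, the `nonat` access-list name and the pool mask are assumptions; the crypto and isakmp lines are copied from the posted config.

```text
: Added example, not from the original post. Assumed: pool 10.48.67.1-10.48.67.20
: (a /27, mask 255.255.255.224), access-list name "nonat".
ip local pool ippool 10.48.67.1-10.48.67.20

: Exempt LAN <-> VPN-client traffic from the existing "nat (inside) 1" rule,
: otherwise replies to clients would be PATed to the outside address.
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.48.67.0 255.255.255.224
nat (inside) 0 access-list nonat

: Existing transform set and dynamic map from the posted config.
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco

: Let the PIX push an address to the client (mode config), whether the
: client asks for one or the PIX initiates the exchange.
crypto map dyn-map client configuration address initiate
crypto map dyn-map client configuration address respond
crypto map dyn-map interface outside

: Bind the pool to IKE mode config on the outside interface.
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local ippool outside
: Policy copied from the posted config; DES, MD5 and group 1 are weak by
: today's standards and are kept here only to match the original device.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000

: With "sysopt connection permit-ipsec" (already in the config) the tunnel
: bypasses outside_access_in, so a connected client reaches the inside
: address 192.168.0.1 over the tunnel and is covered by the existing
: "telnet 192.168.0.0 255.255.255.0 inside" and matching ssh statement.
```

A connected client will appear on the LAN with a 10.48.67.x source address, which is why the `nonat` exemption and, if internal hosts do not default-route to the PIX, a route back to 10.48.67.0/27 are needed.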