Sweetworks
MIS
I am configuring a Pix 506e (6.3(5)) at a new remote office that will connect back to our network via our 3005 concentrator. I used an existing group and created a new user. On the Pix, I used the Easy VPN option and the VPN Tunnel is working.
Before we send it out we want to make sure we can remotely connect to the Pix (telnet or PDM) to be able to modify it as needed. I can telnet or connect to the PDM if I am on the subnet, but not from my PC on the main network.
I read in my Pix textbook "the Pix does not permit inbound telnet connections on its outside interface unless IPSec is configured on that interface for a secure VPN connection."
As I have a secure IPSec tunnel, what am I missing for the config?
Here is my Config
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nQCEf5r.sF1I3M7E encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname wil-vpn
domain-name us.sweet.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 512
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.20.0.0 DEP
name 10.30.0.0 DEP2
name 10.19.0.0 KAN
name 10.18.0.0 MTP
name 10.26.0.0 DEPC
name 10.16.0.0 MON
name 10.21.0.0 LUM
name 10.23.0.0 COL
name 10.22.0.0 BRV
name 10.17.0.0 ONT
name 10.25.0.0 LUMC
name 10.26.2.0 WIL
access-list 101 permit ip host 60.171.5.69 DEP 255.255.0.0
access-list 101 permit ip host 10.26.2.101 DEP 255.255.0.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 60.171.5.69 255.255.255.240
ip address inside 10.26.2.101 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location WIL 255.255.255.255 inside
pdm location DEP 255.255.255.255 outside
pdm location DEP 255.255.0.0 outside
pdm location 60.171.5.65 255.255.255.255 outside
pdm location 63.138.62.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 60.171.5.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http DEP 255.255.0.0 outside
http WIL 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
telnet DEP 255.255.0.0 outside
telnet WIL 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.26.2.200-10.26.2.254 inside
dhcpd dns 10.20.0.20 10.20.0.21
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain us.sefar.org
dhcpd enable inside
username admin password n6lCXg13Ff6Q5hNS encrypted privilege 15
vpnclient server 70.145.82.68
vpnclient mode network-extension-mode
vpnclient vpngroup sohogrp password ********
vpnclient username wilpix password ********
vpnclient management tunnel 10.20.0.0 255.255.0.0
vpnclient enable
terminal width 80
Cryptochecksum:c3a052fc53bfb6b946a4b1519434c3c3
: end
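Added example (not code from the post above, and not a Cisco tool): a small audit that reads the `name`, `ip address`, `telnet`, `http` and `management-access` lines out of a PIX 6.3 running-config and answers "may this source manage the box on this interface?". It assumes the documented PIX 6.3 behaviour that, with `management-access inside`, a management session arriving through the IPsec tunnel terminates on the inside interface, so the `telnet`/`http` permit lines must name `inside`, not `outside`. The embedded config is a constructed excerpt of the relevant lines from the posted config; the function names are this example's own.

```python
"""Audit which sources may reach a PIX 6.3 management service (telnet /
http, i.e. PDM) on which interface, from running-config text.

Added example for this thread; not code from the post or from Cisco.
Assumption (documented PIX 6.3 behaviour): with `management-access inside`
a management session that arrives over the IPsec tunnel terminates on the
inside interface, so permits for tunnel users must name `inside`.
"""
import ipaddress

SERVICES = ("telnet", "http")

# Constructed excerpt of the relevant lines from the posted config.
SAMPLE_CONFIG = """\
name 10.20.0.0 DEP
name 10.26.2.0 WIL
ip address outside 60.171.5.69 255.255.255.240
ip address inside 10.26.2.101 255.255.255.0
http server enable
http DEP 255.255.0.0 outside
http WIL 255.255.255.0 inside
telnet DEP 255.255.0.0 outside
telnet WIL 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
"""


def parse_pix_management(config_text):
    """Return name aliases, interface addresses, per-service permit lists
    and the management-access interface parsed from PIX config text."""
    names = {}
    iface_addrs = {}
    raw_permits = []
    management_access = None
    for line in config_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name" and len(parts) == 3:
            names[parts[2]] = parts[1]                 # name <ip> <alias>
        elif parts[:2] == ["ip", "address"] and len(parts) == 5:
            iface_addrs[parts[2]] = ipaddress.ip_interface(
                f"{parts[3]}/{parts[4]}")              # ip address <if> <ip> <mask>
        elif parts[0] in SERVICES and len(parts) == 4:
            raw_permits.append(tuple(parts))           # <svc> <net> <mask> <iface>
        elif parts[0] == "management-access" and len(parts) == 2:
            management_access = parts[1]
    # Resolve 'name' aliases after the pass so line order does not matter.
    permits = {svc: [] for svc in SERVICES}
    for svc, net, mask, iface in raw_permits:
        net = names.get(net, net)
        permits[svc].append(
            (ipaddress.ip_network(f"{net}/{mask}", strict=False), iface))
    return {"names": names, "iface_addrs": iface_addrs,
            "permits": permits, "management_access": management_access}


def management_allowed(parsed, service, source_ip, arrives_on):
    """True if some permit line for `service` covers source_ip on the
    interface the session arrives on."""
    src = ipaddress.ip_address(source_ip)
    return any(src in net and iface == arrives_on
               for net, iface in parsed["permits"][service])


def missing_tunnel_permits(parsed, source_ip):
    """Permit lines that would have to be added so that source_ip can
    manage the box over the VPN tunnel (management-access interface)."""
    target = parsed["management_access"]
    if target is None:
        return []
    src = ipaddress.ip_address(source_ip)
    missing = []
    for svc in SERVICES:
        if management_allowed(parsed, svc, source_ip, target):
            continue
        # Reuse the network already trusted on another interface; otherwise
        # propose a single-host entry rather than widening anything.
        nets = [net for net, iface in parsed["permits"][svc] if src in net]
        net = nets[0] if nets else ipaddress.ip_network(f"{src}/32")
        missing.append(f"{svc} {net.network_address} {net.netmask} {target}")
    return missing


if __name__ == "__main__":
    parsed = parse_pix_management(SAMPLE_CONFIG)
    for svc in SERVICES:
        for iface in ("outside", "inside"):
            print(svc, iface, "from 10.20.0.50:",
                  management_allowed(parsed, svc, "10.20.0.50", iface))
    for line in missing_tunnel_permits(parsed, "10.20.0.50"):
        print("missing:", line)
```

Run against the excerpt, a main-network host such as 10.20.0.50 is permitted for telnet and http on `outside` but not on `inside`, which is the interface the tunnelled session actually lands on, so the audit reports the two `... inside` lines as missing. The check treats telnet and http alike; in practice a cleartext telnet listener is only acceptable because the PIX refuses it on the outside interface outside IPsec, and the config's `ssh timeout 5` without any `ssh` permit lines means SSH is not yet usable as the alternative.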