
Telnet to PIX from outside interface 2

Status
Not open for further replies.

yizhar

MIS
Sep 1, 2001
2,282
IL
HI!

Can I access a PIX (ver 5.2) with telnet from the outside interface,
without first configuring IPSEC and so?

I know it is not secure, but need this option on a temporary basis.

Is this command enough (as I tried it didn't work for me)?

TELNET a.b.c.d 255.255.255.255 outside

If not, then do I need only to configure the PIX itself (and how)?
or do I need also IPSEC configuration on the telnet client (Win98) side?


I have read chapter #12 in this article

Which says:
"
If IPSec is in place, you can let a host on the outside interface access the PIX Firewall console. Use a command such as:

telnet 209.165.200.225 255.255.255.224 outside
"
But what in IPSEC? What about the other side?

Any sample configuration will help, I will also search CCO.


Thanks

Yizhar
Yizhar Hurwitz
 
The PIX will only allow telnet from the inside unless you set up IPSEC.

If you have a manageable switch or a router on the inside, you can create the static mapping and appropriate telnet access-list and telnet to the switch/router. From there you can telnet into the PIX.

You can also use the PDM GUI. I'm not a fan of the GUI interface but I think it will let you do most of the config with the exception of VPN configurations. If you do use the PDM, limit the outside connection to your specific address or subnet.
 
Here is an example.
access-list 108 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 108 permit ip host <ip address of pix external interface> 192.168.2.0 255.255.255.0
telnet 192.168.2.0 255.255.255.0 outside
ip local pool clientpool 192.168.2.50-192.168.2.75
nat (inside) 0 access-list 108
sysopt connection permit-ipsec
isakmp enable outside
isakmp key ******* address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local clientpool outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
crypto ipsec transform-set cspmset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set cspmset
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
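
Added example, not part of the original posts: a small Python check over PIX configuration lines that reports whether a `telnet ... outside` rule is accompanied by a crypto map bound to the outside interface (the condition the replies describe), and flags the DES, MD5, group 1 and wildcard pre-shared key settings. The rule ids and function names are hypothetical, and the sample input is a constructed subset of the configuration posted above.

```python
import re

# Constructed sample: a subset of the configuration lines posted above.
SAMPLE_CONFIG = """\
telnet 192.168.2.0 255.255.255.0 outside
isakmp key ******* address 0.0.0.0 netmask 0.0.0.0
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
crypto ipsec transform-set cspmset esp-des esp-md5-hmac
crypto map mymap interface outside
"""

TELNET_OUTSIDE = r"^telnet \S+ \S+ outside$"
CRYPTO_MAP_OUTSIDE = r"^crypto map \S+ interface outside$"

# (hypothetical finding id, pattern, why it matters)
RULES = [
    ("telnet-outside", TELNET_OUTSIDE, "cleartext management protocol on the outside"),
    ("wildcard-psk", r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$",
     "pre-shared key is accepted from any peer address"),
    ("ike-des", r"^isakmp policy \d+ encryption des$", "56-bit DES for IKE"),
    ("ike-md5", r"^isakmp policy \d+ hash md5$", "MD5 for IKE integrity"),
    ("ike-group1", r"^isakmp policy \d+ group 1$", "768-bit Diffie-Hellman group"),
    ("esp-weak", r"^crypto ipsec transform-set \S+ .*\besp-(des|md5-hmac)\b",
     "DES or MD5 in the ESP transform set"),
]

def _normalize(config):
    """Lower-case each line and collapse runs of whitespace."""
    return [" ".join(line.split()).lower() for line in config.splitlines()]

def audit(config):
    """Return (line_number, finding_id, reason) for every rule that matches."""
    findings = []
    for num, line in enumerate(_normalize(config), 1):
        for fid, pattern, reason in RULES:
            if re.search(pattern, line):
                findings.append((num, fid, reason))
    return findings

def telnet_outside_covered(config):
    """False when telnet is allowed on outside but no crypto map is bound there."""
    lines = _normalize(config)
    has_telnet = any(re.search(TELNET_OUTSIDE, l) for l in lines)
    has_map = any(re.search(CRYPTO_MAP_OUTSIDE, l) for l in lines)
    return (not has_telnet) or has_map
```

`telnet_outside_covered` returns `False` for the single `TELNET a.b.c.d 255.255.255.255 outside` line from the question, since no crypto map is bound to the outside interface there.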

 