
Telnet to PIX from outside 1

Status
Not open for further replies.

msujit001 (IS-IT--Management), Mar 18, 2002
Hi,


Is there any way to telnet to a PIX firewall from outside?
I have an IPsec tunnel between two locations, say location A and location B.

At location A the IPsec is on a router, and at location B the IPsec is terminated on a PIX.

At location B, the PIX outside interface is connected to the router, and the router is connected to the Internet.

Now from location A, I want to telnet to the PIX kept at location B.

I am able to telnet to the router, and then from the router I am able to telnet to the PIX.
Though I have included the command telnet <location b Ipsec peer> outside, it doesn't allow me to telnet.

Is there any way to telnet to the PIX kept at location B from location A?

Regards,

Sujit.
 
Just got off the phone with Cisco on this one and they have verified that there is NO way to telnet into the outside interface. Per Yizhar in a previous post, you could set up an SSH client and set up an SSH key on the PIX. This is also much more secure than regular telnet.
I have set up the SSH client and it works fine; it is just a bit of a pain because, as you said, I can't telnet in via the router.
jon
 
It is possible to telnet to the PIX external interface provided you have a site-to-site VPN running between the 2 sites.

The access-list specified in the nat (inside) 0 statement must have rules for IP traffic between the IP address of your workstation and the external interface of the remote firewall.
 
How about a slight workaround.

conduit permit tcp host 10.1.1.1 eq 23 host 10.2.1.1

Telnet to 10.1.1.1 from outside via 10.2.1.1
then telnet to internal interface on PIX.

Create a secure conduit.

Seems to work ok for me.

SSH would work as well.

-Danny
dan@snoboarder.net
 
Why would you want to? It's clear text. This is a huge security issue as your password will pass over the net in clear text, or am I wrong here?
 
NtwkGuy, you're right in that it will pass your telnet password in clear text. This method could also be used with SSH and would be considered the appropriate method today. However, I create a secure conduit to a single host for added security. -Danny
dan@snoboarder.net
 
After consulting this site and scouring the Cisco documents, I figured out how to do the site-to-site thing. What a pain in the ass--finding the right info, that is. (BTW, I hope no one at Cisco *really* said this can't be done; their docs say in numerous places that it can.)

It's not hard to do. This scenario involves two PIX firewalls with a site-to-site VPN tunnel between them, connecting two private networks:


172.20.0.0/16---pix1--\/--pix2---172.30.0.0/16
      1          2         3           4

Points 1 through 4 are as follows (I doubt this will look right in html):

1 Host(s) in the first network
2 The outside interface of pix1
3 The outside interface of pix2
4 Host(s) in the second network

The trick is to ensure that the external interface traffic is encrypted from the remote site, so that the local PIX will not discard it. In other words, the remote PIX must encrypt the _return_traffic_, or the connection will fail. This makes sense because you are telnetting into the outside interface. What is not obvious is that the traffic originating on that interface is not automatically encrypted, and you must explicitly call it out in your encryption access list.

To remotely telnet to pix2 from the 172.20.0.0 network, your basic encryption access list (the one for the crypto map) on pix1 would look like this:

access-list <name> permit ip <point_1> <point_4>
access-list <name> permit ip <point_1> <point_3>
:This one (the <point_3> entry) encrypts to the ext. interface

And on pix2

access-list <name> permit ip <point_4> <point_1>
access-list <name> permit ip <point_3> <point_1>
:This one encrypts from the ext. interface back to the network

If you want to remotely access either way, add the appropriate mirror image list entries, that is, from the remote network to the local interface, and the local interface to the remote network, as in:

Pix1:

access-list <name> permit ip <point_1> <point_4>
access-list <name> permit ip <point_1> <point_3>
access-list <name> permit ip <point_2> <point_4>

And on pix2

access-list <name> permit ip <point_4> <point_1>
access-list <name> permit ip <point_3> <point_1>
access-list <name> permit ip <point_4> <point_2>

-db
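db's point is that the crypto access lists on the two PIXes have to be mirror images, including the entries for the outside interface itself, otherwise the return traffic leaves unencrypted and is discarded. The following added checker (not from the thread or from Cisco) parses PIX-style `access-list <name> permit ip <src> <dst>` lines on both peers and reports every flow whose reverse is missing on the far side; the ACL name `vpn` and the outside addresses 192.0.2.1 / 198.51.100.1 are constructed placeholders for points 2 and 3.

```python
import ipaddress
import re

# PIX crypto ACL form used in the thread: access-list <name> permit ip <src> <dst>,
# where an address is "host A.B.C.D", "A.B.C.D MASK" or "any".
ADDR = r"(host \S+|any|\S+ \S+)"
ACL_RE = re.compile(rf"^access-list (\S+) permit ip {ADDR} {ADDR}$")

def to_network(token):
    """Convert a PIX address token into an ipaddress network object."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}")  # dotted mask accepted

def parse_crypto_acl(config_text):
    """Return the set of (src, dst) network pairs found in a crypto ACL."""
    pairs = set()
    for line in config_text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            pairs.add((to_network(m.group(2)), to_network(m.group(3))))
    return pairs

def missing_mirrors(local_acl, remote_acl):
    """Local (src, dst) entries whose reverse (dst, src) is absent on the peer.
    Any flow listed here gets encrypted outbound, but its return traffic is
    not matched by the peer's crypto ACL and is dropped by the local PIX."""
    remote = parse_crypto_acl(remote_acl)
    return sorted((str(s), str(d)) for s, d in parse_crypto_acl(local_acl)
                  if (d, s) not in remote)

# Constructed sample following the thread's topology: point 1 = 172.20.0.0/16,
# point 4 = 172.30.0.0/16, point 3 (pix2 outside) = 198.51.100.1 (placeholder).
PIX1_ACL = """
access-list vpn permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
access-list vpn permit ip 172.20.0.0 255.255.0.0 host 198.51.100.1
"""
# pix2 as many people first configure it: only the network-to-network entry.
PIX2_ACL = """
access-list vpn permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
"""
# pix2 with db's extra line, encrypting from the ext. interface back to point 1.
PIX2_ACL_FIXED = PIX2_ACL + "access-list vpn permit ip host 198.51.100.1 172.20.0.0 255.255.0.0\n"

if __name__ == "__main__":
    print("unmirrored on pix2:", missing_mirrors(PIX1_ACL, PIX2_ACL))
    print("after fix:", missing_mirrors(PIX1_ACL, PIX2_ACL_FIXED))
```

Run against the broken pair it flags the 172.20.0.0/16 to 198.51.100.1/32 flow, exactly the telnet-to-outside-interface case; with the mirror entry added, nothing is reported in either direction.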
 
Another solution would be to allow telnet access through the PIX to a switch on the inside LAN. Then allow telnet access from the switch IP address to the inside address of the PIX.

access-list inbound permit tcp any host <switch> eq 23

telnet <switch address> inside

Sunyasee B-)
 
Am I missing something here? Why not just set up an SSH server and then use an SSH client to connect to the outside interface instead of the troubles? Just remember that the PIX cannot be an SSH client, only a server.

This does require 6.1 or 6.2, if I remember correctly, but it does work.

MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 