Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

telnetting to PIX 506

Status
Not open for further replies.
gman10

gman10

Technical User
Jul 20, 2001
451
0
0
US
Hey all-

generally if I want to telnet to a PIX 506.. I know to input telnet XX.XXX.XX.XXX at the cmd prompt but what port should I assume putting in.. this baffles me but I know my syntax is correct.. it is something like this, c>telnet 192.168.0.2 (port number but don't know which one)..

thx for any help..

gman
 
Sort by date Sort by votes
you don't actually need to type the port in - when using the telnet command it assumes port 23
so either
telnet 192.168.0.2
or
telnet 192.168.0.2 23
should both work.

tony
 
Upvote 0 Downvote
If you cannot telnet to your firewall using just
telnet 192.168.0.2
then most probably you have to enable telnet access for your workstation or it could be that there is no network connectivity between the firewall and your workstation.
To enable telnet, connect to the firewall via the console port, enter in the configuration mode and allow telnet using this command (let's say your workstation's IP is 192.168.0.100):

telnet 192.168.0.100

Adrian Grigorof
FireGen for Pix Log Analyzer
 
Upvote 0 Downvote
thx Adrian!

I was wondering if you can help me with a current situation concerning a PIX 501.. if you have time.. well here goes my story:

I had this PIX deployed at customer site which was configured by someone that doesn't work here anymore.. I'd like certain people including myself to be able to VPN to it from our remote office.. I will post the config and am wondering what I need to edit in order for this functionality to happen. It doesn't look like there is an outside address configured on the PIX so my VPN client needs an outside address interface (entry) to be inputted.. Also, this PIX is sitting behind a cable modem where addresses are probably assigned via DHCP from what I gather. Well, here's the config, if anyone can shed some light, that would be great!

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 4.hz0DbMxoBv3gTr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NSUHPIX501
domain-name CANSUH.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 10.0.0.144 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.144 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool NSUHAdminsPool 10.0.0.151-10.0.0.155
pdm location 24.46.16.0 255.255.240.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.46.16.0 255.255.240.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup NSUHAdmins address-pool NSUHAdminsPool
vpngroup NSUHAdmins idle-time 1800
vpngroup NSUHAdmins password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:477fea9b79bc2365b88b40548f5fb962
: end
[OK]


thx again!
gman
 
Upvote 0 Downvote
Obviously, you need to know the IP address or the host name of the firewall in order to connect with your VPN client. If the IP address is dynamically assigned, you may have to use a dynamic dns agent behind your firewall that could update the host name (and you would use that host name in your vpn client). Once you fix this issue, then you may start to worry about the Pix configuration. There are many resources on the web about dynamic dns clients. See:
- it contains links to various dynamic dns sites. Most of them are free.


Adrian Grigorof
FireGen for Pix Log Analyzer
 
Upvote 0 Downvote
thx Adrian,

I was wondering if I restage the PIX back on the cable modem and did a "sh interface" wouldn't that tell me the outside address.. then I could plyg that info into my VPN client host text box.. I realize that this address could change at any point since it's dynamic and then my VPN wouldn't work anymore.. what do you think?

gman
 
Upvote 0 Downvote
Thx Adrian!!

That will do it, I'll work on a potential static address later on.. just need instant functionaltiy for now to satisfy the money people!! FYI, the config I posted above was designed by someone else and is no longer with our company.. I had removed the access lists that he created and added my own and then I assigned them to an access-group since my predecessor never did that.. so I substituted

access-list inside_outbound_nat0_acl permit ip any 10.0.0.144 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.144 255.255.255.240

with

access-list inbound permit ip 10.0.0.0 255.255.255.0 any
and
access-group inbound in interface outside

Do you think that will do it? This seems more logical.. no?
Remember, all I want to do is VPN to this customers PIX from my remote office, they will never need to go outside for anything.. VPN etc...

thanks aagin so much!
gman[morning]


 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
140
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
139
Johnkite
Johnkite
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
42
brownmab53
brownmab53
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
116
nnaarrnn
nnaarrnn
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
35
xwray
xwray

Part and Inventory Search

Sponsor

Back
Top