[pix 525] 6.3(4) How to configure telnet on outside?

Discussion in 'Cisco' started by voytas, Sep 8, 2006.

  1. voytas

    voytas Guest

    Welcome,

    I have a problem configuring a telnet connection on the outside interface.
    With the inside and dmz interfaces the issue is clear. I add:
    telnet ip_addr inside
    and that's all the inside interface needs.

    But what else do I need to add for the outside interface besides 'telnet ip_addr
    outside'?

    And another thing: what does a very basic configuration for a pix (version as
    in the title) look like, to connect from inside to outside? My net is

    aaa.bbb.ccc.ddd aaa.bbb.ccc.ddd+1
    -------[router]-------------------------------------[pix]---------- dmz
    192.168.2.1
    |
    |
    | inside
    192.168.1.1
     
    voytas, Sep 8, 2006
    #1

  2. CCIE 15766 Guest

    I have never tried to permit telnet from outside, because it is not
    safe. But I think you should add an ACL to permit telnet traffic, in
    addition to the [telnet] command. I am not very sure about it.

    To permit outbound traffic, you have to configure NAT.
     
    CCIE 15766, Sep 8, 2006
    #2

  3. Merv Guest

    If this is for a permanent setup then you should use SSH for access
    to the outside interface.
     
    Merv, Sep 8, 2006
    #3
  4. There are only two ways to do it:

    1) set up a VPN connection that allows traffic to the outside
    interface, and then run the telnet within the VPN; or

    2) set up a VPN connection that allows traffic to the inside
    interface specially marked as being a "management interface", and then
    run the telnet within the VPN.

    The PIX refuses to allow plain-text telnet to the outside interface.

    Normal command-line management from outside is via ssh, not telnet.
    For ssh, be sure to use 'ca generate' to generate an RSA key, and
    'ca save all' to save that key permanently ("write memory" does not
    save the RSA key.) Then you can use the 'ssh' command to allow access.
     
    Walter Roberson, Sep 8, 2006
    #4
  5. ip address inside 192.168.1.1 255.255.255.0
    ip address dmz 192.168.2.1 255.255.255.0
    ip address outside aaa.bbb.ccc.ddd+1
    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 interface


    That's about it.

    Note: you did not ask for any data to be allowed to or from the dmz,
    so the above configuration does not permit the dmz to talk to anything.
     
    Walter Roberson, Sep 8, 2006
    #5


  6. The PIX is built to refuse telnet from outside!
    The funny part is that you actually CAN add the command telnet 0 0 outside, but
    when you try the telnet from outside your log will say:
    "..Packet is not an IPSEC Packet"
    I.e. the PIX expects telnet to be encrypted (as Walter R. replied as well).
    So the best is to use SSH, and an SSH client such as putty.exe (google it).
    Or if you must - only encrypted sessions are allowed, so you need to create a
    VPN tunnel and add the command: management-access inside.
    Then you can connect the tunnel and telnet to the PIX inside IP, via the
    outside tunnel.

    HTH
    Martin Bilgrav
     
    Martin Bilgrav, Sep 9, 2006
    #6
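    The advice from reply #4 (SSH to the outside interface, RSA key saved with
    'ca save all') and reply #6 (telnet to the inside address through an IPsec
    tunnel with management-access) put together as one PIX 6.3 configuration
    fragment. This is an added example, not a configuration posted in the
    thread; the hostname "pix", the domain "example.com", the admin host
    203.0.113.10, the password placeholder and the 1024-bit key size are
    assumptions, and the inside network and outside address come from the
    question.

```cisco
! Added example, not from the thread. Assumed: hostname pix, domain
! example.com, single admin host 203.0.113.10, placeholder password.
hostname pix
domain-name example.com

! SSH needs an RSA key. 'write memory' does not store it; 'ca save all' does.
ca generate rsa key 1024
ca save all

! Permit SSH on the outside interface from one admin host only, never 0 0.
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 10

! On 6.3 an SSH login uses the user name "pix" and the telnet password
! set with 'passwd' unless AAA authentication is configured.
passwd <strong-password>

! Keep plain-text telnet restricted to the inside network. Adding
! 'telnet 0 0 outside' is accepted but unencrypted sessions are refused.
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5

! Alternative from reply #6: after an IPsec tunnel terminating on the
! outside interface is up, let the tunneled client reach the inside address.
management-access inside
```

    After 'ca save all', 'show ca mypubkey rsa' should list the key and 'show ssh'
    the permitted hosts; if the key is missing after a reload, the save step was
    skipped and SSH connections will fail until it is repeated.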
