egeiyioglu

asked on

Getting VPN clients to telnet PIX

Hi there
I have a PIX 501 and remote vpn clients connecting through Microsoft XP's VPN client.
I can telnet to the PIX from within the local network, and the VPN clients get the same IP range, but they cannot ping the PIX nor telnet to it. How can I solve this? I also have a problem where I cannot reach it from outside via telnet or ssh. I use ssh1; it asks me for DES or 3DES, and whichever I select it asks me for a username and password. I use the username and password and it does not accept them.

Here's my running config.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.128
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.9
access-list splittunnelacl permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool esher 192.168.1.50-192.168.1.70
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.128 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
isakmp nat-traversal 30
vpngroup PPTP-VPDN-GROUP split-tunnel splittunnelacl
vpngroup PPTP-VPDN-GROUP idle-time 1800
vpngroup pptp-vpdn-group split-dns abcmusic.local
vpngroup pptp-vpdn-group idle-time 1800
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local esher
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.9 158.152.1.43
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username wimbledon password *********
vpdn username beneales password *********
vpdn username hounslow password *********
vpdn username kianchanter password *********
vpdn username kew password *********
vpdn username markbaker password *********
vpdn username nigelcorby password *********
vpdn enable outside
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd dns 192.168.1.9 158.152.1.43
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside



RPPreacher

When you VPN in, your VPN tunnel terminates as it leaves the PIX so you are asking a packet to "backtrack" back to the PIX and then jump back into the VPN tunnel, back to the client.  All of which is impossible.

Instead you have 2 options

(1) Most secure:  connect to an internal device and use that device to connect to PIX

-or-

(2) Insecure:  Allow SSH/telnet on your outside interface of your PIX.  If you do #2, be sure to limit it to specific IP addresses (if possible) and use a strong password; however, all in all still a bad idea.
harbor235
>and the VPN clients get the same ip range but they cannot ping the pix nor telnet to the pix
I would assign my VPN clients a different IP range.

>I also have a problem where I cannot reach it from outside via telnet or ssh
ssh:
Did you generate your RSA keys first?

telnet:
You only allow telnet from "telnet 192.168.1.0 255.255.255.0 inside"

harbor235 ;}

Instead of opening SSH or (especially) telnet from the outside, which will be constantly under attack, you could use remote desktop to a server on the inside, and use the local telnet/ssh (putty) client on the server to manage the PIX.

Good Luck
egeiyioglu

ASKER

tmassa99, this already works, I just want to be able to connect to the PIX when I establish a vpn connection without going through the hassle of connecting to another machine first.
Still have my second solution...

(2) Insecure:  Allow SSH/telnet on your outside interface of your PIX.
NEVER PUT TELNET ON THE OUTSIDE INTERFACE
maybe ssh
ok. I won't allow telnet on the outside interface, I know that it is insecure. But I want to enable telnet when I am on an encrypted VPN; I don't think this is too insecure. Is there a way to do it besides rdp'ing into a local client?
hello?
ASKER CERTIFIED SOLUTION
RPPreacher
When you connect to the pix via ssh, the username is: 'pix' and the password is the passwd - which is whatever you set. Then you can connect from the outside world.
Thank you.  I appreciate the nod.
Well, I consider it abandoned. Still, I think this is what egeiyioglu is looking for.

Steps to allow telnet via VPN client. I did it with the Cisco VPN client; it works fine every time I do it.

1) Allow https, ssh, and telnet via VPN; use command pix(config)#management-access inside
2) Allow telnet from VPN client; use command pix(config)#telnet <your VPN client IP address range and subnet> inside
   (which you have already done.)


Cheers
chchua
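As an added example (not code from anyone in this thread), a small Python check that parses the lines of the posted PIX 6.3 config that decide VPN-client management access and reports the conditions raised above: the missing management-access inside, the pool overlapping the LAN subnet, and SSH open to any outside source. The admin host 203.0.113.10 in the fixed variant is a constructed placeholder.

```python
import ipaddress
# Constructed excerpt of the PIX 6.3(4) config from the question: only the lines
# that decide whether a VPN client can reach the firewall's management services.
ORIGINAL_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool esher 192.168.1.50-192.168.1.70
telnet 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""
# Same excerpt with chchua's fix applied; 203.0.113.10 is a constructed
# (documentation-range) admin host, not an address from the thread.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "ssh 0.0.0.0 0.0.0.0 outside", "ssh 203.0.113.10 255.255.255.255 outside"
) + "management-access inside\n"

def parse(config):
    """Collect the inside subnet, VPN pool, telnet/ssh permits and management-access."""
    facts = {"inside": None, "pool": None, "telnet": [], "ssh": [], "mgmt_access": False}
    for line in config.splitlines():
        p = line.split()
        if p[:3] == ["ip", "address", "inside"]:
            facts["inside"] = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        elif p[:3] == ["ip", "local", "pool"]:
            lo, hi = p[4].split("-")
            facts["pool"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif p and p[0] in ("telnet", "ssh") and len(p) == 4:  # "<proto> addr mask iface"
            facts[p[0]].append((ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False), p[3]))
        elif p[:2] == ["management-access", "inside"]:
            facts["mgmt_access"] = True
    return facts

def audit(config):
    """Finding codes for why VPN clients cannot (or should not) manage the PIX."""
    f = parse(config)
    lo, hi = f["pool"]
    findings = []
    # VPN clients hit the inside address, so the whole pool must be in a telnet permit on inside
    if not any(lo in net and hi in net and iface == "inside" for net, iface in f["telnet"]):
        findings.append("POOL_NOT_IN_TELNET_INSIDE")
    # Without management-access, traffic arriving via the VPN is never handed to the inside address
    if not f["mgmt_access"]:
        findings.append("NO_MANAGEMENT_ACCESS_INSIDE")
    # harbor235's point: a pool carved from the LAN subnet risks clashing with DHCP/static hosts
    if f["inside"] and lo in f["inside"]:
        findings.append("POOL_OVERLAPS_INSIDE_LAN")
    # RPPreacher's caveat: management reachable from any Internet source is the insecure option
    for proto in ("telnet", "ssh"):
        if any(iface == "outside" and net.prefixlen == 0 for net, iface in f[proto]):
            findings.append(f"{proto.upper()}_ANY_OUTSIDE")
    return findings
```

Running audit() on the original excerpt reports the missing management-access, the pool overlap and the open SSH; on the fixed excerpt only the pool overlap remains, which is harbor235's separate-range suggestion rather than a reachability blocker.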