• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 813

Can't telnet into PIX across subnets

I am trying to access a PIX 506e across subnets and I am unable to directly telnet into it at  If I VNC into a workstation at on the other subnet I can then telnet into the PIX.  There is a site to site VPN between the two PIX devices.  I can ping everything on the other subnet from a server on the main 192.168.0.x subnet.

Main office:
PIX 515e /24

Branch office:
PIX 506e /24

I added the following to the PIX 515e:
access-list nonat permit ip

I also have an access list set up for the VPN as follows:
access-list 109 permit ip

I'm not sure what is stopping the ability to telnet directly into from a server at

I added the following to the PIX 506e but it didn't seem to work:
telnet inside

Thanks for your help!
1 Solution
If the target PIX is running 6.3 series (command not supported in 6.2 or earlier), add this to the config:
  management-access inside

>I'm not sure what is stopping the ability to telnet directly into from a server at
It is purely in the design of the PIX. It was designed to restrict all access to the inside interface from outside.
As calvinetter mentioned, there is one workaround to use the "management-access inside" command. This will make the inside interface available to external users, but only with VPN tunnel.
Personally, I never use Telnet to a PIX. I much prefer using the secure PDM GUI, or SSH to the public IP and just restrict access to http/ssh to the public ip of the other side pix.
jplagens (Author) commented:
The PIX 515e is running 6.3(4)
The PIX 506e is running 6.3(4)

I added management-access inside on both PIXs.

From the PIX 506 at the remote office I can telnet into
From the PIX 515 at the main office I cannot telnet into

This is the PIX 506 config:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX506
domain-name acme
fixup protocol dns maximum-length
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list out permit icmp any any echo
access-list out permit icmp any any echo-reply
access-list out permit tcp any host 72.xx.xxx.xx eq 5900
access-list out permit tcp any host 72.xx.xxx.xx eq 3389
access-list out permit tcp any host 72.xx.xxx.xx eq www
access-list nonat permit ip
access-list nonat permit ip
access-list nonat permit ip
access-list 101 permit ip
access-list 101 permit ip
access-list 80 permit ip host 72.xx.xxx.xx
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.xx.xxx.xx
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
static (inside,outside) tcp 72.xx.xxx.xx www www netmask 255.255.255.255 0 0
static (inside,outside) tcp 72.xx.xxx.xx 3389 3389 netmask 0 0
static (inside,outside) tcp 72.xx.xxx.xx 5900 5900 netmask 0 0
access-group out in interface outside
route outside 72.xx.xxx.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol rad
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto ipsec transform-set pixtopix esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set vpnclient
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address 101
crypto map vpnmap 1 s
crypto map vpnmap 1 set transform-set pixtopix
crypto map vpnmap 30 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 69.xxx.xxx.xx netmask
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup acme address-pool vpnpool
vpngroup acme split-tunnel nonat
vpngroup acme idle-time 86400
vpngroup acme password ********
telnet inside
telnet timeout 5
ssh 72.xx.xxx.xx outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address inside
dhcpd dns 4.x.x.x 4.x.x.x
dhcpd wins
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd option 150 ip
dhcpd enable inside
terminal width 80
: end
>From the PIX 515 at the main office I cannot telnet into
That's because you're only "allowing" telnet from the 192.168.9.x subnet with the below config line:
>telnet inside

Add this to your PIX 506 config:
telnet inside
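The two answers above come down to a pair of checks a reviewer can apply to any PIX 6.3 config: does a telnet/ssh line cover the source subnet the admin is connecting from, and, when the session arrives over the site-to-site tunnel, is management-access set on the interface being addressed? The following Python script is an added example, not code from this thread or from Cisco; it parses only the telnet, ssh and management-access lines of a constructed config modelled on the PIX 506 above (192.168.9.0/24 for the branch and 192.168.0.0/24 for the main office are taken from the thread, the 203.0.113.10 ssh peer is a placeholder for the redacted public IP) and reports why a given source can or cannot reach the box. The via_tunnel flag is the script's own assumption for "traffic arrives encrypted on outside and targets the inside interface".

```python
import ipaddress
import re

# Constructed sample, modelled on the thread's PIX 506 config. Only the
# management-related lines are kept; the public IP is a placeholder.
SAMPLE_CONFIG = """
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 5
management-access inside
"""

# The fix the last answer proposes: also permit the main-office subnet.
FIXED_CONFIG = SAMPLE_CONFIG + "telnet 192.168.0.0 255.255.255.0 inside\n"

# Matches "telnet|ssh <addr> <mask> <interface>"; lines like "telnet timeout 5" do not match.
ACCESS_RE = re.compile(r"^(telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")


def parse_management_lines(config):
    """Return (rules, mgmt_iface): rules is a list of (proto, IPv4Network, iface)."""
    rules = []
    mgmt_iface = None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m:
            proto, addr, mask, iface = m.groups()
            # ipaddress accepts a dotted netmask; strict=False tolerates host bits.
            rules.append((proto, ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), iface))
        elif line.startswith("management-access "):
            mgmt_iface = line.split()[1]
    return rules, mgmt_iface


def can_manage(config, proto, source_ip, via_tunnel=False):
    """True if a session of `proto` from `source_ip` is accepted by the config.

    via_tunnel=True models the thread's case: the packets arrive on the outside
    interface inside the IPsec tunnel but are addressed to the inside interface,
    which PIX 6.3 only allows when management-access names that interface.
    """
    rules, mgmt_iface = parse_management_lines(config)
    src = ipaddress.IPv4Address(source_ip)
    for rule_proto, net, iface in rules:
        if rule_proto != proto or src not in net:
            continue
        if via_tunnel and iface != "outside" and mgmt_iface != iface:
            continue  # matching line exists, but the interface is not reachable over the VPN
        return True
    return False


def audit(config):
    """Findings a reviewer would raise: cleartext telnet, any-source rules, missing management-access."""
    rules, mgmt_iface = parse_management_lines(config)
    findings = []
    for proto, net, iface in rules:
        if proto == "telnet":
            findings.append(f"cleartext telnet permitted from {net} on {iface}; prefer ssh")
        if net.prefixlen == 0:
            findings.append(f"{proto} permitted from any source on {iface}")
    if mgmt_iface is None:
        findings.append("no management-access line: inside interface is unreachable over the VPN")
    return findings


if __name__ == "__main__":
    # Branch workstation, directly on the inside subnet: accepted.
    print(can_manage(SAMPLE_CONFIG, "telnet", "192.168.9.5"))
    # Main-office server over the tunnel with the original config: refused (the thread's symptom).
    print(can_manage(SAMPLE_CONFIG, "telnet", "192.168.0.5", via_tunnel=True))
    # Same server after adding the main-office subnet: accepted.
    print(can_manage(FIXED_CONFIG, "telnet", "192.168.0.5", via_tunnel=True))
    for finding in audit(SAMPLE_CONFIG):
        print("finding:", finding)
```

Running the script shows the sequence the thread went through: the branch subnet works locally, the main-office subnet is refused until its telnet line is added, and removing management-access inside from the fixed config makes the tunnel case fail again. The audit also echoes the second expert's point that telnet is cleartext and ssh is the better choice for the public side.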
