Can't telnet into PIX across subnets

Posted on 2006-05-07
Last Modified: 2013-11-16
I am trying to access a PIX 506e across subnets and I am unable to directly telnet into it at  If I VNC into a workstation at on the other subnet I can then telnet into the PIX.  There is a site to site VPN between the two PIX devices.  I can ping everything on the other subnet from a server on the main 192.168.0.x subnet.

Main office:
PIX 515e /24

Branch office:
PIX 506e /24

I added the following to the PIX 515e:
access-list nonat permit ip

I also have an access list set up for the VPN as follows:
access-list 109 permit ip

I'm not sure what is stopping the ability to telnet directly into from a server at

I added the following to the PIX 506e but it didn't seem to work:
telnet inside

Thanks for your help!
Question by:jplagens
    LVL 20

    Accepted Solution

    If the target PIX is running 6.3 series (command not supported in 6.2 or earlier), add this to the config:
      management-access inside

    LVL 79

    Expert Comment

    >I'm not sure what is stopping the ability to telnet directly into from a server at
    It is purely in the design of the PIX. It was designed to restrict all access to the inside interface from outside.
    As calvinetter mentioned, there is one workaround: use the "management-access inside" command. This will make the inside interface available to external users, but only over the VPN tunnel.
    Personally, I never use Telnet to a PIX. I much prefer using the secure PDM GUI, or SSH to the public IP, and just restrict http/ssh access to the public IP of the other side's PIX.
    LVL 4

    Author Comment

    The PIX 515e is running 6.3(4)
    The PIX 506e is running 6.3(4)

    I added management-access inside on both PIXs.

    From the PIX 506 at the remote office I can telnet into  From the PIX 515 at the main office I cannot telnet into

    This is the PIX 506 config:

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname PIX506
    domain-name acme
    fixup protocol dns maximum-length
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list out permit icmp any any echo
    access-list out permit icmp any any echo-reply
    access-list out permit tcp any host eq 5900
    access-list out permit tcp any host eq 3389
    access-list out permit tcp any host eq www
    access-list nonat permit ip
    access-list nonat permit ip
    access-list nonat permit ip
    access-list 101 permit ip
    access-list 101 permit ip
    access-list 80 permit ip host
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0 0
    static (inside,outside) tcp www www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 3389 3389 netmask 0 0
    static (inside,outside) tcp 5900 5900 netmask 0 0
    access-group out in interface outside
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol rad
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
    crypto ipsec transform-set pixtopix esp-des esp-md5-hmac
    crypto dynamic-map dynmap 30 set transform-set vpnclient
    crypto map vpnmap 1 ipsec-isakmp
    crypto map vpnmap 1 match address 101
    crypto map vpnmap 1 s
    crypto map vpnmap 1 set transform-set pixtopix
    crypto map vpnmap 30 ipsec-isakmp dynamic dynmap
    crypto map vpnmap interface outside
    isakmp enable outside
    isakmp key ******** address netmask
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption des
    isakmp policy 30 hash md5
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    vpngroup acme address-pool vpnpool
    vpngroup acme split-tunnel nonat
    vpngroup acme idle-time 86400
    vpngroup acme password ********
    telnet inside
    telnet timeout 5
    ssh outside
    ssh timeout 5
    management-access inside
    console timeout 0
    dhcpd address inside
    dhcpd dns 4.x.x.x 4.x.x.x
    dhcpd wins
    dhcpd lease 691200
    dhcpd ping_timeout 750
    dhcpd option 150 ip
    dhcpd enable inside
    terminal width 80
    : end
    LVL 20

    Expert Comment

    >From the PIX 515 at the main office I cannot telnet into
        That's because you're only "allowing" telnet from the 192.168.9.x subnet with the below config line:
    >telnet inside

      Add this to your PIX 506 config:
    telnet inside
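The two fixes in this thread (management-access inside, and a telnet line that covers the main-office subnet) can be checked against a saved config before touching the box. What follows is an added example, not code from the thread or from Cisco. It uses assumed addresses because the originals were stripped from the post (branch LAN 192.168.9.0/24, main office 192.168.0.0/24, main-office public IP 203.0.113.10), and it models the PIX 6.3 rules only as the thread describes them: a source host must be covered by a telnet/ssh line for the interface it connects to, and reaching the inside interface from the far end of the tunnel additionally requires management-access inside.

```python
"""Added example, not code from the thread or from Cisco: a small checker for
PIX 6.3 remote-management access.  It parses the 'telnet'/'ssh' allow-list
lines and 'management-access' from a config and answers whether a given source
host may open an admin session to an interface.  Simplified model of the PIX
rules as described in the thread: the source must be covered by a telnet/ssh
line for the target interface, and reaching the inside interface from the far
end of a VPN additionally requires 'management-access inside'.
All addresses are assumed (the originals were stripped from the post)."""
import ipaddress
import re

ALLOW_RE = re.compile(r"^\s*(telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
MGMT_RE = re.compile(r"^\s*management-access\s+(\S+)\s*$")

# Constructed stand-in for the branch PIX 506e config in the thread, with
# assumed addresses: branch LAN 192.168.9.0/24, main-office public IP 203.0.113.10.
BRANCH_PIX_BEFORE = """\
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 5
management-access inside
"""


def parse_admin_access(config):
    """Return (rules, mgmt_ifaces): rules is a list of (proto, network, ifname)
    from 'telnet'/'ssh' lines; mgmt_ifaces is the set of interfaces named in
    'management-access'.  'telnet timeout 5' has too few fields to match."""
    rules, mgmt_ifaces = [], set()
    for line in config.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            proto, ip, mask, ifname = m.groups()
            try:
                net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            except ValueError:
                continue  # not an address/mask pair; ignore
            rules.append((proto, net, ifname))
            continue
        m = MGMT_RE.match(line)
        if m:
            mgmt_ifaces.add(m.group(1))
    return rules, mgmt_ifaces


def admin_allowed(config, proto, src_ip, target_if, via_vpn=False):
    """True if src_ip may open a <proto> session to the PIX's <target_if>
    address.  via_vpn=True means the session arrives through the IPsec
    tunnel (the main-office-to-branch case in the thread)."""
    rules, mgmt_ifaces = parse_admin_access(config)
    src = ipaddress.ip_address(src_ip)
    # Across the tunnel, a non-outside interface is reachable only if
    # 'management-access <if>' names it (PIX 6.3 and later).
    if via_vpn and target_if != "outside" and target_if not in mgmt_ifaces:
        return False
    return any(p == proto and ifn == target_if and src in net
               for p, net, ifn in rules)


def add_telnet_source(config, network, ifname):
    """Append the 'telnet <ip> <mask> <if>' line the thread's last comment
    recommends, so a second subnet (e.g. the main office) is allowed in."""
    net = ipaddress.ip_network(network)
    return config + f"telnet {net.network_address} {net.netmask} {ifname}\n"


if __name__ == "__main__":
    fixed = add_telnet_source(BRANCH_PIX_BEFORE, "192.168.0.0/24", "inside")
    for cfg, label in ((BRANCH_PIX_BEFORE, "before"), (fixed, "after")):
        ok = admin_allowed(cfg, "telnet", "192.168.0.5", "inside", via_vpn=True)
        print(f"{label}: main-office host telnet to branch inside -> {ok}")
```

Run against the constructed "before" config, a main-office host is refused even though management-access inside is present, because no telnet line covers 192.168.0.0/24; adding that line flips the result, and removing management-access inside refuses it again, which is the pair of conditions the accepted solution and the last comment describe. The checker is a model, not the PIX itself: confirm on the device with show running-config after the change, and note that the telnet list is the only thing standing between the whole far subnet and a cleartext login, so keep it to the hosts that need it or use ssh as the LVL 79 comment suggests.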

