jplagens
asked on
Can't telnet into PIX across subnets
I am trying to access a PIX 506e across subnets and I am unable to directly telnet into it at 192.168.9.1. If I VNC into a workstation at 192.168.9.100 on the other subnet I can then telnet into the PIX. There is a site to site VPN between the two PIX devices. I can ping everything on the other subnet from a server on the main 192.168.0.x subnet.
Main office:
PIX 515e 192.168.0.1 /24
Branch office:
PIX 506e 192.168.9.1 /24
I added the following to the PIX 515e:
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0
I also have an access list set up for the VPN as follows:
access-list 109 permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0
I'm not sure what is stopping the ability to telnet directly into 192.168.9.1 from a server at 192.168.0.68.
I added the following to the PIX 506e but it didn't seem to work:
telnet 192.168.0.0 255.255.255.0 inside
Thanks for your help!
ASKER
The PIX 515e is running 6.3(4)
The PIX 506e is running 6.3(4)
I added management-access inside on both PIXes.
From the PIX 506 at the remote office I can telnet into 192.168.0.1. From the PIX 515 at the main office I cannot telnet into 192.168.9.1.
This is the PIX 506 config:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX506
domain-name acme
fixup protocol dns maximum-length
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out permit icmp any any echo
access-list out permit icmp any any echo-reply
access-list out permit tcp any host 72.xx.xxx.xx eq 5900
access-list out permit tcp any host 72.xx.xxx.xx eq 3389
access-list out permit tcp any host 72.xx.xxx.xx eq www
access-list nonat permit ip 192.168.9.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.9.0 255.255.255.0 192.168.126.0 255.255.255.0
access-list 101 permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 192.168.9.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 80 permit ip host 72.xx.xxx.xx 192.168.126.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.xx.xxx.xx 255.255.255.0
ip address inside 192.168.9.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.126.1-192.168.126.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 72.xx.xxx.xx www 192.168.9.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 72.xx.xxx.xx 3389 192.168.9.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 72.xx.xxx.xx 5900 192.168.9.3 5900 netmask 255.255.255.255 0 0
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 72.xx.xxx.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol rad
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto ipsec transform-set pixtopix esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set vpnclient
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address 101
crypto map vpnmap 1 s
crypto map vpnmap 1 set transform-set pixtopix
crypto map vpnmap 30 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 69.xxx.xxx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup acme address-pool vpnpool
vpngroup acme split-tunnel nonat
vpngroup acme idle-time 86400
vpngroup acme password ********
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 72.xx.xxx.xx 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.9.2-192.168.9.20 inside
dhcpd dns 4.x.x.x 4.x.x.x
dhcpd wins 192.168.0.68
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd option 150 ip 10.1.1.1
dhcpd enable inside
terminal width 80
Cryptochecksum:b093a68ffd1ea8781120bb3e2d218f91
: end
>From the PIX 515 at the main office I cannot telnet into 192.168.9.1.
That's because you're only "allowing" telnet from the 192.168.9.x subnet with the below config line:
>telnet 192.168.9.0 255.255.255.0 inside
Add this to your PIX 506 config:
telnet 192.168.0.0 255.255.255.0 inside
cheers
It is purely in the design of the PIX. It was designed to restrict all access to the inside interface from outside.
As calvinetter mentioned, there is one workaround: the "management-access inside" command. This will make the inside interface available to external users, but only over a VPN tunnel.
Personally, I never use Telnet to a PIX. I much prefer using the secure PDM GUI, or SSH to the public IP and just restrict access to http/ssh to the public ip of the other side pix.
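Both answers above come down to two config lines: the `telnet <net> <mask> <ifname>` source filter and `management-access inside`. The following Python checker is an added example, not code from the thread or from Cisco; it parses those lines out of a constructed excerpt modelled on the posted PIX 506 config (the SSH peer 203.0.113.5 is a placeholder) and reports whether a management session from a given source would pass the source filter, reproducing the failure from 192.168.0.68 and the result after calvinetter's fix.

```python
import ipaddress
import re

# Constructed config excerpt modelled on the PIX 506 posted in the thread; the
# ssh peer 203.0.113.5 is a documentation placeholder, not the thread's address.
PIX506_CONFIG = """\
ip address inside 192.168.9.1 255.255.255.0
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 203.0.113.5 255.255.255.255 outside
management-access inside
"""
# The fix calvinetter proposed: permit the main-office subnet as well.
FIXED_CONFIG = PIX506_CONFIG + "telnet 192.168.0.0 255.255.255.0 inside\n"

# 'telnet|ssh <net> <mask> <ifname>'; 'telnet timeout 5' has too few fields to match.
MGMT_RE = re.compile(r"^(telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_mgmt_acls(config_text):
    """Return (proto, network, ifname) tuples for every telnet/ssh source filter."""
    acls = []
    for line in config_text.splitlines():
        m = MGMT_RE.match(line.strip())
        if not m:
            continue
        proto, net, mask, ifname = m.groups()
        acls.append((proto, ipaddress.ip_network(f"{net}/{mask}", strict=False), ifname))
    return acls

def mgmt_allowed(config_text, proto, src_ip, ifname):
    """True if a <proto> session from src_ip, arriving on <ifname>, passes the filter."""
    src = ipaddress.ip_address(src_ip)
    return any(p == proto and i == ifname and src in n
               for p, n, i in parse_mgmt_acls(config_text))

def has_management_access(config_text, ifname):
    """VPN-carried traffic may target the inside interface only with this line present."""
    return f"management-access {ifname}" in (ln.strip() for ln in config_text.splitlines())

def check_remote_telnet(config_text, src_ip):
    """The thread's case: a main-office host telnetting to the branch PIX's inside IP."""
    return {
        "management_access_inside": has_management_access(config_text, "inside"),
        "telnet_source_permitted": mgmt_allowed(config_text, "telnet", src_ip, "inside"),
    }

if __name__ == "__main__":
    print(check_remote_telnet(PIX506_CONFIG, "192.168.0.68"))  # telnet_source_permitted False
    print(check_remote_telnet(FIXED_CONFIG, "192.168.0.68"))   # telnet_source_permitted True
```

The checker models only the source filter and the management-access line, not routing, NAT exemption or the crypto ACLs that the tunnel itself depends on.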