• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 813

Can't telnet into PIX across subnets

I am trying to access a PIX 506e across subnets and I am unable to directly telnet into it at 192.168.9.1.  If I VNC into a workstation at 192.168.9.100 on the other subnet I can then telnet into the PIX.  There is a site to site VPN between the two PIX devices.  I can ping everything on the other subnet from a server on the main 192.168.0.x subnet.

Main office:
PIX 515e 192.168.0.1 /24

Branch office:
PIX 506e 192.168.9.1 /24

I added the following to the PIX 515e:
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0

I also have an access list set up for the VPN as follows:
access-list 109 permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0

I'm not sure what is stopping the ability to telnet directly into 192.168.9.1 from a server at 192.168.0.68?

I added the following to the PIX 506e but it didn't seem to work:
telnet 192.168.0.0 255.255.255.0 inside

Thanks for your help!
Asked by jplagens
1 Solution
 
calvinetterCommented:
If the target PIX is running 6.3 series (command not supported in 6.2 or earlier), add this to the config:
  management-access inside

cheers
 
lrmooreCommented:
>I'm not sure what is stopping the ability to telnet directly into 192.168.9.1 from a server at 192.168.0.68?
It is purely in the design of the PIX. It was designed to restrict all access to the inside interface from outside.
As calvinetter mentioned, there is one workaround: use the "management-access inside" command. This will make the inside interface available to external users, but only over a VPN tunnel.
Personally, I never use Telnet to a PIX. I much prefer using the secure PDM GUI, or SSH to the public IP, and just restrict access to http/ssh to the public IP of the other-side PIX.
 
jplagensAuthor Commented:
The PIX 515e is running 6.3(4)
The PIX 506e is running 6.3(4)

I added management-access inside on both PIXes.

From the PIX 506 at the remote office I can telnet into 192.168.0.1.  From the PIX 515 at the main office I cannot telnet into 192.168.9.1.

This is the PIX 506 config:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX506
domain-name acme
fixup protocol dns maximum-length
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out permit icmp any any echo
access-list out permit icmp any any echo-reply
access-list out permit tcp any host 72.xx.xxx.xx eq 5900
access-list out permit tcp any host 72.xx.xxx.xx eq 3389
access-list out permit tcp any host 72.xx.xxx.xx eq www
access-list nonat permit ip 192.168.9.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.9.0 255.255.255.0 192.168.126.0 255.255.255.0
access-list 101 permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 192.168.9.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 80 permit ip host 72.xx.xxx.xx 192.168.126.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.xx.xxx.xx 255.255.255.0
ip address inside 192.168.9.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.126.1-192.168.126.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 72.xx.xxx.xx www 192.168.9.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 72.xx.xxx.xx 3389 192.168.9.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 72.xx.xxx.xx 5900 192.168.9.3 5900 netmask 255.255.255.255 0 0
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 72.xx.xxx.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol rad
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto ipsec transform-set pixtopix esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set vpnclient
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address 101
crypto map vpnmap 1 s
crypto map vpnmap 1 set transform-set pixtopix
crypto map vpnmap 30 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 69.xxx.xxx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup acme address-pool vpnpool
vpngroup acme split-tunnel nonat
vpngroup acme idle-time 86400
vpngroup acme password ********
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 72.xx.xxx.xx 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.9.2-192.168.9.20 inside
dhcpd dns 4.x.x.x 4.x.x.x
dhcpd wins 192.168.0.68
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd option 150 ip 10.1.1.1
dhcpd enable inside
terminal width 80
Cryptochecksum:b093a68ffd1ea8781120bb3e2d218f91
: end
 
calvinetterCommented:
>From the PIX 515 at the main office I cannot telnet into 192.168.9.1.
That's because you're only "allowing" telnet from the 192.168.9.x subnet with the below config line:
>telnet 192.168.9.0 255.255.255.0 inside

Add this to your PIX 506 config:
telnet 192.168.0.0 255.255.255.0 inside

cheers
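A small audit script, added here as an example (not code from the thread or from Cisco), that reads the telnet/ssh and management-access lines out of a saved PIX 6.3 config and answers who may manage which interface; it covers both calvinetter's point about the telnet line and lrmoore's point that reaching the inside interface over the VPN needs "management-access inside". It assumes a constructed excerpt of the PIX 506 config posted above, with the masked public address 72.xx.xxx.xx replaced by the placeholder 203.0.113.5, and a simplified model in which VPN-sourced management of the inside interface requires that command.

```python
"""Who may telnet/ssh to a PIX 6.3 interface, read from a saved config.
Added example, not from the thread: parses the telnet/ssh and
'management-access' lines and says whether a source address is allowed.
"""
import ipaddress
import re

# Constructed excerpt of the PIX 506 config posted above; the masked public
# address 72.xx.xxx.xx is replaced by the placeholder 203.0.113.5.
PIX506_CONFIG = """\
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 203.0.113.5 255.255.255.255 outside
ssh timeout 5
management-access inside
"""

# 'telnet|ssh <ip> <mask> <interface>'; 'telnet timeout 5' has too few fields.
_MGMT_RE = re.compile(r"^(telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.M)


def parse_mgmt_rules(config):
    """Return [(proto, ip_network, interface)] from the telnet/ssh lines."""
    rules = []
    for proto, ip, mask, iface in _MGMT_RE.findall(config):
        try:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        except ValueError:  # not an address/mask pair, skip it
            continue
        rules.append((proto, net, iface))
    return rules


def has_management_access(config, iface="inside"):
    """True if 'management-access <iface>' is present."""
    return re.search(rf"^management-access\s+{iface}\s*$", config, re.M) is not None


def mgmt_allowed(config, proto, src_ip, iface, via_vpn=False):
    """True if src_ip may open proto to iface.

    Management of the inside interface from the far end of a site-to-site
    VPN also needs 'management-access inside'; the source must still match
    a telnet/ssh line naming that interface.
    """
    src = ipaddress.ip_address(src_ip)
    if via_vpn and iface == "inside" and not has_management_access(config, iface):
        return False
    return any(p == proto and i == iface and src in net
               for p, net, i in parse_mgmt_rules(config))
```

With the config as posted, mgmt_allowed(PIX506_CONFIG, "telnet", "192.168.0.68", "inside", via_vpn=True) is False; appending the line "telnet 192.168.0.0 255.255.255.0 inside" makes it True.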
