Secure only in the sense that you can limit source IPs (which can possibly
be circumvented) and that the session is encrypted so it is more difficult
to sniff the password.  However, this would possibly allow someone on the
internet to gain access to the firewall and set up their own rules to allow
access to your inside network or take it completely down by wiping the
config and changing the password on you.  Just be wary of doing anything
that allows people potential access to the hardware protecting it.  Static
commands can be set up to limit connections to inside hosts, but just
imagine someone doing a DoS involving several thousand attempted telnet/ssh
connections when that port is open...  You can't limit those on the outside
interface since it is not controlled by a static statement.

Personally I prefer setting up an IPSec tunnel to the inside and then
telnetting to the inside interface with SSH.  One step below that would be
some kind of RAS to the inside.  That at least adds an additional step the
would-be hackers would have to navigate through with username/passwords in
order to change access to the network from the outside.

----- Original Message -----
From: "Burnham, Chris" 
To: 
Sent: Tuesday, September 18, 2001 10:30 AM
Subject: RE: Telnet on PIX outside interface [7:20271]


> Why don't you set up ssh. This can be done to the outside interface and is
> secure...
>
>
> -----Original Message-----
> From: MADMAN [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 16:09
> To: [EMAIL PROTECTED]
> Subject: Re: Telnet on PIX outside interface [7:20271]
>
>
> If what you are trying to do is telnet to the PIX outside interface, no
> can do.
>
>   dave
>
> NRB wrote:
> >
> > Guys/Gurus,
> >
> > Can anyone please help me in setting up Telnet access on the outside
> > interface of PIX.
> > I heard that we need to use IPSec and Cisco VPN client.  I do not have
> > VPN client, can it still be done? Please help.
> >
> > Thanks,
> > NRB
> --
> David Madland
> Sr. Network Engineer
> CCIE# 2016
> Qwest Communications Int. Inc.
> [EMAIL PROTECTED]
> 612-664-3367
>
> "Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20292&t=20271