You cannot telnet to the inside address from the outside even over a VPN AFAIK. Just use SSH to the outside if you have RADIUS or TACACS. Otherwise you'll have to SSH or Telnet to a host on the inside of the PIX and then Telnet back in. So, if you have a router or switch on the inside of the network just go to it first and then back to the inside interface of the PIX.
John Kaberna
CCIE #7146
www.netcginc.com
(415) 750-3800
Instructor for 5-day CCIE class for ccbootcamp.com
__________________
CCIE Security Training
www.netcginc.com/training.htm

"Dante Martins" wrote in message news:[EMAIL PROTECTED]...
> How can I telnet to PIX inside interface from the VPN (I.E. from 10.128.128.0 telnet 172.16.3.252).
>
> I have tried using telnet command:
> "telnet 10.128.128.0 255.255.255.0 inside" but still no working.
>
> Can you help me?
>
> Dante
>
>
> CONF MAIN PIX
> PIX Version 6.0(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 DMZ1 security10
> nameif ethernet3 intf3 security15
> nameif ethernet4 intf4 security20
> nameif ethernet5 intf5 security25
> enable password *********** encrypted
> passwd ********** encrypted
> hostname MAIN
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0 255.255.255.0
> access-list 102 permit ip 10.128.128.0 255.255.224.0 192.168.3.0 255.255.255.0
> access-list 103 permit ip 10.128.128.0 255.255.224.0 10.250.1.0 255.255.255.0
> access-list 103 permit ip 10.128.128.0 255.255.224.0 10.249.0.0 255.255.240.0
> access-list 104 permit ip 10.128.128.0 255.255.224.0 10.250.11.0 255.255.255.0
> access-list 105 permit ip 10.128.128.0 255.255.224.0 10.250.95.0 255.255.255.0
> pager lines 24
> logging on
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> interface ethernet3 auto
> interface ethernet4 auto shutdown
> interface ethernet5 auto shutdown
> mtu outside 1500
> mtu inside 1500
> mtu DMZ1 1500
> mtu intf3 1500
> mtu intf4 1500
> mtu intf5 1500
> ip address outside 200.219.100.2 255.255.255.0
> ip address inside 10.128.159.253 255.255.224.0
> ip address DMZ1 10.255.255.254 255.255.224.0
> ip address intf3 10.250.11.254 255.255.255.0
> ip address intf4 127.0.0.1 255.255.255.255
> ip address intf5 127.0.0.1 255.255.255.255
> ip audit info action alarm
> ip audit attack action alarm
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> failover ip address DMZ1 0.0.0.0
> failover ip address intf3 0.0.0.0
> failover ip address intf4 0.0.0.0
> failover ip address intf5 0.0.0.0
> pdm history enable
> arp timeout 14400
> global (outside) 1 200.219.100.100-200.219.100.199
> global (outside) 1 200.219.100.200
> global (DMZ1) 1 10.255.224.10-10.255.224.70
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
> alias (inside) 200.219.100.26 10.255.224.3 255.255.255.255
> alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255
> alias (inside) 200.219.100.31 10.255.224.9 255.255.255.255
> alias (inside) 200.219.100.54 10.255.224.4 255.255.255.255
>
> static (inside,outside) 200.219.100.26 10.128.128.26 netmask 255.255.255.255 0 0
> static (inside,outside) 200.219.100.30 10.128.128.30 netmask 255.255.255.255 0 0
> static (inside,outside) 200.219.100.31 10.128.128.32 netmask 255.255.255.255 0 0
> static (inside,outside) 200.219.100.54 10.128.128.54 netmask 255.255.255.255 0 0
>
> conduit permit icmp any any
> conduit permit tcp host 200.219.100.30 eq www any
> conduit permit tcp host 200.219.100.30 eq domain any
> conduit permit udp host 200.219.100.30 eq domain any
> conduit permit tcp host 200.219.100.31 eq www any
> conduit permit tcp host 200.219.100.31 eq domain any
> conduit permit udp host 200.219.100.31 eq domain any
> conduit permit tcp host 200.219.100.26 eq 161 any
> conduit permit tcp host 200.219.100.26 eq 162 any
> conduit permit udp host 200.219.100.26 eq snmp any
> conduit permit udp host 200.219.100.26 eq snmptrap any
> conduit permit tcp host 200.219.100.54 eq domain any
> conduit permit udp host 200.219.100.54 eq domain any
> conduit permit tcp host 200.219.100.54 eq 22 any
>
> route outside 0.0.0.0 0.0.0.0 200.219.100.1 1
> route outside 10.0.64.0 255.255.224.0 10.128.159.252 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> snmp-server host inside 10.128.128.21
> snmp-server location mainsite
> snmp-server contact support@mainsite
> snmp-server community pixpix
> snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> sysopt ipsec pl-compatible
> no sysopt route dnat
>
> crypto ipsec transform-set strong esp-des esp-sha-hmac
> crypto map cmap 1 ipsec-isakmp
> crypto map cmap 1 match address 101
> crypto map cmap 1 set peer 200.200.100.2
> crypto map cmap 1 set transform-set strong
> crypto map cmap 2 ipsec-isakmp
> crypto map cmap 2 match address 102
> crypto map cmap 2 set peer 200.200.111.2
> crypto map cmap 2 set transform-set strong
> crypto map cmap 3 ipsec-isakmp
> crypto map cmap 3 match address 103
> crypto map cmap 3 set peer 200.200.222.2
> crypto map cmap 3 set transform-set strong
> crypto map cmap 4 ipsec-isakmp
> crypto map cmap 4 match address 104
> crypto map cmap 4 set peer 200.202.202.2
> crypto map cmap 4 set transform-set strong
> crypto map cmap 5 ipsec-isakmp
> crypto map cmap 5 match address 105
> crypto map cmap 5 set peer 205.205.205.2
> crypto map cmap 5 set transform-set strong
> crypto map cmap interface outside
> isakmp enable outside
> isakmp key ******** address 200.200.100.2 netmask 255.255.255.255
> isakmp key ******** address 200.219.100.4 netmask 255.255.255.255
> isakmp key ******** address 200.200.111.2 netmask 255.255.255.255
> isakmp key ******** address 200.200.222.2 netmask 255.255.255.255
> isakmp key ******** address 200.202.202.2 netmask 255.255.255.255
> isakmp key ******** address 205.205.205.2 netmask 255.255.255.255
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash sha
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 3600
> telnet 10.128.128.0 255.255.224.0 inside
> telnet 10.128.128.0 255.255.224.0 DMZ1
> telnet timeout 5
> ssh timeout 5
>
>
> CONF of office1 PIX:
>
> PIX Version 6.1(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password ************** encrypted
> passwd *********** encrypted
> hostname office1
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list 101 permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
> access-list 102 permit ip 172.16.0.0 255.255.0.0 10.128.128.0 255.255.224.0
> pager lines 24
> logging on
> interface ethernet0 auto
> interface ethernet1 auto
> mtu outside 1500
> mtu inside 1500
> ip address outside 200.200.100.2 255.255.255.240
> ip address inside 172.16.3.252 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> global (outside) 1 200.200.100.3-200.200.100.10
> global (outside) 1 200.200.100.11
> nat (inside) 1 172.16.0.0 255.255.0.0 0 0
> static (inside,outside) 200.200.100.12 172.16.3.25 netmask 255.255.255.255 0 0
> conduit permit gre any any
> conduit permit icmp any any
> conduit permit udp host 211.211.211.251 eq domain any
> conduit permit tcp host 211.211.211.251 eq domain any
> conduit permit tcp host 211.211.211.251 eq smtp any
> conduit permit udp host 211.211.211.251 eq 25 any
> conduit permit tcp host 200.200.100.12 eq domain any
> conduit permit udp host 200.200.100.12 eq domain any
> conduit permit tcp host 200.200.100.12 eq smtp any
> conduit permit udp host 200.219.100.26 eq snmp any
> conduit permit udp host 200.219.100.26 eq snmptrap any
> route outside 0.0.0.0 0.0.0.0 200.200.100.1 1
> route inside 172.16.15.0 255.255.255.0 172.16.3.254 1
> route inside 172.17.0.0 255.255.0.0 172.16.3.254 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> snmp-server host outside 200.219.100.26
> snmp-server location "Office1"
> snmp-server contact support@office1
> snmp-server community pixpix
> snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> sysopt ipsec pl-compatible
> no sysopt route dnat
> crypto ipsec transform-set strong esp-des esp-sha-hmac
> crypto map cmap 10 ipsec-isakmp
> crypto map cmap 10 match address 101
> crypto map cmap 10 set peer 200.200.111.2
> crypto map cmap 10 set transform-set strong
> crypto map cmap 20 ipsec-isakmp
> crypto map cmap 20 match address 102
> crypto map cmap 20 set peer 200.219.100.2
> crypto map cmap interface outside
> isakmp enable outside
> isakmp key ******** address 200.200.111.2 netmask 255.255.255.255
> isakmp key ******** address 200.219.100.2 netmask 255.255.255.255
> isakmp key ******** address 200.200.100.2 netmask 255.255.255.255
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash sha
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 3600
> telnet 172.16.3.0 255.255.255.0 inside
> telnet timeout 5
> ssh timeout 5
> terminal width 80
>
> ________________________________________________________________________
> This email has been scanned for all viruses by the MessageLabs service.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33627&t=33589
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
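
A simplified model of the behaviour described in the reply, as an added example that is not part of the original thread: a Telnet session is accepted only on the interface the packet arrives on, so a `telnet ... inside` statement never matches traffic that enters through the tunnel on outside. The function names and the route-based ingress approximation are assumptions; the config lines are excerpted from the office1 configuration quoted above, with the poster's attempted `telnet` statement added.

```python
import ipaddress

# Excerpt of the quoted office1 config, plus the statement the poster tried.
OFFICE1 = """\
ip address outside 200.200.100.2 255.255.255.240
ip address inside 172.16.3.252 255.255.255.0
route outside 0.0.0.0 0.0.0.0 200.200.100.1 1
route inside 172.16.15.0 255.255.255.0 172.16.3.254 1
route inside 172.17.0.0 255.255.0.0 172.16.3.254 1
telnet 172.16.3.0 255.255.255.0 inside
telnet 10.128.128.0 255.255.255.0 inside
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect interface addresses, routes and telnet permit statements."""
    ifaces, routes, telnet = {}, [], []
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"]:
            ifaces[w[2]] = ipaddress.ip_address(w[3])
            routes.append((net(w[3], w[4]), w[2]))  # connected subnet
        elif w[:1] == ["route"]:
            routes.append((net(w[2], w[3]), w[1]))
        elif w[:1] == ["telnet"] and len(w) == 4:    # skips "telnet timeout 5"
            telnet.append((net(w[1], w[2]), w[3]))
    return ifaces, routes, telnet

def ingress(routes, src):
    """Assumed ingress interface: longest-prefix route match on the source."""
    hits = [(n.prefixlen, ifc) for n, ifc in routes if src in n]
    return max(hits)[1] if hits else None

def telnet_verdict(config, src, dst):
    ifaces, routes, telnet = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    arrive = ingress(routes, src)
    target = next((i for i, a in ifaces.items() if a == dst), None)
    if target != arrive:
        # The case in this thread: far-side interface is not reachable.
        return f"refused: arrives on {arrive}, target is {target} interface"
    if not any(src in n and i == arrive for n, i in telnet):
        return f"refused: no telnet statement for {src} on {arrive}"
    return f"allowed on {arrive}"

if __name__ == "__main__":
    print(telnet_verdict(OFFICE1, "10.128.128.10", "172.16.3.252"))
    print(telnet_verdict(OFFICE1, "172.16.3.10", "172.16.3.252"))
```

The model does not cover the separate restriction on Telnet to the outside interface or the SSH path the reply recommends.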