Brian,

Can you please clarify the statement you made below. I understood that anything less than SSH v2.0 should not be used. With the recent issues with ssh, it may be a sitting target.

re: "Cisco currently has no plans for v2.0 or later (it offers no advantage for Telnet access)"

-Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Ford
Sent: Thursday, November 08, 2001 8:42 AM
To: Harry Whitehouse
Cc: [EMAIL PROTECTED]
Subject: Re: Configuring PIX via TCP/IP Connection?

Harry,

Ahh, serial connectivity. Do you have a 2509 or a 2511 access server with an octopus cable? You can Telnet to the access server and then gain console access via serial cable to a locally attached device (PIX, router, switch, etc...).

You have a number of options for configuring the PIX over the (TCP/IP) network. All assume that the PIX can be configured in advance.

As Jay pointed out you can configure Telnet to the PIX. Permitting Telnet access to the PIX is only allowed from the inside interface. Any sessions that attempt to initiate from the outside interface must be IPsec. If they are not IPsec, they are rejected (they can be configured but just don't work, ugh). You can define a range of addresses from the inside network from which Telnet is allowed. That is configurable with a net mask so you can narrow it to a range or an individual IP address.

You can configure the PIX to accept a Telnet session over the outside (actually any) interface using IPsec. You have a range of control over the IP addresses from which sessions will be accepted. I'd suggest using a different IPsec configuration for remote management as opposed to site to site connectivity (pre-shared and DES is good).

You can configure SSH (Telnet) access to the PIX. The PIX supports SSH v1.5 implementations. Cisco currently has no plans for v2.0 or later (it offers no advantage for Telnet access).

PIX Device Manager (PDM) GUI uses SSL when connecting to the PIX. PDM is a v6.0 add-on (a separate file from the PIX OS). You can use this from the inside or the outside interface. The IPsec session is still a requirement for outside access.

I use PDM to manage a number of PIXen. I created a web page on my management station that allows me to browse to any one of the PIX. Be careful though, I have found that some PCs cannot handle running multiple SSL sessions well (more memory?).

In order to log Telnet management access to the PIX you'll probably want to configure Syslog for either notifications (Syslog level 5) or informational (Syslog level 6) or better.

In v5.3 you have Telnet, SSH and IPsec options.

In v6.0 (and later) the PIX OS implemented the "setup" feature. If the PIX starts and finds no configuration it will ask the console if the admin wants to run through a setup dialogue. The setup dialogue works in conjunction with PDM, and sets the PIX up to allow PDM access from the inside.

In v6.1 the PIX 501 does come with "plug and play" configuration. That pre-configures the PIX to expect a DHCP server on the outside interface (PIX DHCP client) and act as a DHCP server to a pool of 256 inside IP addresses. You can order that same configuration on any new PIX but it is standard on the 501.

Liberty for All,

Brian

At 09:08 PM 11/7/2001 -0800, "Harry Whitehouse" <[EMAIL PROTECTED]> wrote:
>From: "Harry Whitehouse" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: Configuring PIX via TCP/IP Connection?
>Date: Thu, 1 Nov 2001 12:52:09 -0800
>
>Hello All!
>
>I've pretty much got the PIX configuration process down using a serial
>cable, but in reading the manual it seems to suggest that I could issue the
>same configuration commands via an internet or intranet connection. Now
>that I have several PIXes and only one serial cable, I'm looking for some
>alternatives <g>.
>
>So, can one really configure via TCP/IP? If so, how do I go about it? Does
>one use Telnet? Do you work from the inside or outside of the PIX (network
>wise). What address/port do you connect to?
>
>I'm running 5.3 OS on my boxes. I've heard that 6.0 might have a better
>configuration interface. Can anyone confirm that?
>
>TIA
>
>Harry

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
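Brian's message lays out the management-access rules an administrator has to get right on a PIX: Telnet only from the inside interface and only from a narrowed address range, SSH configured as the preferred CLI path, and syslog at notifications (level 5) or better so that Telnet/SSH logins are actually recorded. The following script is an added example, not code from the thread or from Cisco: it audits a saved PIX 6.x-style configuration text for those three points. The `telnet`/`ssh`/`http <address> <mask> <interface>` and `logging trap <level>` command shapes are the real PIX syntax; the sample configuration, its addresses and its deliberately weak settings are constructed for the example, and the `/24` minimum prefix and level-5 threshold are assumptions you would tune to your own policy.

```python
"""Audit a PIX 6.x-style configuration for the remote-management rules
described in the thread: Telnet only from inside and only from a narrow
range, SSH present, and syslog trap level at notifications (5) or better.
Added example; the sample config below is constructed, not a real device."""
import ipaddress
import re

# PIX/IOS syslog severity names and their numeric levels.
SYSLOG_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample in PIX 6.x command style. Addresses and the weak
# settings (wide-open Telnet on outside, trap level below 5) are made up.
SAMPLE_CONFIG = """\
telnet 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.10 255.255.255.255 inside
logging on
logging trap warnings
logging host inside 192.168.1.20
"""

# <proto> <address> <netmask> <interface>; lines like "telnet timeout 5"
# have a different shape and are deliberately not matched.
ACCESS_RE = re.compile(r"^(telnet|ssh|http)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
TRAP_RE = re.compile(r"^logging trap\s+(\S+)\s*$")


def prefix_len(mask: str) -> int:
    """Convert a dotted netmask (255.255.255.0) to a prefix length (24)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def audit(config: str, min_prefix: int = 24, min_level: int = 5) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    seen_ssh = False
    trap_level = None

    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m:
            proto, addr, mask, iface = m.groups()
            plen = prefix_len(mask)
            if proto == "telnet" and iface != "inside":
                findings.append(
                    f"telnet permitted on {iface} ({addr}/{plen}): the PIX only "
                    "honours non-inside Telnet inside an IPsec session, so this "
                    "line is either dead or a cleartext management path")
            if plen < min_prefix:
                findings.append(
                    f"{proto} on {iface} allows {addr}/{plen}: wider than the "
                    f"/{min_prefix} minimum; narrow it to the management hosts")
            if proto == "ssh":
                seen_ssh = True
            continue
        m = TRAP_RE.match(line)
        if m:
            level = m.group(1)
            trap_level = SYSLOG_LEVELS.get(level)
            if trap_level is None and level.isdigit():
                trap_level = int(level)

    if not seen_ssh:
        findings.append("no ssh statement: Telnet is the only CLI path")
    if trap_level is None:
        findings.append("no 'logging trap' level: management logins are not sent to syslog")
    elif trap_level < min_level:
        findings.append(
            f"logging trap level {trap_level} is below notifications ({min_level}): "
            "Telnet/SSH logins will not reach the syslog host")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against `show running-config` output saved to a file and replace `SAMPLE_CONFIG` with that text; on the constructed sample it reports the wide-open Telnet line twice (wrong interface and `/0` range) and the trap level of 4, and nothing for the `/24` inside Telnet or the single-host SSH entry.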
