Re: Telnet on PIX outside interface [7:20271]

2001-09-18 Thread Magdy H. Ibrahim

Hi,

If your inside servers run W2k then you can set up the remote access service
on the W2k server and add a static command on your PIX with a conduit command to
permit remote access from outside to your W2k server. Then permit telnetting
for this server to the inside interface...

If you want the exact command, mail me again and I'll be pleased to help.
By the way, there is no way to telnet on the outside interface...

Magdy H. Ibrahim



NRB wrote in message news:[EMAIL PROTECTED]...
> Guys/Gurus,
>
> Can anyone please help me in setting up Telnet access on outside interface
> of PIX.
> I heard that we need to use IPSec and Cisco VPN client. I do not have VPN client,
> can it still be done. Please help.
>
> Thanks,
> NRB




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=20277t=20271
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Telnet on PIX outside interface [7:20271]

2001-09-18 Thread Eric Hoffman

With version 5.1, you can set up a vpdn/pptp connection to telnet to the
outside interface of the PIX.

Watch the wrap.

http://www.cisco.com/warp/public/110/pptppix.html



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=20281t=20271



Re: Telnet on PIX outside interface [7:20271]

2001-09-18 Thread Magdy H. Ibrahim

I was talking about normal telnetting from outside without extra setting for
vpdn/pptp...

Just my two cents;-)

Regards,

Magdy



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=20282t=20271



Re: Telnet on PIX outside interface [7:20271]

2001-09-18 Thread MADMAN

If what you are trying to do is telnet to the PIX outside interface, no
can do.

  dave

-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=20283t=20271



RE: Telnet on PIX outside interface [7:20271]

2001-09-18 Thread Burnham, Chris

Why don't you set up ssh. This can be done to the outside interface and is
secure...


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=20284t=20271



Re: Telnet on PIX outside interface [7:20271]

2001-09-18 Thread Don Claybrook

I set up telnet to the outside if with every PIX I send out the door.  It
does require IPSec and I use v6.01 and VPN client 3.0/3.1 (don't know the
ins and outs on older versions).

Below is a sample configuration that's actually in use, with the IPs
changed to protect the innocent.  Note that the basic elements include:
defining an IP local pool, creating an access list with source address being
the outside interface of the PIX and the destination being the IP Pool
range.  Then, of course, you have to do the telnet outside statement and the
rest of the IPSec stuff.  Note that with this configuration you would need
to set up a client to go to address 99.12.192.121, with the username vpnuser
and the password idontthinkso.  Below is a sample, from a 506:

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable xoxoxoxo
passwd abababab
hostname asdf
...
...
access-list 91 permit ip host 99.12.192.121 192.168.210.0 255.255.255.0
...
...
ip address outside 99.12.192.121 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
...
...
ip local pool vpnpool 192.168.210.1-192.168.210.30
...
...
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set triple esp-3des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set triple
...
...
crypto map clientmap 20 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap interface outside
isakmp enable outside
...
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 1000
vpngroup vpnuser address-pool vpnpool
vpngroup vpnuser idle-time 1800
vpngroup vpnuser password idontthinkso
telnet 192.168.210.0 255.255.255.0 outside
...
telnet timeout 5
...
...


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=20290t=20271
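
An added example, not part of the original thread or of Cisco's tooling: a small Python check for the arrangement described in the message above, where `telnet ... outside` is restricted to the IPSec client address pool. It reports outside telnet sources that are not confined to an `ip local pool` range and IKE policies that use MD5 or Diffie-Hellman group 1; the function name `audit` and the sample text (lines from the post plus one deliberately broad `telnet` line) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: lines from the configuration quoted in the post,
# plus one deliberately broad "telnet ... outside" line for the demonstration.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.210.1-192.168.210.30
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 20 hash md5
isakmp policy 20 group 2
telnet 192.168.210.0 255.255.255.0 outside
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
"""


def audit(config):
    """Return sorted findings about outside telnet access and IKE policy."""
    findings = []
    # Address ranges handed out to IPSec clients: (first, last) per pool.
    pools = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
             for lo, hi in re.findall(r"^ip local pool \S+ (\S+)-(\S+)",
                                      config, re.M)]
    # Only "telnet <net> <mask> outside" lines matter; inside ones are skipped.
    for net, mask in re.findall(r"^telnet (\S+) (\S+) outside\b", config, re.M):
        src = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if src.prefixlen == 0:
            findings.append(f"telnet outside: source {src} is any address")
        elif not any(lo in src and hi in src for lo, hi in pools):
            findings.append(
                f"telnet outside: source {src} covers no VPN address pool")
    # IKE policies that still negotiate MD5 or Diffie-Hellman group 1.
    for num, key, val in re.findall(
            r"^isakmp policy (\d+) (hash|group) (\S+)", config, re.M):
        if (key, val) in {("hash", "md5"), ("group", "1")}:
            findings.append(f"isakmp policy {num}: weak {key} {val}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
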



Re: Telnet on PIX outside interface [7:20271]

2001-09-18 Thread Allen May

Secure only in the sense that you can limit source IPs (which can possibly
be circumvented) and that the session is encrypted so it is more difficult
to sniff the password.  However, this would possibly allow someone on the
internet to gain access to the firewall and set up their own rules to allow
access to your inside network or take it completely down by wiping the
config and changing the password on you.  Just be wary of doing anything
that allows people potential access to the hardware protecting it.  Static
commands can be set up to limit connections to inside hosts, but just
imagine someone doing a DOS involving several thousand attempted telnet/ssh
connections when that port is open.  You can't limit those on the outside
interface since it is not controlled by a static statement.

Personally I prefer setting up an IPSec tunnel to the inside and then
telnetting to the inside interface with SSH.  One step below that would be
some kind of RAS to the inside.  That at least adds an additional step the
would-be hackers would have to navigate through with username/passwords in
order to change access to the network from the outside.

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=20292t=20271



Re: Telnet on PIX outside interface [7:20271]

2001-09-18 Thread Patrick Ramsey

Gosh, that means you are allowing access to your win2k servers from the
outside... Remember... Microsoft doesn't belong on the internet... : )

On a serious note... Say you have a static statement to your internal
host... What ports would you allow through?  Surely you are not referring to
pcanywhere or win2k's remote management console?  I would only recommend
this if the source ip was ALWAYS the same and the acl would reflect that!
(And even then as paranoid as I am I still wouldn't do it!)

I might consider throwing a hardened linux box with absolutely no type of
ftp/telnet client on it in the dmz.  SSH to it, then re-ssh to the pix.  And
rename ssh while you are at it to something inconspicuous and take the
execute attributes off of it!  : )

my $.02

-Patrick

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=20299t=20271



RE: Telnet on PIX outside interface [7:20271]

2001-09-18 Thread Eugene Kushnirskiy

If you need to access the outside interface of the pix, you can use the
ssh command, which lets you access the pix via the outside interface.
Command reference is located at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm#xtocid358475

For this to work you must have either single DES or triple DES enabled
on your PIX, and the machine that is trying to access the outside
interface of the PIX needs to be running ssh software, which you can
download at

http://hp.vector.co.jp/authors/VA002416/teraterm.html


Eugene

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
NRB
Sent: Tuesday, September 18, 2001 10:10 AM
To: [EMAIL PROTECTED]
Subject: Telnet on PIX outside interface [7:20271]

Guys/Gurus,

Can anyone please help me in setting up Telnet access on outside interface
of PIX.
I heard that we need to use IPSec and Cisco VPN client. I do not have VPN client,
can it still be done. Please help.

Thanks,
NRB





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=20354t=20271