
Access Inside interface from Outside

snarayanaraju
Level 4

Hi Experts,

I request your help in clarifying the scenario below in FWSM:

I want to access my INSIDE interface (ip address 10.1.1.1) from a server located in OUTSIDE interface (ip address 218.248.17.116).

I learned that it is not by default possible in FWSM to access another interface (INSIDE) from one zone (OUTSIDE).

Is this possible to achieve if I configure IPSEC VPN in FWSM?

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 group 2
isakmp policy 1 hash sha
isakmp enable OUTSIDE
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
isakmp key SAIRAM address 218.248.17.116
access-list TUNNEL extended permit ip host 218.248.17.1 218.248.17.1 255.255.255.0
crypto map telnet_tunnel 2 ipsec-isakmp
crypto map telnet_tunnel 1 match address TUNNEL
crypto map telnet_tunnel 1 set peer 218.248.17.1
crypto map telnet_tunnel 1 set transform-set vpn
crypto map telnet_tunnel interface outside
telnet 218.248.17.0 255.255.255.0 OUTSIDE

Please share your valuable ideas.

THANKS IN ADVANCE

sairam
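An added example (not part of the original post and not Cisco code): a small cross-reference check over the crypto statements quoted in the question, listing crypto map entries that are incomplete or that name a peer, ACL or transform set with no matching definition in the same listing. The function name and the exact-address matching of `isakmp key` lines are assumptions of this sketch.

```python
# Added example: cross-reference check for PIX/FWSM-style IPsec statements.
# Assumption: an isakmp key covers a peer only by exact address (no netmask handling).

# Crypto statements from the question above, transform-set keyword spelled out.
CONFIG = """\
isakmp key SAIRAM address 218.248.17.116
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
access-list TUNNEL extended permit ip host 218.248.17.1 218.248.17.1 255.255.255.0
crypto map telnet_tunnel 2 ipsec-isakmp
crypto map telnet_tunnel 1 match address TUNNEL
crypto map telnet_tunnel 1 set peer 218.248.17.1
crypto map telnet_tunnel 1 set transform-set vpn
crypto map telnet_tunnel interface outside
"""

def check_crypto_config(text):
    """Return consistency findings, one string per problem, ordered by map entry."""
    keys, tsets, acls, entries = set(), set(), set(), {}
    for line in text.splitlines():
        w = line.split()
        if w[:2] == ["isakmp", "key"] and "address" in w[:-1]:
            keys.add(w[w.index("address") + 1])      # peer the pre-shared key is for
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 3:
            tsets.add(w[3])
        elif w[:1] == ["access-list"] and len(w) > 1:
            acls.add(w[1])
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3].isdigit():
            # Group statements by (map name, sequence number).
            entry = entries.setdefault((w[2], int(w[3])), {})
            if len(w) > 6 and w[4:6] == ["match", "address"]:
                entry["acl"] = w[6]
            elif len(w) > 6 and w[4] == "set" and w[5] in ("peer", "transform-set"):
                entry[w[5]] = w[6]
    findings = []
    defined = {"acl": acls, "peer": keys, "transform-set": tsets}
    for (name, seq), entry in sorted(entries.items()):
        missing = [kind for kind in defined if kind not in entry]
        if missing:
            findings.append(f"{name} {seq}: missing {', '.join(missing)}")
        for kind, value in entry.items():
            if value not in defined[kind]:
                findings.append(f"{name} {seq}: {kind} {value} has no matching definition")
    return findings

if __name__ == "__main__":
    for finding in check_crypto_config(CONFIG):
        print(finding)
```

Each finding is a prompt to review the listed entry against the intended peer and sequence number, not a statement of what the device will accept.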

2 Replies

Jon Marshall
Hall of Fame

Sairam

Have a look at the "management-access" command which allows you to designate an interface that can be connected to from another zone -

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/m.html#wp1637044

Jon

Hi Marshall,

Thanks for your ideas and suggestions. The link you provided is very helpful.

So, my requirement is also the same. I have a PRIMARY SNMP server in the INSIDE zone and a SECONDARY SNMP server in the OUTSIDE zone.

Since both SNMP servers should be configured with the same IP address of the , I should be able to reach the INSIDE interface IP address from the OUTSIDE zone.

I hope this configuration will work for my scenario.

sairam
