
SSH and SNMP Inside Interface Management

Unanswered Question
Apr 16th, 2004

I have a PIX 515 connecting to a VPN3015 via a site-to-site tunnel. All communication is working fine except that I can't remotely connect to the inside interface via either SSH or SNMP. I have already configured management-access inside on the PIX. SSH and SNMP work fine while you're on the same IP segment as the PIX firewall, but the moment you step across the tunnel you are denied.

What am I missing in my config?


Have you ever connected to it with SSH? If you have not, you might need to do the ca generate mojo.

If you have, do a show ssh: is there a statement with the netblock and interface you are connecting from, i.e. outside?

SNMP: do a show snmp. Do you have an snmp-server host outside x.x.x.x statement?

ehirsel Mon, 04/19/2004 - 05:37

I do not believe that you can access the pix's inside interface address via a packet arriving on the outside interface. What I would do is one of these:

1. Allow ssh and snmp requests to terminate on the outside interface of the pix.

2. Grant remote access from the outside to an internal terminal server. Then launch a session from the terminal server to the pix. This is what I call indirect management.

The 2nd way is more secure, as you have to have access to an internal network device prior to accessing the pix. However, the drawback is that it relies on the pix's internal interface to work properly.

But no matter which case you use, if you cannot access the AAA server that performs authentication, you may not be able to create the vpn session to the 3015 anyway, so the purpose of troubleshooting the pix from a remote location can be defeated under this circumstance. However, if you have local user accounts created on the 3015 and the pix for this case, you may be able to configure the 3015 to handle two classes of users, similar to setting up two different vpngroups on the pix.

Let me know if this helps, or if you need more assistance.
