
Multiple Pix and ssh

This is a long one and I apologize if it seems rather simple but I need some help.

We have a single 2620 router and 2 PIX firewalls, one with 2 interfaces (Pix02) and one with 3 interfaces (Pix01), behind it. The networks are all subnetted from a single class A address given to us from our ISP. I will explain using a different ip address space.


ISP assigned address space (Class A address used as Class C address)

2620 inside ip

Pix01 outside ip

Pix01 dmz ip

Pix01 inside

Pix02 outside ip

Pix02 inside

We have 4 networks in our address space: (2620 inside, Pix01 outside, Pix02 outside) (Pix02 inside) (Pix01 dmz) (Pix01 inside)

Please tell me this makes sense to someone besides me. I inherited this system and added the second Pix to split up our network for certain reasons. My first question is, is this a smart way to do things? I did not get the 4th interface for our first Pix because we had another Pix just lying around. In most architectures I have looked at, there aren't 2 Pixes behind a single router unless they are being load balanced or used for failover. Being that this is still a learning process for me I feel unsure about the foundation of our setup.

My second question relates to communication to and from Pix02. I am attempting to use an ssh client to manage Pix02 from behind Pix01. To explain, I have a network management station at (Pix01 inside), that I use to ssh to Pix01. This is not a problem, it works great, but no matter what I allow in or out I can not ssh to Pix02. There are also no syslog errors or warnings coming from Pix01 when attempting to communicate to Pix02. Is this due to some underlying rule that doesn't allow ssh to an outside interface of a Pix, or am I just not setting up the Pixes properly?

I have done:

Got DES keys for both Pixes

ca generate rsa key 1024 (on both)

Pix01: no access list is necessary since I am accessing from the inside


access-list outside_acl permit tcp host any eq ssh

access-group outside_acl in interface outside

ssh outside

Is there something I am missing? I can reach Pix01 from the management station, just not Pix02. Any help is greatly appreciated. Sorry about the length of this post, I just felt it necessary to give as much information as I can.


Kevin Hutton
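An added check, not part of the original post or of any Cisco material: a small model of how a PIX 6.x `ssh <ip> <mask> <interface>` list is matched against the source address of a management session. It assumes (constructed values, since the post's real addresses were removed) that 10.0.0.0/8 stands in for the ISP block and that hosts on Pix01's inside network leave Pix01 through PAT on its outside address, so Pix02 sees Pix01's outside address rather than the management station's own address.

```python
import ipaddress

# Constructed sample addresses; the post's real ISP addresses are not on the page.
MGMT_STATION = "10.3.0.50"        # management station on the Pix01 inside network
PIX01_INSIDE_NET = "10.3.0.0/24"  # Pix01 inside network
PIX01_OUTSIDE = "10.1.0.2"        # Pix01 outside address, assumed PAT address for inside hosts
PIX02_OUTSIDE = "10.1.0.3"        # Pix02 outside address (the ssh target)


def parse_ssh_entries(config_lines):
    """Parse PIX 6.x 'ssh <ip> <mask> <interface>' lines into (network, interface) pairs."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ssh":
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            entries.append((net, parts[3]))
    return entries


def ssh_permitted(config_lines, source_ip, interface):
    """True when a session arriving on `interface` from `source_ip` matches an ssh entry.

    Management access to the PIX itself is governed by the ssh list, so this is the
    check to reason about before looking at the through-traffic access-list.
    """
    src = ipaddress.ip_address(source_ip)
    return any(src in net and iface == interface
               for net, iface in parse_ssh_entries(config_lines))


def source_seen_by_pix02(mgmt_ip, inside_net=PIX01_INSIDE_NET, pat_address=PIX01_OUTSIDE):
    """Assumption: Pix01 PATs its inside hosts, so Pix02 sees the PAT address as the source."""
    if ipaddress.ip_address(mgmt_ip) in ipaddress.ip_network(inside_net):
        return pat_address
    return mgmt_ip


def check_management_path(pix02_config, mgmt_ip=MGMT_STATION):
    """Return (address Pix02 sees, whether Pix02's ssh list admits it on 'outside')."""
    seen = source_seen_by_pix02(mgmt_ip)
    return seen, ssh_permitted(pix02_config, seen, "outside")


if __name__ == "__main__":
    # Entry written for the station's own address: the session is not admitted.
    print(check_management_path(["ssh 10.3.0.50 255.255.255.255 outside"]))
    # Entry written for Pix01's outside (PAT) address: the session is admitted.
    print(check_management_path(["ssh 10.1.0.2 255.255.255.255 outside"]))
```

Widening the entry to the whole shared outside subnet (e.g. a /24 mask) also admits the session, but then any host on that segment may attempt ssh to Pix02, so the narrowest mask that covers the translated address is the better setting.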


Re: Multiple Pix and ssh

The following URL might help with your questions.
