Cisco Support Community

yeo
New Member

Multiple Pix and ssh

This is a long one and I apologize if it seems rather simple, but I need some help.

We have a single 2620 router and 2 PIX firewalls, one with 2 interfaces (Pix02) and one with 3 interfaces (Pix01), behind it. The networks are all subnetted from a single class A address given to us from our ISP. I will explain using a different ip address space.

Ex.

ISP assigned address space 66.1.1.0 (Class A address used as Class C address)

2620 inside ip 66.1.1.1 255.255.255.224

Pix01 outside ip 66.1.1.2 255.255.255.224

Pix01 dmz ip 66.1.1.65 255.255.255.192

Pix01 inside 66.1.1.129 255.255.255.128

Pix02 outside ip 66.1.1.3 255.255.255.224

Pix02 inside 66.1.1.33 255.255.255.224

We have 4 networks in our address space:

66.1.1.0 (2620 inside, Pix01 outside, Pix02 outside)

66.1.1.32 (Pix02 inside)

66.1.1.64 (Pix01 dmz)

66.1.1.128 (Pix01 inside)

Please tell me this makes sense to someone besides me. I inherited this system and added the second PIX to split up our network for certain reasons. My first question is, is this a smart way to do things? I did not get the 4th interface for our first PIX because we had another PIX just lying around. In most architectures I have looked at, there aren't 2 PIXes behind a single router unless they are being load balanced or used for failover. Being that this is still a learning process for me, I feel unsure about the foundation of our setup.

My second question relates to communication to and from Pix02. I am attempting to use an SSH client to manage Pix02 from behind Pix01. To explain, I have a network management station at 66.1.1.150 (Pix01 inside) that I use to SSH to Pix01. This is not a problem, it works great, but no matter what I allow in or out I cannot SSH to Pix02. There are also no syslog errors or warnings coming from Pix01 when attempting to communicate with Pix02. Is this due to some underlying rule that doesn't allow SSH to an outside interface of a PIX? Or am I just not setting up the PIXes properly?

I have done:

Got DES keys for both PIXes

ca generate rsa key 1024 (on both)

Pix01: no access list is necessary since I am accessing it from the inside

Pix02:

access-list outside_acl permit tcp host 66.1.1.150 any eq ssh

access-group outside_acl in interface outside

ssh 66.1.1.150 255.255.255.255 outside

Is there something I am missing? I can reach Pix01 from the management station, just not Pix02. Any help is greatly appreciated. Sorry about the length of this post, I just felt it necessary to give as much information as I can.

Thanks,

Kevin Hutton
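The address plan and the PIX "ssh" permit entry above can be checked mechanically. The following is an added example (not code from the post or from Cisco): it takes the four subnets and six interface addresses exactly as the poster listed them, confirms the subnets do not overlap and that every interface address sits in a planned subnet with a matching mask, and emulates the address/mask match a PIX performs for an "ssh <ip> <mask> <interface>" entry. It assumes the source address Pix02 sees from the management station is the untranslated 66.1.1.150; the last function lets you test what happens if Pix01 translated it to some other address instead.

```python
"""Sanity-check the subnet plan and the PIX 'ssh' permit entry from the post.

Added example, not part of the original post. Subnets and interface addresses
are the illustrative ones the poster gave (66.1.1.0/24 carved into four
subnets). The match logic is plain address/mask arithmetic, not a Cisco tool.
"""
import ipaddress

# The four subnets exactly as described in the post (network -> role).
PLAN = {
    "66.1.1.0/27":   "2620 inside / Pix01 outside / Pix02 outside",
    "66.1.1.32/27":  "Pix02 inside",
    "66.1.1.64/26":  "Pix01 dmz",
    "66.1.1.128/25": "Pix01 inside",
}

# Interface addresses with the masks the poster configured (name -> (ip, mask)).
INTERFACES = {
    "2620 inside":   ("66.1.1.1",   "255.255.255.224"),
    "Pix01 outside": ("66.1.1.2",   "255.255.255.224"),
    "Pix01 dmz":     ("66.1.1.65",  "255.255.255.192"),
    "Pix01 inside":  ("66.1.1.129", "255.255.255.128"),
    "Pix02 outside": ("66.1.1.3",   "255.255.255.224"),
    "Pix02 inside":  ("66.1.1.33",  "255.255.255.224"),
}

# The single 'ssh' entry the poster put on Pix02: (ip, mask, interface).
PIX02_SSH_ENTRIES = [("66.1.1.150", "255.255.255.255", "outside")]


def overlapping_subnets(plan):
    """Return every pair of planned subnets that overlap (empty means the plan is clean)."""
    nets = [ipaddress.ip_network(n) for n in plan]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


def subnet_of(addr, plan):
    """Return the planned subnet (as a string) that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for n in plan:
        if ip in ipaddress.ip_network(n):
            return n
    return None


def interfaces_with_bad_mask(interfaces, plan):
    """Names of interfaces whose address+mask do not land on a planned subnet."""
    bad = []
    for name, (addr, mask) in interfaces.items():
        net = ipaddress.ip_interface(f"{addr}/{mask}").network
        if str(net) not in plan:
            bad.append(name)
    return bad


def ssh_permitted_on(ssh_entries, src):
    """Emulate PIX 'ssh <ip> <mask> <interface>' matching.

    An entry matches when (src & mask) == (ip & mask); the result is the list of
    interfaces on which that source is allowed to open an SSH session.
    """
    s = int(ipaddress.ip_address(src))
    hits = []
    for ip, mask, ifname in ssh_entries:
        m = int(ipaddress.ip_address(mask))
        if s & m == int(ipaddress.ip_address(ip)) & m:
            hits.append(ifname)
    return hits


if __name__ == "__main__":
    print("overlapping subnets:", overlapping_subnets(PLAN))
    print("bad interface masks:", interfaces_with_bad_mask(INTERFACES, PLAN))
    print("66.1.1.150 lives in:", subnet_of("66.1.1.150", PLAN))
    print("untranslated station permitted on:",
          ssh_permitted_on(PIX02_SSH_ENTRIES, "66.1.1.150"))
    # Hypothetical: if Pix01 translated the station to its own outside address,
    # the host-specific entry on Pix02 would no longer match.
    print("translated to 66.1.1.2 permitted on:",
          ssh_permitted_on(PIX02_SSH_ENTRIES, "66.1.1.2"))
```

The plan itself checks out: the four subnets tile 66.1.1.0/24 without overlap and every interface address falls in the subnet its mask implies. The "ssh" entry matches 66.1.1.150 exactly, so whether it works in practice depends on Pix02 actually seeing that source address; any translation applied by Pix01 on the way out would have to be accounted for in the entry.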

1 REPLY
Bronze

Re: Multiple Pix and ssh

The following URL might help with your questions.

http://www.cisco.com/warp/public/707/index.shtml
