Cisco Support Community

New Member

Manage PIX via VPN

I am setting up a LAN-to-LAN VPN between a VPN3030 and a PIX 501. I am able to pass traffic through the VPN from PCs or Servers on either side.

I would like to be able to telnet/ssh to the PIX over the VPN so that I am able to manage it remotely. I am currently unable to accomplish this. It appears that the VPN3030 is attempting to send the telnet traffic to the PIX (e.g. telnet to the inside interface IP address), but I never see any return traffic.

Is there a trick to making this work?

My PIX crypto config is:

access-list 101 permit ip 10.68.2.0 255.255.255.0 10.32.0.0 255.255.0.0
access-list 101 permit ip 10.68.2.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list 101 permit ip 10.68.2.0 255.255.255.0 10.64.16.0 255.255.252.0
access-list nonat permit ip 10.68.2.0 255.255.255.0 10.32.0.0 255.255.0.0
access-list nonat permit ip 10.68.2.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list nonat permit ip 10.68.2.0 255.255.255.0 10.64.16.0 255.255.252.0
sysopt connection permit-ipsec
crypto ipsec transform-set cptlxfrm esp-3des esp-md5-hmac
crypto map dovpn 10 ipsec-isakmp
crypto map dovpn 10 set peer 192.168.216.22
crypto map dovpn 10 set peer 192.168.216.21
crypto map dovpn 10 set transform-set cptlxfrm
crypto map dovpn interface outside
isakmp enable outside
isakmp key ******** address 192.168.216.22 netmask 255.255.255.255
isakmp key ******** address 192.168.216.21 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

2 REPLIES
New Member

Re: Manage PIX via VPN

It seems that you are running 6.31 by the nat-traversal command. In that case you can enable the management with the command "management-access inside".

Then make sure that you have the IP address that you're trying to connect with set in the telnet or ssh or http statement.
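The reply describes two conditions that both have to hold before a host on the far side of the tunnel can reach the PIX's inside interface: "management-access inside" must be present, and the connecting host must be covered by a telnet/ssh/http statement on that interface. A third, implicit condition is that the host must already be inside the crypto ACL (otherwise its packets never enter the tunnel). The following Python script is an added example, not something from the original thread or from Cisco: it parses a small PIX-style config and reports which of those conditions a given management host fails. The sample config is constructed for the example; it reuses the access-list lines from the post and adds the "management-access inside" and "ssh 10.32.0.0 255.255.0.0 inside" lines the reply recommends (the choice of 10.32.0.0/16 as the management source and "inside" as the interface are assumptions).

```python
import ipaddress

# Constructed sample config: the crypto ACL from the post, plus the two lines
# the reply recommends. The ssh source subnet is an assumption for the example.
FIXED_CONFIG = """\
access-list 101 permit ip 10.68.2.0 255.255.255.0 10.32.0.0 255.255.0.0
access-list 101 permit ip 10.68.2.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list 101 permit ip 10.68.2.0 255.255.255.0 10.64.16.0 255.255.252.0
crypto map dovpn 10 ipsec-isakmp
crypto map dovpn interface outside
management-access inside
ssh 10.32.0.0 255.255.0.0 inside
telnet 10.68.2.10 255.255.255.255 inside
"""

# The same config without the two management lines, i.e. the state the
# original poster was in (constructed for comparison).
BROKEN_CONFIG = "\n".join(
    l for l in FIXED_CONFIG.splitlines()
    if not l.startswith(("management-access", "ssh ", "telnet "))
)

MGMT_PROTOCOLS = ("telnet", "ssh", "http")


def parse_config(text):
    """Extract the three things the check needs from PIX-style config text."""
    cfg = {"management_access": set(), "mgmt_rules": [], "crypto_acl": {}}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        if parts[0] == "management-access" and len(parts) == 2:
            cfg["management_access"].add(parts[1])
        elif parts[0] in MGMT_PROTOCOLS and len(parts) == 4:
            # "<proto> <addr> <mask> <interface>": hosts allowed to connect
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            cfg["mgmt_rules"].append((parts[0], net, parts[3]))
        elif parts[0] == "access-list" and len(parts) >= 8 and parts[2] == "permit":
            # "access-list NAME permit PROTO SRC SMASK DST DMASK"
            src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
            dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}", strict=False)
            cfg["crypto_acl"].setdefault(parts[1], []).append((src, dst))
    return cfg


def management_blockers(cfg, mgmt_host, protocol, interface, crypto_acl):
    """Return the list of reasons a management session from mgmt_host to the
    PIX's `interface` over the tunnel would fail; an empty list means all
    three conditions are satisfied."""
    if protocol not in MGMT_PROTOCOLS:
        raise ValueError(f"unsupported management protocol: {protocol}")
    host = ipaddress.ip_address(mgmt_host)
    reasons = []
    # 1. Reaching a non-outside interface through the tunnel needs this line.
    if interface not in cfg["management_access"]:
        reasons.append(f"management-access {interface} is missing")
    # 2. The connecting host must be permitted by a telnet/ssh/http statement.
    if not any(p == protocol and host in net and i == interface
               for p, net, i in cfg["mgmt_rules"]):
        reasons.append(f"no '{protocol} <addr> <mask> {interface}' statement covers {mgmt_host}")
    # 3. The host must be "interesting traffic", i.e. a destination in the crypto ACL.
    if not any(host in dst for _, dst in cfg["crypto_acl"].get(crypto_acl, [])):
        reasons.append(f"{mgmt_host} is not a destination in crypto ACL {crypto_acl}")
    return reasons


def check(config_text, mgmt_host, protocol="ssh", interface="inside", crypto_acl="101"):
    return management_blockers(parse_config(config_text), mgmt_host, protocol, interface, crypto_acl)


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "ssh from 10.32.5.7:", check(text, "10.32.5.7") or "OK")
```

Running it prints two failing conditions for the broken config and "OK" for the fixed one. When you adapt the check to a real device, keep the ssh statement as narrow as the management network allows (a single jump host or a small management subnet rather than the whole remote range), and prefer ssh over telnet even inside the tunnel, since the cleartext session is still visible on the inside LAN.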

New Member

Re: Manage PIX via VPN

That was it! Thanks.
