New Member

Remote Access to Inside of PIX via VPN

Case Description: There is a PIX 501 firewall whose outside IP is assigned by a DHCP server, while the inside is static 192.168.1.1. There are two computers behind this firewall (inside), with private static IPs of 192.168.1.4 (Computer A) and 192.168.1.6 (Computer B), respectively. Now from Computer B, I go to its browser and enter http://192.168.1.1/startup.html, and the PDM starts up. This is right, because the PIX 501 (inside) and Computer B are on the LAN.

Now, let's do the same on a remote Computer C via VPN. First I connect Computer C to the PIX 501 via the already defined VPN. After the connection, from Computer C (remote), I go to its browser and enter http://192.168.1.1/startup.html. Guess what: the PDM never got launched. Why? Or is there any configuration I did wrong?

Thanks for the help.

Scott

(Here is what I understand the VPN to be. After the connection via VPN, my remote computer will become part of the LAN. Therefore, theoretically, if I can use Computer B to launch the PDM, I could also launch the same from Computer C, i.e., I should be able to access the inside interface of the PIX. But it failed to do so.)

1 REPLY
Cisco Employee

Re: Remote Access to Inside of PIX via VPN

You cannot generally ping/telnet/ssh/http to a PIX interface from a host connected off another interface. From Computer B, try browsing/pinging the PIX's outside interface; you won't be able to do it. This is the same as what you're trying to do with Computer C on the outside interface (even over a VPN) and getting to the inside interface.

Now, luckily, because we figured lots of people would have VPNs built to remote PIXes getting dynamic outside IP addresses, the developers added a command to allow you to get to the inside interface of a PIX, but only if you come in over a VPN. The command you want is:

management-access inside

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1137951

Now you'll also need the "http ...." command, but I can't remember if you specify the inside or outside interface (you're actually connecting to the inside but coming from the outside); I think it's the inside if I remember correctly. Have a play around, but the management-access command will get you started anyway.
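As an added illustration, not taken from the original thread, here is the configuration fragment the reply points at, written for the scenario in the question. It assumes the VPN clients receive addresses from a 192.168.2.0/24 pool (a constructed value; the thread does not say what pool is in use) and follows the reply's recollection that the http command names the inside interface:

```cisco
! Allow management traffic (PDM/HTTP, telnet, ssh, ping) to reach the
! inside interface from hosts that arrive through a VPN tunnel.
management-access inside

! Turn on the embedded HTTP server that PDM connects to.
http server enable

! LAN hosts such as Computer A/B are permitted from the inside network.
http 192.168.1.0 255.255.255.0 inside

! Assumed VPN client pool (constructed, 192.168.2.0/24): permit it on the
! inside interface, which is where management-access lets tunnelled
! clients terminate their management sessions.
http 192.168.2.0 255.255.255.0 inside
```

Keep the http statements as narrow as the real client pool allows; they are the only thing standing between any tunnelled host and the PDM login.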
