New Member

SSH thru IPSEC VPN

I have a site-to-site VPN with a central PIX 515 and a remote PIX 501. I would like to be able to use SSH to manage and configure the remote PIX 501 from a server behind the central PIX 515. I have the VPN working perfectly, I am able to communicate from one network to the other, that is not an issue. But how do I get SSH traffic to traverse the VPN so that I can manage the PIX 501? I have included the configs of each PIX.

*****CENTRAL PIX 515*****

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XLcDKg3X8eBKlimL encrypted
passwd xo5R.SfbaDcRiV8y encrypted
hostname vabviburlpix
domain-name vabvi.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list allowin permit icmp any any echo-reply
access-list allowin permit icmp any any source-quench
access-list allowin permit icmp any any unreachable
access-list allowin permit icmp any any time-exceeded
access-list allowin permit tcp any host 207.136.228.147 eq smtp
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list vpnacl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpnacl permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list vpnacl permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpnacl permit ip 192.168.1.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list vpnacl permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging on
logging trap warnings
logging host inside 192.168.1.2
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 207.136.228.146 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip local pool adminpool 192.168.254.100
ip local pool clientpool 192.168.253.100-192.168.253.150
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 2000 1500
static (inside,outside) 207.136.228.147 192.168.1.2 netmask 255.255.255.255 1500 1000
access-group allowin in interface outside
route outside 0.0.0.0 0.0.0.0 207.136.228.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.2 wq3t!4FS timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set vpntran esp-des esp-md5-hmac
crypto dynamic-map vpndynmap 10 set transform-set vpntran
crypto map dyn-map 20 ipsec-isakmp dynamic vpndynmap
crypto map dyn-map client authentication RADIUS
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
vpngroup adminvpn address-pool adminpool
vpngroup adminvpn dns-server 192.168.1.2
vpngroup adminvpn wins-server 192.168.1.2
vpngroup adminvpn default-domain vabvi.org
vpngroup adminvpn split-tunnel vpnacl
vpngroup adminvpn idle-time 1800
vpngroup adminvpn password ********
vpngroup clientvpn address-pool clientpool
vpngroup clientvpn dns-server 192.168.1.2
vpngroup clientvpn wins-server 192.168.1.2
vpngroup clientvpn default-domain vabvi.org
vpngroup clientvpn split-tunnel vpnacl
vpngroup clientvpn idle-time 1800
vpngroup clientvpn password ********
telnet timeout 5
ssh 64.30.1.27 255.255.255.255 outside
ssh 64.30.2.70 255.255.255.255 outside
ssh 192.168.254.100 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.2 255.255.255.255 inside
ssh timeout 5
terminal width 80
Cryptochecksum:3cbbb62ac83d7941b53a859cb083e1e4

*****REMOTE PIX 501*****

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XLcDKg3X8eBKlimL encrypted
passwd xo5R.SfbaDcRiV8y encrypted
hostname vabvimontpix
domain-name vabvi.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list allowin permit icmp any any echo-reply
access-list allowin permit icmp any any unreachable
access-list allowin permit icmp any any time-exceeded
access-list allowin permit icmp any any source-quench
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpnacl permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging buffered warnings
logging trap warnings
logging host outside 192.168.1.2
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.2.0 255.255.255.0 1500 1000
access-group allowin in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set vpntran esp-des esp-md5-hmac
crypto dynamic-map vpndynmap 10 set transform-set vpntran
crypto map burlmap 10 ipsec-isakmp
crypto map burlmap 10 match address vpnacl
crypto map burlmap 10 set peer 207.136.228.146
crypto map burlmap 10 set transform-set vpntran
crypto map burlmap interface outside
isakmp enable outside
isakmp key ******** address 207.136.228.146 netmask 255.255.255.255
isakmp peer ip 207.136.228.146 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 192.168.1.2 255.255.255.255 outside
ssh 207.136.228.147 255.255.255.255 outside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
dhcpd address 192.168.2.100-192.168.2.131 inside
dhcpd dns 192.168.1.2 209.198.87.40
dhcpd wins 192.168.1.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain vabvi.org
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:c25de4073a21a35807c8074c1c0fb33e

Thank you for your help.

2 REPLIES
New Member

Re: SSH thru IPSEC VPN

Your ssh session should not traverse the VPN tunnel... From the perspective of the 501, the source of the ssh session is the global static address of the server (207.136.228.147). The destination is its outside interface which is not explicitly defined within your 501 config.

Art
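The reasoning in the reply above can be checked mechanically against the posted configs: a flow enters the tunnel only if it matches the crypto map's `match address` ACL (vpnacl), its source is translated in PIX order of precedence (nat 0 access-list, then static, then interface PAT), and the receiving PIX accepts the SSH client only if an `ssh <addr> <mask> <interface>` line covers the source it actually sees. The script below is an added example, not code from the thread or from Cisco; it embeds excerpts of the two configs as posted, and the 501's DHCP-assigned outside address, which the thread never shows, is replaced by a documentation-range placeholder. Running it shows that SSH from 192.168.1.2 to the 501's public address leaves the 515 in the clear as 207.136.228.147, which the 501's `ssh 207.136.228.147 255.255.255.255 outside` line admits, and that the same server reaching 192.168.2.1 would be tunnelled untranslated. It also flags the 515's `ssh 0.0.0.0 0.0.0.0 outside` line, which admits SSH clients from any Internet source and makes the more specific `ssh 64.30.x.x` entries redundant.

```python
import ipaddress

# Constructed excerpts of the two configs posted in the thread: only the lines
# that decide how an SSH flow is translated, whether it enters the tunnel, and
# whether the receiving PIX accepts it as an SSH client.
PIX515_CONFIG = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpnacl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address outside 207.136.228.146 255.255.255.248
static (inside,outside) 207.136.228.147 192.168.1.2 netmask 255.255.255.255 1500 1000
ssh 64.30.1.27 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.2 255.255.255.255 inside
"""
PIX501_CONFIG = """
access-list vpnacl permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ssh 192.168.1.2 255.255.255.255 outside
ssh 207.136.228.147 255.255.255.255 outside
ssh 192.168.2.0 255.255.255.0 inside
"""
# The 501's outside address is DHCP-assigned and never shown in the thread;
# this documentation-range value stands in for it (assumption, not from the page).
PIX501_OUTSIDE = "203.0.113.50"


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _lines(config):
    return [ln.split() for ln in config.splitlines() if ln.strip()]


def parse_acl(config, name):
    """[(src_net, dst_net)] from 'access-list <name> permit ip S SM D DM' lines."""
    return [(_net(f[4], f[5]), _net(f[6], f[7])) for f in _lines(config)
            if len(f) == 8 and f[:4] == ["access-list", name, "permit", "ip"]]


def acl_matches(entries, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in entries)


def crypto_path(config, src, dst, crypto_acl="vpnacl"):
    """'tunnel' if the flow matches the crypto-map ACL, otherwise 'clear'."""
    return "tunnel" if acl_matches(parse_acl(config, crypto_acl), src, dst) else "clear"


def outside_source(config, src, dst):
    """Source address the far end sees, in PIX order of precedence:
    nat 0 access-list (no translation) > one-to-one static > interface PAT."""
    if acl_matches(parse_acl(config, "nonat"), src, dst):
        return src
    for f in _lines(config):
        if f[:2] == ["static", "(inside,outside)"] and f[3] == src:
            return f[2]
    for f in _lines(config):
        if f[:3] == ["ip", "address", "outside"]:
            return f[3]          # global (outside) 1 interface -> PAT behind this
    raise ValueError("no outside address in config")


def ssh_permitted(config, src, interface):
    """True if an 'ssh <addr> <mask> <if>' line admits this client on that interface."""
    s = ipaddress.ip_address(src)
    return any(s in _net(f[1], f[2]) and f[3] == interface
               for f in _lines(config) if len(f) == 4 and f[0] == "ssh")


def ssh_open_to_any(config, interface):
    """True if the SSH client list on that interface contains 0.0.0.0 0.0.0.0."""
    return any(len(f) == 4 and f[0] == "ssh" and f[3] == interface
               and _net(f[1], f[2]).prefixlen == 0 for f in _lines(config))


def trace_ssh(src, dst):
    """Follow one SSH flow from the 515's inside network towards the 501."""
    path = crypto_path(PIX515_CONFIG, src, dst)
    seen_as = outside_source(PIX515_CONFIG, src, dst)
    accepted = ssh_permitted(PIX501_CONFIG, seen_as, "outside")
    return {"path": path, "seen_by_501_as": seen_as, "ssh_accepted": accepted}


if __name__ == "__main__":
    # Management server to the 501's public outside address: not in vpnacl,
    # so it leaves in the clear through the static 207.136.228.147.
    print(trace_ssh("192.168.1.2", PIX501_OUTSIDE))
    # Same server to the 501's inside address: matches vpnacl and nonat,
    # so it would be tunnelled with its private source address intact.
    print(trace_ssh("192.168.1.2", "192.168.2.1"))
    # Any other inside host is PATed to the 515's outside address, which the
    # 501 does not list as an SSH client.
    print(trace_ssh("192.168.1.50", PIX501_OUTSIDE))
    print("515 accepts SSH from any outside source:",
          ssh_open_to_any(PIX515_CONFIG, "outside"))
```

The model deliberately stops at the SSH client list: it does not say whether a PIX 6.2 will answer SSH on an interface other than the one the packet arrives on, which is what a tunnelled session to 192.168.2.1 would need, so the clear-text path via the static that Art describes is the one the thread actually confirms. The `ssh_open_to_any` check is the line a reviewer would want to raise on the 515 config.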

New Member

Re: SSH thru IPSEC VPN

Thanks, I have it doing that now so I guess I am all set.
