Cisco Support Community
New Member

Tunneled Access To PIX Itself (for write net)?

(Head Office Network) <-> VPN 3030 <-> (Internet) <-> PIX 501 / PPPoE / VPNC <-> (Branch Network)

I can ssh and pdm to the dynamic public address of the PIX.

How can I tunnel to the PIX inside address? i.e. Use telnet to the known private address instead, travelling over the encrypted tunnel? (So I can write net back to a tftp server on the head office network. There is no tftp server on the branch network - nor do I want one.)

I can NetMeeting and remote connect to the workstations behind the PIX, but not to the PIX itself.

6 REPLIES
Cisco Employee

Re: Tunneled Access To PIX Itself (for write net)?

You can't connect to (ping, SSH, telnet, anything) a PIX interface from another PIX interface. For example, you can't ping the outside address from the inside subnet. Similarly, if you come in over an encrypted tunnel from the outside, you can't ping, telnet, SSH, SNMP, etc to the inside interface. There is no way around this.

It has to do with the security algorithm in the PIX and the way packets are routed internally.

New Member

Re: Tunneled Access To PIX Itself (for write net)?

I get that.

It's a bug Cisco. Fix it.

i.e. We moved from frame-relay to PIX at Cisco's advice as being a frame-equivalent (functionally). Well, it's turning out not to be from a device management perspective.

I just want to get to the PIX at the known address (inside, since dynamic outside IP) and save the config as I always have with frame. telnet yada yada, copy run tftp. (With PIX, write net). I consider this a bug if this reasonable activity can't happen.

Cisco Employee

Re: Tunneled Access To PIX Itself (for write net)?

Just found out that in v6.3 (due around March) there'll be a *feature* that'll allow you to connect to the inside IP address when you come in over a VPN tunnel on the outside.
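
What that 6.3 feature looks like once it ships, as an added example rather than anything posted in this thread or taken from Cisco's documentation. The command is `management-access`, which the reply above does not name; the inside address, head-office subnet, TFTP server address and file path are assumed placeholders. Lines starting with `!` are explanatory comments, not PIX commands.

```text
! Added example (not from the thread). Requires PIX OS 6.3 or later;
! the management-access command does not exist in 6.2.
! Assumed: PIX inside address 192.168.10.1, head-office LAN 10.0.0.0/24,
! head-office TFTP server 10.0.0.20, all reached over the tunnel to the VPN 3030.

! Let management traffic that arrives on the outside interface over the
! IPsec tunnel terminate on the inside interface address.
management-access inside

! Permit telnet and SSH to the inside address only from the head-office LAN.
! Without these the tunneled connection is still dropped.
telnet 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside

! Default TFTP server and filename so "write net" needs no arguments.
! Sourcing from the inside interface keeps the TFTP traffic inside the tunnel.
tftp-server inside 10.0.0.20 /pix/branch01.cfg

! From a head-office host, once the tunnel is up:
!   telnet 192.168.10.1
!   pixfirewall> enable
!   pixfirewall# write net
! or, naming the server and file explicitly:
!   pixfirewall# write net 10.0.0.20:/pix/branch01.cfg
```

Two caveats for the 60-odd branch PIXes: `management-access` only applies to traffic that arrives through the VPN tunnel, so it does not expose the inside address to the plain Internet, and it names exactly one interface, so the same inside address must be the one the `telnet`/`ssh` lines and the tunnel's protected-network definition cover. Restricting the `telnet`/`ssh` permits to the head-office subnet rather than `0.0.0.0 0.0.0.0` matters, because anything else that can route into the tunnel would otherwise get a login prompt.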

New Member

Re: Tunneled Access To PIX Itself (for write net)?

Thank you for that.

Is there a time frame for 6.3?

'course, now there's the cost of upgrading some 60-odd remote PIX.

Is there a way to get grandfathered in to that release?

Cisco Employee

Re: Tunneled Access To PIX Itself (for write net)?

6.3 is currently in open beta, so anyone can join in; you're welcome to open a TAC case and they should be able to provide the code for you. It's still beta code, remember, so don't go putting it on all 60 of your PIXes just yet :-)

The only timeframe I have is as I said originally, due around March (probably more likely the end of March early April).

New Member

Re: Tunneled Access To PIX Itself (for write net)?

Thanks kindly.

Sorry, completely skipped over the March reference.
