Re: VPN - access PIX internal interface

justinvo · ‎02-17-2003

What I want to setup is a LAN to LAN VPN connection between a PIX 501 and a VPN 3000 Concentrator. So far, I can get the VPN established and host to host connectivity is working. The only problem I have is that I would like to get a PC from the central office to access the Internal interface of the PIX 501 (remote network).

I have follow strictly the documentation provided by TAC.

http://www.cisco.com/warp/customer/471/ALTIGA_pix.html

http://www.cisco.com/warp/customer/471/pix501506_vpn3k.html

PCB ---PIX-----Internet----VPN3000----PCA

I can get

* PCA can ping and telnet to PCB

* PCB can ping and telnet to PCA

* PCA can't ping or telnet to PIX 501's internal interface

The software version is PIX=6.22 and VPN3000=3.5.2

Please advise if this is possible and perhaps a solution for this problem.

Much thanks and appreciated.

nsteup · ‎02-18-2003

Hi,

guess you want to manage the PIX from PCA, don't you? You have to define a VPN-Tunnel from PCA to outside interface of the PIX. Then allow telnet or ssh or pdm access from PCA on inteface outside. This seems to be unsecure but as far as I know, this is the only way to manage the pix through VPN-tunnel.

Hope this helps

Norbert

ajagadee · ‎02-20-2003

Hi,

You cannot access the inside interface of the Pix through an IPSec tunnel. Couple of options:

1. You can telnet from PCA to PCB and then telnet from PCB to the inside of Pix.

2. Add the outside ip address of the Pix to the interesting traffic. That is , network behind the VPN3000 to the outside ip address of the Pix. Again, this is for telnet access to the outside interface.

3. Configure SSH on the outside interface for remote management.

Regards,

Arul