Cisco Support Community

New Member

Remote Access to Inside of PIX via VPN

Case Description: There is a PIX 501 firewall whose outside IP is assigned by a DHCP server, while the inside is static 192.168.1.1. There are two computers behind this firewall (inside), with private static IPs of 192.168.1.4 (Computer A) and 192.168.1.6 (Computer B), respectively. Now from Computer B, I go to its browser and enter http://192.168.1.1/startup.html, and the PDM starts up. This is right, because the PIX 501 (inside) and Computer B are on the LAN.

Now, let's do the same on a remote Computer C via VPN. First I connect Computer C to the PIX 501 via the already defined VPN. After the connection, from Computer C (remote), I go to its browser and enter http://192.168.1.1/startup.html. Guess what: the PDM never got launched. Why? Or, is there any configuration I did wrong?

Thanks for the help.

Scott

(Here is what I understand about the VPN. After the connection via VPN, my remote computer will become part of the LAN. Therefore, theoretically, if I can use Computer B to launch the PDM, I could also launch the same from Computer C, too, i.e., I should be able to access the inside interface of the PIX. But it failed to do so.)

6 REPLIES
Silver

Re: Remote Access to Inside of PIX via VPN

Scott,

Try this command, `management-access inside'. This allowed me to telnet and use PDM via the tunnel in PIX 6.3(4).

Andy

New Member

Re: Remote Access to Inside of PIX via VPN

Thanks for the response.

1) The statement management-access inside is to be issued from the CLI. How can I do the same from the PDM's GUI interface? There should be an equivalent way of configuring it from the PDM's GUI interface.

2) Suppose management-access inside is issued. Now there is an Oracle Enterprise Manager installed on Computer A (with a private local IP of 192.168.1.4, as in the Case Description). Now I want to launch the tool from a remote PC via the VPN tunnel, so I'll enter http://192.168.1.4:5500/oem in the browser. Can I do this? Or do I have to do other configuration?

Thanks for the help.

Scott

Gold

Re: Remote Access to Inside of PIX via VPN

Assuming the remote VPN is working normally, http://192.168.1.4:5500/oem will work regardless of whether the command "management-access inside" is enabled or not.

The command "management-access inside" is merely used for managing the PIX over IPsec.
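A worked configuration for the situation in this thread, added here as an illustration and not taken from any post above. It is PIX 6.3 syntax; the remote-access VPN address pool 192.168.2.0/24, the pool name vpnpool and the access-list name nonat are assumptions for the example. Lines beginning with ! are explanatory and are not part of the configuration.

```text
! Added example (not from the original thread). PIX 6.3 syntax; the pool
! 192.168.2.0/24 and the names vpnpool and nonat are assumed for illustration.
!
! Address pool handed to remote-access VPN clients (Computer C receives one of these)
ip local pool vpnpool 192.168.2.1-192.168.2.254
!
! Exempt inside <-> VPN-client traffic from NAT so hosts see real inside addresses.
! This is what makes http://192.168.1.4:5500/oem reachable from Computer C.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Let decrypted IPsec traffic bypass the interface access lists
sysopt connection permit-ipsec
!
! Make the PIX itself manageable on its inside address (192.168.1.1)
! for sessions arriving through the tunnel
management-access inside
!
! PDM (HTTPS) and telnet are only accepted from the sources listed here.
! The VPN pool must be included; without these lines Computer C is refused
! even though management-access inside is configured.
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
```

The distinction the thread circles around is visible in the two halves of the fragment: the nat 0 exemption is what lets a tunnel user reach an internal host such as Computer A, while management-access inside only concerns reaching the PIX's own inside address, and even then the http and telnet statements still decide which source addresses are accepted. Keep those statements scoped to the pool rather than 0.0.0.0 0.0.0.0, since anything that can reach the tunnel endpoint would otherwise be allowed to attempt management logins; show management-access and show http on the PIX are a quick check of what is actually in effect.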

Silver

Re: Remote Access to Inside of PIX via VPN

Scott,

The statement `management-access inside' is a configuration command that's applied to the PIX. It enables VPN users to have telnet and ping access to the PIX, as described in Cisco knowledge base article K17708166.

I needed this command when setting up a LAN to LAN tunnel between 2 sites, initially I was only using telnet to the PIX CLI.

Later I used PDM for ongoing management, so after reading the reply by Jackko and that KB article again I'm not sure if this command actually enabled PDM to work across the tunnel.

Gold

Re: Remote Access to Inside of PIX via VPN

Now, this is interesting. Not so long ago I tried to access the PDM via an L2L tunnel but had no luck, BUT when I enabled 'management-access inside' - BINGO! I could access PDM. So, not too sure about Jack Ko's answer, as he is saying that you don't need the keyword 'management-access inside'.

PS. Hi Andy - How's the studies coming along?

Jay

Gold

Re: Remote Access to Inside of PIX via VPN

Hi Jay,

Please have a second look at my previous post.

"Assuming the remote VPN is working normally, http://192.168.1.4:5500/oem will work regardless of whether the command "management-access inside" is enabled or not.

The command "management-access inside" is merely used for managing the PIX over IPsec."

I said that http://192.168.1.4:5500 will work regardless of the command "management-access inside". Now, http://192.168.1.4:5500 is an internal host, not the PIX itself. And with the second paragraph, I pointed out that the command "management-access inside" is used for managing the PIX.

Would you please explain which part of my post went wrong? Thanks in advance.
