<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: secure access to pix in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/secure-access-to-pix/m-p/306636#M592286</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The management-access command was added for situations like yours.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Can you verify that your interesting traffic ACL definition includes the inside interface IP address of the Pix?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, you should be able to ping the inside interface of the pix when VPN'd in once you apply the mgmt-int command.  Can you do this?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;thanks&lt;/P&gt;&lt;P&gt;peter&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 01 Jun 2004 20:47:25 GMT</pubDate>
    <dc:creator>pcomeaux</dc:creator>
    <dc:date>2004-06-01T20:47:25Z</dc:date>
    <item>
      <title>secure access to pix</title>
      <link>https://community.cisco.com/t5/network-security/secure-access-to-pix/m-p/306633#M592275</link>
      <description>&lt;P&gt;I'm trying to secure my access to pix. To my knowledge, accessing the pix with SSH and HTTPS are the two more common ways of connecting. In version 6.3 the "management-access mgmt_if" command was introduced. I tried to use that on the inside interface without any success.&lt;/P&gt;&lt;P&gt;I set up a vpn with my cisco client. When I connect everything is fine except that I get only half of the feature. From the pix I can ping my pc, tftp to my pc, syslog to my pc and I see that traffic is going to the vpn. But when I try to connect from my pc to the inside interface, traffic is not going inside the tunnel.&lt;/P&gt;&lt;P&gt;It seems that I would need a loopback setup in the pix because when I SSH to the inside address the traffic is not going in the tunnel.&lt;/P&gt;&lt;P&gt;Is this command only good for outside access?&lt;/P&gt;&lt;P&gt;My ultimate goal would be to manage the PIX using a VPN from the inside interface using a certificate.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;thanks&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 07:25:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-access-to-pix/m-p/306633#M592275</guid>
      <dc:creator>mdlv</dc:creator>
      <dc:date>2020-02-21T07:25:56Z</dc:date>
    </item>
    <item>
      <title>Re: secure access to pix</title>
      <link>https://community.cisco.com/t5/network-security/secure-access-to-pix/m-p/306634#M592278</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;What do your ssh commands look like? You need to allow access to the ip pool used by vpn clients.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 01 Jun 2004 19:50:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-access-to-pix/m-p/306634#M592278</guid>
      <dc:creator>mostiguy</dc:creator>
      <dc:date>2004-06-01T19:50:19Z</dc:date>
    </item>
    <item>
      <title>Re: secure access to pix</title>
      <link>https://community.cisco.com/t5/network-security/secure-access-to-pix/m-p/306635#M592280</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;ip local pool testpool 10.177.97.250-10.177.97.251&lt;/P&gt;&lt;P&gt;ssh 10.177.97.250 255.255.255.254 outside&lt;/P&gt;&lt;P&gt;ssh 10.177.97.250 255.255.255.254 inside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 01 Jun 2004 19:58:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-access-to-pix/m-p/306635#M592280</guid>
      <dc:creator>mdlv</dc:creator>
      <dc:date>2004-06-01T19:58:19Z</dc:date>
    </item>
    <item>
      <title>Re: secure access to pix</title>
      <link>https://community.cisco.com/t5/network-security/secure-access-to-pix/m-p/306636#M592286</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The management-access command was added for situations like yours.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Can you verify that your interesting traffic ACL definition includes the inside interface IP address of the Pix?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, you should be able to ping the inside interface of the pix when VPN'd in once you apply the mgmt-int command.  Can you do this?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;thanks&lt;/P&gt;&lt;P&gt;peter&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 01 Jun 2004 20:47:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-access-to-pix/m-p/306636#M592286</guid>
      <dc:creator>pcomeaux</dc:creator>
      <dc:date>2004-06-01T20:47:25Z</dc:date>
    </item>
    <item>
      <title>Re: secure access to pix</title>
      <link>https://community.cisco.com/t5/network-security/secure-access-to-pix/m-p/306637#M592288</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;access-list inside_cryptomap_dyn_20 permit ip any 10.177.97.250 255.255.255.254&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Not sure I understand the interesting. The IP address of my PC is 10.177.97.250 when I'm testing; the firewall is 10.177.97.253.&lt;/P&gt;&lt;P&gt;I can ping with or without the VPN being up because I used icmp permit 10.177.0.0 255.255.0.0 inside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But I cannot use HTTPS or SSL to connect because (that's my guess) the VPN tunnel is established between my PC and the interface inside of the PIX at 10.177.97.253. So when I try to SSL to the PIX the traffic is not encrypted in the tunnel as it is my end route for the tunnel. I have not seen any Cisco example of a working configuration for that.&lt;/P&gt;&lt;P&gt;thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Jun 2004 20:09:51 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-access-to-pix/m-p/306637#M592288</guid>
      <dc:creator>mdlv</dc:creator>
      <dc:date>2004-06-02T20:09:51Z</dc:date>
    </item>
  </channel>
</rss>

