PIX 501 SSH From Different Subnet

lsittechsupport
Level 1

Hello,

I have a spare PIX 501 that I am learning to configure to replace one in our remote office. The only reasons for this are for me to learn and also to remove years' worth of redundant ACLs from previous requirements.

We have a few offices connected via PIX VPN tunnels, and remote management from Head Office is a must.

Whilst I am configuring it, the only cables connected to the PIX are: power, one network cable plugged into network port 1, and a console cable connected to a PC.

Currently I can ssh into the pix from within the same subnet but not from a different one.

Internal IP range of the Remote Office is 172.19.13.0 255.255.255.0

Internal IP range of the Head Office is 10.68.0.0 255.255.254.0

PIX 501 config:

ip address inside 172.19.13.1 255.255.255.0

ssh 172.19.13.0 255.255.255.0 inside (this works fine)

ssh 10.68.0.0 255.255.254.0 outside (doesn't work)

ssh 10.68.0.0 255.255.254.0 inside (doesn't work)

As I am new to the PIX and teaching myself, chances are I have overlooked something. Any advice would be greatly appreciated.

Thanks

Stephen

3 Replies

Hi,

These commands:

ssh 10.68.0.0 255.255.254.0 outside (doesn't work)

ssh 10.68.0.0 255.255.254.0 inside (doesn't work)

Where does 10.68.0.0/23 reside? (outside or inside)

For you to be able to SSH from 10.68.0.0/23 to the PIX, you should be able to PING from that network to the PIX.

Also, if 10.68.0.0/23 is through a VPN tunnel, the management-access inside should be enabled to SSH to the inside IP.

Federico.

Hi Federico,

Thanks for replying.

I have added the line

management-access inside

10.68.0.0/23 is the Head Office location and currently where the 501 is being configured.

172.19.13.0 is the Remote Office Location.

Currently I have a Test PC running an IP Address for both networks so that I can configure it and test.

From that Test PC I can both ping and ssh into the PIX 501 which has IP Address 172.19.13.1

From my actual work pc which resides on the 10.68.0.0/23 network I am unable to ping 172.19.13.1

I have also added

access-list inside_access_in permit icmp any any

inside_access_in is the access list attached to the inside interface. I thought perhaps this would allow me to ping from my subnet, but it still times out.

cheers

Ok so 172.19.13.1 is the inside IP address of the PIX correct?

Two scenarios:

1. If 10.68.0.0/23 is inside the 501, then you require a route on the PIX pointing to that network. You need to be able to PING from the PIX to that IP.

2. If, on the other hand, 10.68.0.0/23 is outside the PIX, you require a route pointing to the outside, and you must also be able to PING.

Important note:

A computer on the inside can only PING the inside IP of the PIX.

A computer on the outside can only PING the outside IP of the PIX.

This means that an outside computer cannot PING the inside IP (and vice versa).

The management-access inside is only required when coming through a VPN tunnel to be able to manage the inside interface.

Federico.
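Added example, not from the thread or from Cisco documentation: a PIX 6.x configuration fragment for Federico's scenario 1, where the 10.68.0.0/23 Head Office subnet is reached through a router on the inside segment. The next-hop address 172.19.13.254, the host 10.68.0.10 and the username pixadmin are assumed placeholders; the `!` lines are annotations.

```cisco
! Inside interface the PIX is managed on (from the original post)
ip address inside 172.19.13.1 255.255.255.0
! Scenario 1: 10.68.0.0/23 sits behind a router on the inside segment.
! Without this route the PIX has no return path, so ICMP and SSH from
! Head Office time out. Next hop 172.19.13.254 is an assumed value.
route inside 10.68.0.0 255.255.254.0 172.19.13.254 1
! Permit SSH only from the two management subnets, and only on the
! interface they are actually reached through. The "outside" line from
! the original post is dropped: it would never match inside traffic.
ssh 172.19.13.0 255.255.255.0 inside
ssh 10.68.0.0 255.255.254.0 inside
ssh timeout 10
! Authenticate SSH admins against a local account instead of the shared
! enable/telnet password. Username and password are placeholders.
username pixadmin password <replace-me> privilege 15
aaa authentication ssh console LOCAL
! management-access inside is only needed when managing the inside
! address across a VPN tunnel (Federico's last point); not needed here.
! Verification from the PIX CLI, as Federico suggests (host is assumed):
!   show route
!   ping inside 10.68.0.10
```

If the PIX cannot ping the Head Office host after the route is added, the problem is on the intermediate router (missing return route to 172.19.13.0/24) rather than on the PIX.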
