06-01-2004 12:28 PM - edited 02-20-2020 11:25 PM
I'm trying to secure my access to the PIX. To my knowledge, accessing the PIX with SSH and HTTPS are the two more common ways of connecting. In version 6.3 the "management-access mgmt_if" command was introduced. I tried to use that on the inside interface without any success.
I set up a VPN with my Cisco client. When I connect everything is fine except that I get only half of the features. From the PIX I can ping my PC, TFTP to my PC, syslog to my PC, and I see that traffic is going through the VPN. But when I try to connect from my PC to the inside interface, the traffic is not going inside the tunnel.
It seems that I would need a loopback set up in the PIX, because when I SSH to the inside address the traffic is not going into the tunnel.
Is this command only good for outside access?
My ultimate goal would be to manage the PIX using a VPN from the inside interface using a certificate.
thanks
06-01-2004 12:50 PM
What do your SSH commands look like? You need to allow access to the IP pool used by VPN clients.
06-01-2004 12:58 PM
ip local pool testpool 10.177.97.250-10.177.97.251
ssh 10.177.97.250 255.255.255.254 outside
ssh 10.177.97.250 255.255.255.254 inside
06-01-2004 01:47 PM
The management-access command was added for situations like yours.
Can you verify that your interesting-traffic ACL definition includes the inside interface IP address of the PIX?
Also, you should be able to ping the inside interface of the PIX when VPN'd in once you apply the mgmt-int command. Can you do this?
thanks
peter
06-02-2004 01:09 PM
access-list inside_cryptomap_dyn_20 permit ip any 10.177.97.250 255.255.255.254
Not sure I understand the interesting traffic part. The IP address of my PC is 10.177.97.250 when I'm testing; the firewall is 10.177.97.253.
I can ping with or without the VPN being up because I used icmp permit 10.177.0.0 255.255.0.0 inside.
But I cannot use HTTPS or SSL to connect because (that's my guess) the VPN tunnel is established between my PC and the inside interface of the PIX at 10.177.97.253. So when I try to SSL to the PIX, the traffic is not encrypted in the tunnel, as it is my end route for the tunnel. I have not seen any Cisco example of a working configuration for that.
thanks