Re: Manage PIX via VPN

kevin_noll · ‎06-17-2003

I am setting up a LAN-to-LAN VPN between a VPN3030 and a PIX 501. I am able to pass traffic through the VPN from PCs or Servers on either side.

I would like to be able to telnet/ssh to the PIX over the VPN so that I am able to manage it remotely. I am currently unable to accomplish this. It appears that the VPN3030 is attempting to send the telnet traffic to the PIX (e.g. telnet to the inside interface IP address), but I never see any return traffic.

Is there a trick to making this work?

My PIX crypto config is:

access-list 101 permit ip 10.68.2.0 255.255.255.0 10.32.0.0 255.255.0.0

access-list 101 permit ip 10.68.2.0 255.255.255.0 172.16.0.0 255.240.0.0

access-list 101 permit ip 10.68.2.0 255.255.255.0 10.64.16.0 255.255.252.0

access-list nonat permit ip 10.68.2.0 255.255.255.0 10.32.0.0 255.255.0.0

access-list nonat permit ip 10.68.2.0 255.255.255.0 172.16.0.0 255.240.0.0

access-list nonat permit ip 10.68.2.0 255.255.255.0 10.64.16.0 255.255.252.0

sysopt connection permit-ipsec

crypto ipsec transform-set cptlxfrm esp-3des esp-md5-hmac

crypto map dovpn 10 ipsec-isakmp

crypto map dovpn 10 set peer 192.168.216.22

crypto map dovpn 10 set peer 192.168.216.21

crypto map dovpn 10 set transform-set cptlxfrm

crypto map dovpn interface outside

isakmp enable outside

isakmp key ******** address 192.168.216.22 netmask 255.255.255.255

isakmp key ******** address 192.168.216.21 netmask 255.255.255.255

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 28800

pdentico · ‎06-17-2003

It seems that you are running 6.31 by the nat-traversal command. In that case you can enable the management with the command "management-access inside"

Then make sure that you have the ip address that you're trying to connect with set int the telnet or ssh or http statement.

kevin_noll · ‎06-18-2003

That was it! Thanks.