05-22-2002 01:31 PM - edited 02-21-2020 11:45 AM
If I set up a tunnel from a PIX or a remote client to a central PIX, where in the central PIX does the tunnel terminate?
A normal configuration is to bind the crypto and ISAKMP maps to the outside interface. Is the tunnel terminated there in that case?
I have in a PIX to PIX configuration tried to allow a host behind PIX 1 to access PIX 2 with telnet, but I cannot get that working.
If the configuration looks like this (as an example):
PIX1 Inside: 192.168.1.0/24
PIX1 Outside: 10.0.0.1
PIX2 Inside: 192.168.2.0/24
PIX2 Outside: 10.0.0.2
VPN tunnel between the PIXes (pointing to the outside interfaces)
If I want a client on the PIX 1 inside net to telnet to PIX2 via the VPN, what will the telnet line look like on PIX2, and/or do I need any additional access-lists?
(i.e. telnet 192.168.1.10 255.255.255.255 outside....?)
Regards
//Tomas
05-22-2002 01:55 PM
It terminates at the outside interface. You should never allow telnet on your PIX on the outside interface. Use SSH only. Telnet is not secure, especially since you have the option not to use telnet on the PIX.
05-22-2002 11:06 PM
OK, a stupid question gets this type of answer.
Of course you should not use telnet when administering the PIX, as it sends data in clear text, but this was not what I asked.
If I change the question so that PIX2 has the following configuration:
SSH 192.168.1.10 255.255.255.255 outside or
SSH 192.168.1.10 255.255.255.255 inside or ...?
Should this work? I do not get any response from PIX2. Which interface should the user point to, PIX2's outside or inside interface? (I want to use the IPSEC tunnel for the SSH traffic)
05-23-2002 03:15 AM
It depends. The best way to use the SSH command is to use the PAT IP if you are using PAT. If not, you could use PIX2's outside interface. If you are using NAT (in global), you could assign a static mapping to the PC that will manage the PIX. Does this help?
05-28-2002 05:55 AM
Do the following, in the case of a Site-to-Site VPN. Add an access-list statement between the workstation that needs to manage the remote PIX and the outside interface address of the remote PIX. This access-list ID shall be listed in the nat (inside) 0 statement. A similar access-list statement shall be added in the remote PIX too.
I hope this helps!
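The advice in the thread, written out as a configuration fragment for both PIXes. This is an added illustration, not configuration posted by anyone in the thread; it uses the addresses from the original question, takes 192.168.1.10 as the management workstation, and assumes PIX 6.x syntax, the access-list names nonat and vpn-traffic, and the crypto map name outside_map. Lines beginning with ! are comments.

```cisco
! ---- PIX1 (inside 192.168.1.0/24, outside 10.0.0.1) ----
! The management workstation 192.168.1.10 (assumed address) must reach
! PIX2's outside address 10.0.0.2 through the tunnel, not around it.

! Exempt the management traffic from NAT so it enters the tunnel with its
! real source address, which is the address PIX2's ssh command will check.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip host 192.168.1.10 host 10.0.0.2
nat (inside) 0 access-list nonat

! The crypto ACL decides what gets encrypted. Without the extra host line
! the SSH session is routed in the clear to 10.0.0.2 and never matches
! the tunnel, which is why PIX2 appears not to answer.
access-list vpn-traffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-traffic permit ip host 192.168.1.10 host 10.0.0.2
crypto map outside_map 10 match address vpn-traffic

! ---- PIX2 (inside 192.168.2.0/24, outside 10.0.0.2) ----
! Mirror image of PIX1's access-lists. PIX2's own replies come from
! 10.0.0.2, so the crypto ACL must cover that host as a source as well.
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn-traffic permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn-traffic permit ip host 10.0.0.2 host 192.168.1.10
nat (inside) 0 access-list nonat
crypto map outside_map 10 match address vpn-traffic

! Let decrypted IPsec traffic bypass the outside interface's access-list.
sysopt connection permit-ipsec

! The decrypted SSH packets arrive on the outside interface with source
! 192.168.1.10, so that is the interface the ssh command names. Only this
! one host is permitted; do not widen the mask. An RSA key must already
! exist (hostname, domain-name, ca generate rsa key) or SSH will not answer.
ssh 192.168.1.10 255.255.255.255 outside
ssh timeout 5
```

The usual failure mode is that only one of the two access-lists is extended: if only nonat has the host line, the packets leave PIX1 unencrypted and PIX2 silently drops them at the outside interface; if only vpn-traffic has it, the source gets translated before encryption and no longer matches PIX2's ssh statement. Check with `show crypto ipsec sa` on PIX1 that the 192.168.1.10/10.0.0.2 pair has its own SA with increasing encrypt counters before looking further at PIX2.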