Communicating with PIX via VPN

Discussion in 'Cisco' started by John Oliver, Nov 3, 2006.

  1. John Oliver

    John Oliver Guest

    We have a PIX 501 at our office connected to a T1, and a PIX 515 at our
    colo. There's a VPN set up between the two, and we can access hosts
    behind "the other" router from either location. Now, I want to be able
    to access the PDM and do SNMP queries against the 515 over the VPN. It
    looks like the PIXes themselves don't know what to do with traffic for
    hosts on the other network... if there was a VPN interface, I'd try
    adding routing table entries. But there isn't, so I'm kinda stuck.

    --
    * John Oliver http://www.john-oliver.net/ *
     
    John Oliver, Nov 3, 2006
    #1

  2. In article <>,
    John Oliver <> wrote:
    >We have a PIX 501 at our office connected to a T1, and a PIX 515 at our
    >colo. There's a VPN set up between the two, and we can access hosts
    >behind "the other" router from either location. Now, I want to be able
    >to access the PDM and do SNMP queries against the 515 over the VPN. It
    >looks like the PIXes themselves don't know what to do with traffic for
    >hosts on the other network... if there was a VPN interface, I'd try
    >adding routing table entries. But there isn't, so I'm kinda stuck.


    You can proceed in either of two ways.

    1) In your -existing- crypto map match-address ACL on the 515,
    add a line permitting traffic from the public interface IP
    (use the keyword "interface outside" if you are using PIX 6;
    possibly the actual IP address for PIX 7), with the destination
    being the host(s) that you want to monitor from; it wouldn't
    hurt to add the combination into the nat 0 access-list as well
    (and it might be necessary to make it work.) On the PIX 501,
    add the corresponding reverse entries. Have the monitoring software
    address the public outside IP of the 515.

    If you use this approach, you do NOT need to add a new crypto map
    policy, just a couple of new ACL entries.

    2) Create a new "management interface" VPN on the 515 attached to
    the -inside- interface. You might need a complete new crypto map
    for this, as in theory it is active against the inside interface
    instead of the outside. Check the documentation examples to be sure;
    I've never done this myself. Have the monitoring software address
    the private inside interface IP of the 515.
     
    Walter Roberson, Nov 3, 2006
    #2

  3. Brian V

    Brian V Guest

    "Walter Roberson" <> wrote in message
    news:fkx2h.249344$R63.40775@pd7urf1no...
    > In article <>,
    > John Oliver <> wrote:
    >>We have a PIX 501 at our office connected to a T1, and a PIX 515 at our
    >>colo. There's a VPN set up between the two, and we can access hosts
    >>behind "the other" router from either location. Now, I want to be able
    >>to access the PDM and do SNMP queries against the 515 over the VPN. It
    >>looks like the PIXes themselves don't know what to do with traffic for
    >>hosts on the other network... if there was a VPN interface, I'd try
    >>adding routing table entries. But there isn't, so I'm kinda stuck.

    >
    > You can proceed in either of two ways.
    >
    > 1) In your -existing- crypto map match-address ACL on the 515,
    > add a line permitting traffic from the public interface IP
    > (use the keyword "interface outside" if you are using PIX 6;
    > possibly the actual IP address for PIX 7), with the destination
    > being the host(s) that you want to monitor from; it wouldn't
    > hurt to add the combination into the nat 0 access-list as well
    > (and it might be necessary to make it work.) On the PIX 501,
    > add the corresponding reverse entries. Have the monitoring software
    > address the public outside IP of the 515.
    >
    > If you use this approach, you do NOT need to add a new crypto map
    > policy, just a couple of new ACL entries.
    >
    > 2) Create a new "management interface" VPN on the 515 attached to
    > the -inside- interface. You might need a complete new crypto map
    > for this, as in theory it is active against the inside interface
    > instead of the outside. Check the documentation examples to be sure;
    > I've never done this myself. Have the monitoring software address
    > the private inside interface IP of the 515.


    Why not simply use "management-access inside" and use the inside interface
    for your SNMP polls, PDM, ssh, whatever?
     
    Brian V, Nov 3, 2006
    #3
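To make the two suggestions in this thread concrete, here is a PIX 6.x configuration fragment for the 515 written as an added example; it is not configuration from either poster. The address plan is constructed: office LAN 10.10.0.0/24 behind the 501 with a monitoring host at 10.10.0.50, colo LAN 10.20.0.0/24 behind the 515, an existing crypto map match ACL named vpn_to_office, an existing nat 0 ACL named nonat, and 203.0.113.1 standing in for the 515's public outside address. Only one of the two sections should be applied.

```text
! --- Option A (Walter's approach): treat the 515's own outside IP as
!     protected traffic toward the monitoring host, so it rides the
!     existing tunnel. "interface outside" is the PIX 6 form noted above.
access-list vpn_to_office permit ip interface outside host 10.10.0.50
access-list nonat permit ip interface outside host 10.10.0.50
nat (inside) 0 access-list nonat
! Restrict management to that one host and only on the interface it arrives on.
snmp-server host outside 10.10.0.50
http 10.10.0.50 255.255.255.255 outside
! Mirror entries on the 501 (assumed ACL names vpn_to_colo / nonat):
!   access-list vpn_to_colo permit ip host 10.10.0.50 host 203.0.113.1
!   access-list nonat permit ip host 10.10.0.50 host 203.0.113.1
! The poller then targets 203.0.113.1, the 515's public address.

! --- Option B (Brian's approach): expose management on the inside
!     interface instead. Its address is already inside 10.20.0.0/24, so
!     the existing crypto map and nat 0 ACLs need no change.
management-access inside
snmp-server host inside 10.10.0.50
http 10.10.0.50 255.255.255.255 inside
ssh 10.10.0.50 255.255.255.255 inside
! The poller then targets the 515's private inside IP.
```

Option B is the smaller change and keeps the management plane reachable only from the far side of the tunnel; in either case the snmp-server community string should be non-default and the http/ssh host statements kept to the single monitoring address rather than the whole remote subnet, so a compromised office host cannot reach PDM or SNMP on the 515.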