ssh and tftp through a pix to pix vpn

Discussion in 'Cisco' started by Blouz, Jan 27, 2005.

  1. Blouz

    Blouz Guest

    hello,

    I deployed a simple pix to pix vpn, using isakmp.

    tftp server
        |
    Site1 - Pix1 ----internet----- Pix2 -- Site2
        |
    admin team


    Is it possible to use the tftp server for pix2 configuration management?
    Using the vpn, of course.
    I am unable to contact the tftp server from the pix2 (trying the inside or
    outside interface for the tftp-server statement).


    Is it possible to administrate the pix2 through the vpn using ssh?
    I am unable to ping/ssh the opposite pix directly from a site, passing
    through the vpn.

    The vpn is working perfectly from any computer of a site to computers
    of the opposite site.


    This is the second pix configuration.

    PIX Version 6.3(3)

    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    fixup protocol dns maximum-length 512
    fixup protocol ftp strict 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol http 81
    fixup protocol http 82
    fixup protocol http 83
    fixup protocol http 84
    fixup protocol http 85
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.0.0 site1_nwk
    name 192.168.0.2 tftp_server

    name 192.168.10.0 site2_nwk
    name 192.168.10.1 fw_site2

    name *.*.*.* public_for_nat_site2
    name *.*.*.* public_router_site2
    name *.*.*.* public_fw_site2
    name *.*.*.* public_fw_site1


    object-group network site2
    network-object site2_nwk 255.255.255.0

    object-group network site1
    network-object site1_nwk 255.255.255.0

    access-list inside_access_in permit ip object-group site2 any
    access-list outside_access_in deny ip any any
    access-list vpn_2_to_1 permit ip site2_nwk 255.255.255.0 site1_nwk 255.255.255.0
    access-list vpn_2_to_1 permit ip host public_fw_site2 site1_nwk 255.255.255.0

    ip address outside public_fw_site2 255.255.255.248
    ip address inside fw_site2 255.255.255.0
    ip verify reverse-path interface outside

    global (outside) 1 public_for_nat_site2
    nat (inside) 0 access-list vpn_2_to_1
    nat (inside) 1 site2_nwk 255.255.255.0 0 0

    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside

    route outside 0.0.0.0 0.0.0.0 public_router_site2 1

    tftp-server outside tftp_server /fw_site2

    sysopt connection permit-ipsec
    crypto ipsec transform-set trset3des esp-3des esp-md5-hmac
    crypto map outside_map 10 ipsec-isakmp
    crypto map outside_map 10 match address vpn_2_to_1
    crypto map outside_map 10 set peer public_fw_site1
    crypto map outside_map 10 set transform-set trset3des
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address public_fw_site1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    ssh tftp_server 255.255.255.255 outside
    ssh tftp_server 255.255.255.255 inside
     
    Blouz, Jan 27, 2005
    #1
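    As an added example (not code from the thread), a small Python check that answers one piece of the question above from the configuration alone: does a given source/destination pair fall inside the crypto map's interesting-traffic ACL (vpn_2_to_1), so the tunnel would carry it at all. It runs over a constructed excerpt of the posted config; the masked public address is replaced by the documentation-range placeholder 203.0.113.2, which is an assumption.

```python
import ipaddress

# Constructed excerpt of the PIX 6.3 config posted above. The masked
# "*.*.*.*" outside address is an assumed placeholder (203.0.113.2).
PIX_CONFIG = """
name 192.168.0.0 site1_nwk
name 192.168.0.2 tftp_server
name 192.168.10.0 site2_nwk
name 192.168.10.1 fw_site2
name 203.0.113.2 public_fw_site2
access-list vpn_2_to_1 permit ip site2_nwk 255.255.255.0 site1_nwk 255.255.255.0
access-list vpn_2_to_1 permit ip host public_fw_site2 site1_nwk 255.255.255.0
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_2_to_1
"""

def _nets(tokens, names):
    """Turn '<src> <mask> <dst> <mask>' (or 'host x' / 'any') into networks."""
    nets = []
    while tokens:
        if tokens[0] == "host":
            nets.append(ipaddress.ip_network(names.get(tokens[1], tokens[1])))
            tokens = tokens[2:]
        elif tokens[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            tokens = tokens[1:]
        else:
            addr, mask = names.get(tokens[0], tokens[0]), tokens[1]
            nets.append(ipaddress.ip_network(f"{addr}/{mask}"))
            tokens = tokens[2:]
    return tuple(nets)

def parse_config(text):
    """Return (name table, ACL entries, ACL names bound to a crypto map)."""
    names, acls, crypto_acls = {}, {}, set()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append(_nets(t[4:], names))
        elif t[0] == "crypto" and "match" in t:
            crypto_acls.add(t[t.index("address") + 1])
    return names, acls, crypto_acls

def vpn_covers(text, src, dst):
    """True if src->dst matches any crypto-map ACL line (names allowed)."""
    names, acls, crypto_acls = parse_config(text)
    s = ipaddress.ip_address(names.get(src, src))
    d = ipaddress.ip_address(names.get(dst, dst))
    return any(s in sn and d in dn
               for acl in crypto_acls for sn, dn in acls.get(acl, []))
```

    With the posted ACL, traffic sourced from the inside address (fw_site2) or the outside address (public_fw_site2) towards tftp_server is interesting traffic, while anything leaving the two /24s is not.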

  2. "[no] management-access <mgmt_if>" might be what you are looking for
    regarding the remote admin.

    Regards,
    Stefan
     
    Stefan Gofferje, Jan 27, 2005
    #2

  3. Thank you, it solved my ssh trouble.
    Does anyone know how to use syslog and tftp for pix2 through pix?
     
    julien.contal, Feb 2, 2005
    #3