ssh and tftp through a pix to pix vpn

hello,

I deployed a simple pix to pix vpn, using isakmp.

tftp server
I
Site1 - Pix1 ----internet----- Pix2 -- Site2
I
admin team


Is it possible to use the tftp server for pix2 configuration
management ?
Using the vpn, of course.
I am unable to contact the tftp server from the pix2 (trying inside or
outside interface for the tftp-server statement)


Is it possible to administrate the pix2 through the vpn using ssh ?
I am unable to ping/ssh the opposite pix directly from a site, passing
through the vpn.

The vpn is working perfectly from any computer of a site to computers
of the opposite site.


This is the second pix configuration.

PIX Version 6.3(3)

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp strict 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 81
fixup protocol http 82
fixup protocol http 83
fixup protocol http 84
fixup protocol http 85
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.0 site1_nwk
name 192.168.0.2 tftp_server

name 192.168.10.0 site2_nwk
name 192.168.10.1 fw_site2

name *.*.*.* public_for_nat_site2
name *.*.*.* public_router_site2
name *.*.*.* public_fw_site2
name *.*.*.* public_fw_site1


object-group network site2
network-object site2_nwk 255.255.255.0

object-group network site1
network-object site1_nwk 255.255.255.0

access-list inside_access_in permit ip object-group site2 any
access-list outside_access_in deny ip any any
access-list vpn_2_to_1 permit ip site2_nwk 255.255.255.0 site1_nwk
255.255.255.0
access-list vpn_2_to_1 permit ip host public_fw_site2 site1_nwk
255.255.255.0

ip address outside public_fw_site2 255.255.255.248
ip address inside fw_site2 255.255.255.0
ip verify reverse-path interface outside

global (outside) 1 public_for_nat_site2
nat (inside) 0 access-list vpn_2_to_1
nat (inside) 1 site2_nwk 255.255.255.0 0 0

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 public_router_site2 1

tftp-server outside tftp_server /fw_site2

sysopt connection permit-ipsec
crypto ipsec transform-set trset3des esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_2_to_1
crypto map outside_map 10 set peer public_fw_site1
crypto map outside_map 10 set transform-set trset3des
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address public_fw_site1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

ssh tftp_server 255.255.255.255 outside
ssh tftp_server 255.255.255.255 inside

 

"[no] management-access <mgmt_if>" might be what you are looking for
regarding the remote admin.

Regards,
Stefan

 

Thank tou, it solve my ssh trouble.
Does anyone know how to use syslog and tftp for pix2 through pix ?