hello, I deployed a simple pix to pix vpn, using isakmp.

tftp server
    |
Site1 - Pix1 ----internet----- Pix2 -- Site2
                                         |
                                     admin team

Is it possible to use the tftp server for pix2 configuration management? Using the vpn, of course. I am unable to contact the tftp server from the pix2 (trying inside or outside interface for the tftp-server statement).

Is it possible to administrate the pix2 through the vpn using ssh? I am unable to ping/ssh the opposite pix directly from a site, passing through the vpn. The vpn is working perfectly from any computer of a site to computers of the opposite site.

This is the second pix configuration.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp strict 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 81
fixup protocol http 82
fixup protocol http 83
fixup protocol http 84
fixup protocol http 85
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.0 site1_nwk
name 192.168.0.2 tftp_server
name 192.168.10.0 site2_nwk
name 192.168.10.1 fw_site2
name *.*.*.* public_for_nat_site2
name *.*.*.* public_router_site2
name *.*.*.* public_fw_site2
name *.*.*.* public_fw_site1
object-group network site2
 network-object site2_nwk 255.255.255.0
object-group network site1
 network-object site1_nwk 255.255.255.0
access-list inside_access_in permit ip object-group site2 any
access-list outside_access_in deny ip any any
access-list vpn_2_to_1 permit ip site2_nwk 255.255.255.0 site1_nwk 255.255.255.0
access-list vpn_2_to_1 permit ip host public_fw_site2 site1_nwk 255.255.255.0
ip address outside public_fw_site2 255.255.255.248
ip address inside fw_site2 255.255.255.0
ip verify reverse-path interface outside
global (outside) 1 public_for_nat_site2
nat (inside) 0 access-list vpn_2_to_1
nat (inside) 1 site2_nwk 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 public_router_site2 1
tftp-server outside tftp_server /fw_site2
sysopt connection permit-ipsec
crypto ipsec transform-set trset3des esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_2_to_1
crypto map outside_map 10 set peer public_fw_site1
crypto map outside_map 10 set transform-set trset3des
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address public_fw_site1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ssh tftp_server 255.255.255.255 outside
ssh tftp_server 255.255.255.255 inside
"[no] management-access <mgmt_if>" might be what you are looking for regarding the remote admin. Regards, Stefan
Thank you, it solved my ssh trouble. Does anyone know how to use syslog and tftp for pix2 through pix?
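As an added illustration (not from any poster in this thread, and not tested against this setup) of how the management-access tip fits the posted pix2 configuration when the inside interface is the management interface and the tftp/syslog host sits at site1. It assumes the names and ACL names of the posted config, and assumes that traffic the PIX itself sources from its inside address (fw_site2) must be covered by the crypto ACL and the nat 0 ACL to enter the tunnel.

```cisco
! Added example, not the poster's config. Names as in the posted pix2 config.

! Make the inside interface reachable for management from the far side of the tunnel
management-access inside

! Keep ssh restricted to the single admin host at site1 (already in the posted config)
ssh tftp_server 255.255.255.255 inside

! Assumption: PIX-sourced syslog/tftp from fw_site2 must match the crypto ACL.
! vpn_2_to_1 is also the nat 0 ACL, so this line exempts that traffic from NAT too.
access-list vpn_2_to_1 permit ip host fw_site2 site1_nwk 255.255.255.0

! Source tftp from the inside interface rather than outside
no tftp-server
tftp-server inside tftp_server /fw_site2

! Syslog to the same site1 host through the tunnel
logging on
logging trap informational
logging host inside tftp_server
```

After applying it, check with `show crypto ipsec sa` that encrypt/decrypt counters for the fw_site2 to site1_nwk selector increase when a syslog message or tftp write is generated; if they do not, the PIX-sourced traffic is leaving unencrypted and the ACL assumption above needs revisiting.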