ssh and tftp through a pix to pix vpn

Discussion in 'Cisco' started by Blouz, Jan 27, 2005.

  1. Blouz

    Blouz Guest


    I deployed a simple pix to pix vpn, using isakmp.

    tftp server
    Site1 - Pix1 ----internet----- Pix2 -- Site2
    admin team

    Is it possible to use the tftp server for pix2 configuration
    management?
    Using the vpn, of course.
    I am unable to contact the tftp server from the pix2 (trying the inside or
    outside interface in the tftp-server statement).

    Is it possible to administer the pix2 through the vpn using ssh?
    I am unable to ping/ssh the opposite pix directly from a site, passing
    through the vpn.

    The vpn is working perfectly from any computer of a site to computers
    of the opposite site.

    This is the second pix configuration.

    PIX Version 6.3(3)

    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    fixup protocol dns maximum-length 512
    fixup protocol ftp strict 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol http 81
    fixup protocol http 82
    fixup protocol http 83
    fixup protocol http 84
    fixup protocol http 85
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    name site1_nwk
    name tftp_server

    name site2_nwk
    name fw_site2

    name *.*.*.* public_for_nat_site2
    name *.*.*.* public_router_site2
    name *.*.*.* public_fw_site2
    name *.*.*.* public_fw_site1

    object-group network site2
    network-object site2_nwk

    object-group network site1
    network-object site1_nwk

    access-list inside_access_in permit ip object-group site2 any
    access-list outside_access_in deny ip any any
    access-list vpn_2_to_1 permit ip site2_nwk site1_nwk
    access-list vpn_2_to_1 permit ip host public_fw_site2 site1_nwk

    ip address outside public_fw_site2
    ip address inside fw_site2
    ip verify reverse-path interface outside

    global (outside) 1 public_for_nat_site2
    nat (inside) 0 access-list vpn_2_to_1
    nat (inside) 1 site2_nwk 0 0

    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside

    route outside public_router_site2 1

    tftp-server outside tftp_server /fw_site2

    sysopt connection permit-ipsec
    crypto ipsec transform-set trset3des esp-3des esp-md5-hmac
    crypto map outside_map 10 ipsec-isakmp
    crypto map outside_map 10 match address vpn_2_to_1
    crypto map outside_map 10 set peer public_fw_site1
    crypto map outside_map 10 set transform-set trset3des
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address public_fw_site1 netmask
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    ssh tftp_server outside
    ssh tftp_server inside
    Blouz, Jan 27, 2005

  2. "[no] management-access <mgmt_if>" might be what you are looking for
    regarding the remote admin.

    Stefan Gofferje, Jan 27, 2005

  3. Thank you, it solved my ssh trouble.
    Does anyone know how to use syslog and tftp for pix2 through the pix?
    julien.contal, Feb 2, 2005
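The following PIX 6.3 fragment is an added worked example, not a configuration from any poster in this thread. It ties together the two questions above: Stefan's pointer (management-access) covers SSH and ping to pix2's inside address over the tunnel, and the same pattern is what lets PIX-originated tftp and syslog traffic enter the tunnel. Host and network names are reused from Blouz's posted "name" statements (fw_site2, tftp_server, site1_nwk); the site1 netmask, the syslog level, and the assumption that syslog goes to the same Site1 host as tftp are mine and should be adjusted to the real values.

```text
! Added example (not from the thread). Assumes PIX 6.3 and the names
! fw_site2, tftp_server and site1_nwk as defined in the posted config.

! 1. Let the inside interface address act as the management endpoint when
!    the admin team arrives through the VPN (the command Stefan points to).
management-access inside

! 2. The crypto ACL must cover traffic the PIX itself sources from its
!    inside address, otherwise SSH replies, syslog and tftp to Site1 never
!    match the tunnel.  The posted ACL only covers the outside address.
!    Because nat (inside) 0 reuses vpn_2_to_1, this line also exempts the
!    inside address from NAT.
access-list vpn_2_to_1 permit ip host fw_site2 site1_nwk

! 3. Source PIX-originated services from the inside interface so they are
!    matched by the line above (the posted config used "outside").
tftp-server inside tftp_server /fw_site2
logging on
logging trap informational
! assumption: the syslog collector is the same Site1 host as the tftp server
logging host inside tftp_server

! 4. Allow SSH from the whole admin network on the inside interface rather
!    than from a single host; 255.255.255.0 is an assumed mask for site1_nwk.
ssh site1_nwk 255.255.255.0 inside
ssh timeout 10
```

To check that the change took effect, bring the tunnel up (for instance by pinging fw_site2 from a Site1 host) and look at `show crypto ipsec sa` on pix2: a security association whose local identity is fw_site2/255.255.255.255 toward site1_nwk should now exist alongside the existing site2_nwk one. If only the network-to-network SA appears, the new ACL line is not matching and the PIX-sourced traffic is leaving in the clear or being dropped by the peer.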
