ssh to outside int of PIX 506 !!!

Discussion in 'Cisco' started by Todd, Dec 21, 2005.

  1. Todd

    Todd Guest

    We have a LAN-to-LAN VPN tunnel from a PIX in a branch office to VPN
    concentrator on our network. We are basically extending our LAN to the
    branch! All the traffic that they generate goes into that tunnel and
    comes to us.

    So everything generated from "130.1.x.x" going to "any" is put in the

    access-list VPN permit ip any

    In the opposite way, traffic from "any" comming to 130.1.x.x is
    expected to be encrypted and comming from the tunnel. If it is not -
    it's dropped!

    I am not sure if that's what is happening to my ssh traffic, even
    though its destination is a 65.x.x.x address -> the outside IP of the
    I do have an ssh statement in the config allowing me to enter the
    outside port. Actually i have a telnet and ssh statement allowing me
    access to the inside interface as well, with no success! I was hoping
    that it would work like a router and let me in through the inside int
    even though i'm comming from outside interface (through the tunnel) but
    it doesn't!

    The only way i can get to the PIX is to telnet to a switch behind it
    and from the switch telnet back to the PIX inside interface.

    Is there any way that i could get directly to the PIX without altering
    the VPN Tunnel configuration?

    Todd, Dec 21, 2005
    1. Advertisements

  2. The 'ssh' statement has to reflect the IP of the source as seen
    at the destination PIX [after decapsulation if the ssh traffic is
    going through the VPN tunnel.]

    Think about whether the outside IP of the remote PIX is in the
    same subnet that is being tunneled, and look at any 'static'
    and nat 0 access-list and policy-nat that you have constructed.
    Chances are you'll find that traffic to the outside IP of the
    remote PIX is being NAT'd, and that the 'ssh' you have set up
    on the remote PIX does not allow for that NAT'd IP. Remember,
    the outside IP of the remote PIX is not in the same subnet as the
    inside IP.

    There is also a solution that would allow you to address the
    inside IP of the remote PIX, but that would involve changing
    your VPN tunnel configuration, and so would violate the constraints
    you have set forth.
    Walter Roberson, Dec 21, 2005
    1. Advertisements

  3. Todd

    Todd Guest

    I found what my problem was.... I had not generated an rsa key on this

    Thanks for your help Walter!
    Todd, Dec 22, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.