Communicating with PIX via VPN

We have a PIX 501 at our office connected to a T1, and a PIX 515 at our colo. There's a VPN set up between the two, and we can access hosts behind "the other" router from either location. Now, I want to be able to access the PDM and do SNMP queries against the 515 over the VPN. It looks like the PIXes themselves don't know what to do with traffic for hosts on the other network... if there was a VPN interface, I'd try adding routing table entries. But there isn't, so I'm kinda stuck.

John Oliver

You can proceed in either of two ways.

1) In your -existing- crypto map match-address ACL on the 515, add a line permitting traffic from the public interface IP (use the keyword "interface outside" if you are using PIX 6; possibly the actual IP address for PIX 7), with the destination being the host(s) that you want to monitor from; it wouldn't hurt to add the combination into the nat 0 access-list as well (and it might be necessary to make it work.) On the PIX 501, add the corresponding reverse entries. Have the monitoring software address the public outside IP of the 515.

If you use this approach, you do NOT need to add a new crypto map policy, just a couple of new ACL entries.

2) Create a new "management interface" VPN on the 515 attached to the -inside- interface. You might need a complete new crypto map for this, as in theory it is active against the inside interface instead of the outside. Check the documentation examples to be sure; I've never done this myself. Have the monitoring software address the private inside interface IP of the 515.
Walter Roberson

Why not simply use "management-access inside" and use the inside interface for your SNMP polls, PDM, ssh, whatever?

Brian V
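As an added illustration of the two approaches above (Walter's option 1 and Brian's "management-access inside"), here is a PIX 6.3-style configuration fragment. It is not from the thread or from Cisco; all addresses, ACL and crypto-map names are assumed, and the "interface outside" ACL keyword is used as Walter's reply describes it. The existing site-to-site tunnel between the two inside subnets is assumed to already be working.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   515 (colo):   outside 203.0.113.2, inside 10.2.0.1 on 10.2.0.0/24
!   501 (office): outside 198.51.100.2, inside 10.1.0.0/24
!   Monitoring / PDM workstation at the office: 10.1.0.50
! Assumed existing names: ACL vpn_to_office, ACL nonat, crypto map outside_map.

! ---- Option 1 (Walter): address the 515 on its public outside IP ----
! On the 515. The first line is the existing LAN-to-LAN entry; the second
! selects traffic the 515 itself sources from its outside interface toward
! the monitoring host, so replies to polls are sent into the tunnel.
access-list vpn_to_office permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list vpn_to_office permit ip interface outside host 10.1.0.50
! Same pair in the NAT-exemption list, as the reply suggests.
access-list nonat permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nonat permit ip interface outside host 10.1.0.50
nat (inside) 0 access-list nonat
crypto map outside_map 10 match address vpn_to_office
! Only the monitoring host may poll SNMP or open PDM, and only via the tunnel
! (the traffic arrives decrypted on the outside interface).
snmp-server community <community-string>
snmp-server host outside 10.1.0.50 poll
http server enable
http 10.1.0.50 255.255.255.255 outside

! On the 501: mirror-image entries (assumed names vpn_to_colo and nonat).
access-list vpn_to_colo permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list vpn_to_colo permit ip host 10.1.0.50 host 203.0.113.2
access-list nonat permit ip host 10.1.0.50 host 203.0.113.2
nat (inside) 0 access-list nonat
! The monitoring software then polls 203.0.113.2.

! ---- Brian's approach: manage the 515 on its inside interface ----
! On the 515 only. The existing subnet-to-subnet crypto ACL already covers
! 10.2.0.1, so no new crypto-map or nat 0 entries are needed.
management-access inside
snmp-server community <community-string>
snmp-server host inside 10.1.0.50 poll
http server enable
http 10.1.0.50 255.255.255.255 inside
ssh 10.1.0.50 255.255.255.255 inside
! The monitoring software then polls 10.2.0.1 across the tunnel.
```

In both variants the management permissions are restricted to the single monitoring host rather than a whole subnet, and SNMP is limited to polling; if PDM is not needed, leave `http server enable` out. Check with `show crypto ipsec sa` on either side that a security association exists for the management host pair after the first poll.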
