Managing PIX behind a VPN.

Hi all,

In order to manage a PIX through a VPN I have enabled the inside interface as a "management interface". This way I could ping the PIX from the remote network, whereas before I couldn't. Now I'm trying to manage it via telnet, HTTPS and SSH, but even though I allowed the interesting traffic for the management on the outside (the VPN is terminated there), I'm still seeing the PIX reporting to me that access to the management interface is denied by the ACL applied on the outside. Actually, I see the ASDM logs report the traffic from the remote PC directed to the inside interface as blocked. The error is 710003, the classic one for traffic blocked by an ACL. I allowed the management from the remote LAN on the inside interface. Can you confirm that it is correct to activate the inside interface to manage the PIX remotely over a VPN? May I also use the TFTP protocol to save the configuration to a server located at the remote end of the VPN tunnel? Where am I wrong? PIX 7.0.2

Alex.

Reply to
AM

Let me add more details. If from the remote side I want to reach a PC (say through RDP, 3389) I can see the PIX opening an inbound connection from the

/port to inside:/port

That is correct, because the PC resides on the same segment as the inside interface of the PIX. When I want to reach the inside interface of the PIX, which I specified as the management interface, I just see

Discarded TCP from /port to outside:/port.

So the interface it refers to is no longer the inside but the outside, and that's weird to me. As already said, I put an ACL that allows traffic going to the IP address of the PIX inside interface, but when I try to use ASDM from remote the PIX itself tells me that it blocks it. So the problem is not (?) an ACL on the outside ACL.

Could it be related to the fact that I need to specify that the origin of the traffic is outside and the destination is the outside again? And therefore do I need to enable "permit traffic to flow between interfaces with the same security level"?

TIA Alex.

Reply to
AM

Hi Alex,

You need to configure an ACL to permit the inbound flow from the outside and add the external hosts (and set up the management interface inside, as you have already done). Let's say LAN ADMIN is on the outside and PRIV on the inside.

You should have a no-NAT statement, applied in your crypto map:

access-list inside_outbound_nat0_acl permit ip PRIV 255.255.255.0 ADMIN 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl

This line, to avoid putting complex ACLs at first:

sysopt connection permit-ipsec

and these lines to manage the PIX:

telnet ADMIN 255.255.255.0 outside
http ADMIN 255.255.255.0 outside
ssh ADMIN 255.255.255.0 outside

TFTP part now. There is no way to write "copy /source inside run /file"; you can only do:

copy running-config tftp://<server>/<file>

The ACL will allow it to work.

Then you have to write in config mode:

tftp-server inside <server> /pix515.conf

and wr mem will work.

Hope this helps Daniel

Reply to
daniel-fr

Hi Daniel,

The VPN between the two LANs has been working very fine for the last year and a half, so I think the VPN parameters are right.

daniel-fr wrote: "you should have a no nat statement: access-list inside_outbound_nat0_acl permit ip PRIV 255.255.255.0 ADMIN 255.255.255.0"

Correct, as I did.

daniel-fr wrote: "This line: sysopt connection permit-ipsec, to avoid putting complex acl at 1st"

That line is not really needed; I prefer to manage also the traffic coming from the VPN. On the outside interface there is a statement allowing IP traffic from the ADMIN LAN to the IP address of the inside interface.

daniel-fr wrote: "telnet ADMIN 255.255.255.0 outside / http ADMIN 255.255.255.0 outside / ssh ADMIN 255.255.255.0 outside"

Why? As the chosen interface for management is the inside one, I specified "http ADMIN 255.255.255.0 inside", meaning I can reach the PIX through HTTP on the inside interface (from the ADMIN LAN). There is a similar rule for the PRIV LAN. Obviously I need to allow that traffic on the outside interface, because that traffic is seen as incoming on the outside. That was done for the SSH and telnet incoming connections.

daniel-fr wrote: "and wr mem will work"

Did you mean wr net?

Thank you for taking your time for me.

Alex.

Reply to
AM

AM wrote: "I prefer to manage also the traffic coming from the VPN. On the outside interface there is a statement allowing IP traffic from the ADMIN LAN to the IP address of the inside interface. [...] I specified "http ADMIN 255.255.255.0 inside", meaning I can reach the PIX through HTTP on the inside interface (from the ADMIN LAN). There is a similar rule for the PRIV LAN."

From my experience it's not enough: whatever the access-lists are, you have to point out which hosts/networks are allowed to http/telnet/ssh.

AM wrote: "Obviously I need to allow that traffic on the outside interface, because that traffic is seen as incoming on the outside."

AM wrote: "Did you mean wr net?"

Yes, of course (knots in fingers :-o).

Reply to
daniel-fr
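Putting the thread's pieces together, here is an added example configuration for PIX 7.0.x. It is mine, not something Alex or Daniel posted, and it uses assumed addresses: PRIV is 192.168.1.0/24 with the PIX inside interface at 192.168.1.1, ADMIN is 192.168.2.0/24 at the far end of the site-to-site tunnel, and a TFTP server sits at 192.168.2.10 on ADMIN. The point Daniel ends on is the one that matters: syslog 710003 ("access denied by ACL from source/port to interface:dest/service") is raised by the to-the-box host check of the telnet/ssh/http commands, not by an access-group ACL on an interface, so the remote admin network must be listed on those commands whatever the interface ACL permits. The interface name on those lines follows Cisco's management-access documentation, which pairs them with the management interface (inside, as Alex configured); Daniel's lines name outside. The interface printed in the 710003 message is the one the check was evaluated against. Telnet and TFTP are cleartext and unauthenticated; the IPsec tunnel protects them on the wire, but the saved configuration carries password hashes and the tunnel pre-shared key, so keep the TFTP server locked down and use SSH/HTTPS (ASDM) for interactive management.

```cisco
! Added example (not from the thread). Assumed addressing:
!   PRIV  192.168.1.0/24, PIX inside interface 192.168.1.1
!   ADMIN 192.168.2.0/24, reached through the existing L2L IPsec tunnel
!   TFTP server 192.168.2.10 on the ADMIN LAN
!
! 1. Identity NAT for tunnel traffic (PRIV <-> ADMIN is not translated)
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
!
! 2. Either bypass the outside ACL for decrypted IPsec traffic (Daniel's
!    suggestion, 7.0 keyword) ...
sysopt connection permit-ipsec
!    ... or keep the explicit outside ACL and permit only what is needed
!    from ADMIN to the inside interface address (Alex's preference).
!    Uncomment these and remove the sysopt line if you go that way.
! access-list outside_access_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.1 eq ssh
! access-list outside_access_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.1 eq https
! access-list outside_access_in extended permit udp host 192.168.2.10 host 192.168.1.1 eq tftp
! access-group outside_access_in in interface outside
!
! 3. Let the inside interface address terminate management sessions that
!    arrive through the VPN on the outside interface.
management-access inside
!
! 4. The 710003 check: the source network must be listed on the
!    telnet/ssh/http commands. The interface named here is the management
!    interface. SSH needs an RSA key first:
!      domain-name example.net
!      crypto key generate rsa modulus 1024
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
! telnet 192.168.2.0 255.255.255.0 inside   <- avoid: cleartext credentials
!
! 5. Configuration backup to the TFTP server across the tunnel
!    (tftp-server <interface> <server> <path>; "write net" then uses it)
tftp-server inside 192.168.2.10 /pix515.conf
!
! From privileged exec, after the above:
!   write net
!   copy running-config tftp://192.168.2.10/pix515.conf
!
! Checks:
!   show running-config management-access
!   show running-config ssh
!   show running-config http
!   show logging | include 710003
```

If a connection from ADMIN is still refused, read the 710003 line in the log before touching the interface ACL: the interface name and service it prints tell you which telnet/ssh/http entry is missing.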

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.