ssh to outside int of PIX 506 !!!

We have a LAN-to-LAN VPN tunnel from a PIX in a branch office to VPN concentrator on our network. We are basically extending our LAN to the branch! All the traffic that they generate goes into that tunnel and comes to us.

So everything generated from "130.1.x.x" going to "any" is put in the tunnel.

access-list VPN permit ip 130.1.0.0 255.255.0.0 any

In the opposite way, traffic from "any" coming to 130.1.x.x is expected to be encrypted and coming from the tunnel. If it is not - it's dropped!

I am not sure if that's what is happening to my ssh traffic, even though its destination is a 65.x.x.x address -> the outside IP of the PIX. I do have an ssh statement in the config allowing me to enter the outside port. Actually I have a telnet and ssh statement allowing me access to the inside interface as well, with no success! I was hoping that it would work like a router and let me in through the inside int even though I'm coming from the outside interface (through the tunnel), but it doesn't!

The only way I can get to the PIX is to telnet to a switch behind it and from the switch telnet back to the PIX inside interface.

Is there any way that I could get directly to the PIX without altering the VPN tunnel configuration?

Thanks, Todd

Todd

The 'ssh' statement has to reflect the IP of the source as seen at the destination PIX [after decapsulation if the ssh traffic is going through the VPN tunnel.]

Think about whether the outside IP of the remote PIX is in the same subnet that is being tunneled, and look at any 'static' and nat 0 access-list and policy-nat that you have constructed. Chances are you'll find that traffic to the outside IP of the remote PIX is being NAT'd, and that the 'ssh' you have set up on the remote PIX does not allow for that NAT'd IP. Remember, the outside IP of the remote PIX is not in the same subnet as the inside IP.

There is also a solution that would allow you to address the inside IP of the remote PIX, but that would involve changing your VPN tunnel configuration, and so would violate the constraints you have set forth.

Walter Roberson

I found what my problem was.... I had not generated an RSA key on this PIX.

Thanks for your help Walter!

Todd
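As an added illustration (not configuration posted by Todd or Walter), here is the PIX 6.x configuration shape the thread converges on: the SSH server cannot accept connections until the PIX has an RSA host key, and the ssh statement must name the management host's address as the PIX sees it after the tunnel decapsulates the packet, on the interface the packet arrives on. The hostname, domain name, the 192.0.2.0/24 management subnet and the key size are assumptions.

```cisco
! Constructed example: branch PIX 506 running PIX OS 6.x (assumed)
hostname branch-pix
domain-name example.com
!
! SSH cannot start until the PIX has an RSA host key; this was the
! missing step in the thread. The key is bound to hostname/domain-name,
! so set those first, then generate and save the key.
ca generate rsa key 1024
ca save all
!
! Permit SSH only from the hub-side management subnet (192.0.2.0/24 is
! a placeholder). The address must be the source as it appears AFTER
! decapsulation on the interface the packet arrives on, so check any
! static, nat 0 access-list or policy NAT rules that may rewrite it.
ssh 192.0.2.0 255.255.255.0 outside
ssh 192.0.2.0 255.255.255.0 inside
ssh timeout 15
!
! Verification:
!   show ca mypubkey rsa     - confirms a host key exists
!   show ssh sessions        - lists live SSH sessions
!   debug ssh                - shows why a connection is refused
```

If `show ca mypubkey rsa` prints nothing, the key was never generated or never saved, and every SSH attempt will be refused regardless of how the ssh statements are written.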
