Cannot manage remote pix through vpn tunnel

Posted on 2006-05-02
Medium Priority
Last Modified: 2013-12-03
I have a VPN tunnel between the PIX 501 (static IP) at my main office and the PIX 501 (dynamic IP) at my house.
I configured the tunnel just as this Cisco article says:


Here is the dynamic pix config:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password msagqD6P encrypted
passwd msagqD6P encrypted
hostname Pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any echo-reply
access-list 101 permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd wins
dhcpd lease 99999
dhcpd ping_timeout 750
dhcpd domain domain.local
dhcpd enable inside
terminal width 80
: end

The tunnel works great except for the fact that I cannot remotely manage either PIX with telnet or HTTP while at the other site.

Is there a way to configure this to work?
Question by: hindsight
LVL 20

Expert Comment

ID: 16593134
Just add this to your config(s):
  management-access inside

Assuming you don't have an IP conflict, i.e. the home LAN IP range doesn't overlap with the inside LAN behind the PIX, you'll be set.

LVL 20

Expert Comment

ID: 16593141
NOTE: the above command is a new feature in PIX 6.3 series.
LVL 32

Expert Comment

ID: 16622492
I'm not quite sure if it will allow you to manage the PIX through the remote VPN, but calvinetter knows better. Another option is to first connect through the VPN, then RDP into a machine inside the other network. Then telnet back to the PIX from that machine and it should let you do it.


LVL 20

Expert Comment

ID: 16623205
Yes I'm quite sure Rajesh!  ;)  It works.

LVL 32

Expert Comment

ID: 16623617
Perfect, then there goes the solution to the problem.


Author Comment

ID: 16636143
Tried the command but it didn't seem to work.

RDP is already what I am using. Actually, another workaround I came up with is to go into PIX Device Manager at the main site to find out what the current IP at my house is, then remote into the WAN side of the remote PIX. (I made a policy to allow the IP at my main office to access the PIX through HTTP on the public side.)

The only problem with that is the remote config (from Cisco) causes an "unsupported command" problem with PIX Device Manager (something to do with access list 101 not being bound to the outside interface) and I can't use it to edit the config normally, though I am able to use the command line option from Device Manager.

Mainly I'd just like to be able to connect to it in one step by telnetting from the main office.
LVL 20

Accepted Solution

calvinetter earned 2000 total points
ID: 16636676
>Tried the command but it didnt seem to work.
  Did you run the command on the PIX that you're trying to get to (PIX at your house)?  It works, with a properly configured VPN.  

  You really should have a separate ACL for matching the site-to-site traffic, on both PIXes; run this on the home PIX (yes, the ACL below should be identical to your ACL 101); also remove the redundant ACL on the inside of the PIX:
  no access-group inside_access_in in interface inside
  access-list site_acl permit ip
  crypto map newmap 10 match address site_acl
  clear cry isa sa
  clear cry ips sa
  clear xlate
  crypto map newmap interface outside

(The above assumes the subnet behind the office PIX is 192.168.1.x)  Now send traffic between the internal LANs behind the PIXes, to re-establish the VPN tunnel.
  At this point, if you still can't telnet to or ping the inside IP of the home PIX from a host at the office, & you've already added "management-access inside" to the home PIX, please post the complete sanitized config for the office PIX (passwords removed, public IPs masked like so: x.x.x.82 or replaced with another bogus IP similar to "" above).

  Or you could just allow SSH to the outside interface of the home PIX from the IP of the office PIX; I highly suggest SSH over telnet, even via a VPN tunnel:
  access-list outside_access_in permit tcp host <office PIX public IP> interface outside eq 22
  access-group outside_access_in in interface outside
  ssh 0 0 outside
  ssh 0 0 inside <- optionally also allow from inside

  If "sh ca mypubkey rsa" displays output on a key pair, then you're done.  Otherwise, generate a key pair & save it. Note this is very CPU intensive - best done via console if possible, or wait until PDM becomes responsive again:
  pix(config)# ca generate rsa key 1536  <-- wait a while...
  pix(config)# ca save all
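A small config-linting script for the points raised in this thread: it checks a PIX 6.3 config text for the missing "management-access inside", for a crypto-map match ACL that is also used by nat 0 or an access-group (the shared ACL 101 the accepted answer tells the asker to replace with a dedicated site ACL), for telnet access where SSH was recommended, and for "ssh 0 0 outside" without a host-restricted port-22 permit in the outside ACL. This is an added example, not code from the thread or from Cisco; the sample config and its addresses are constructed.

```python
import re

# Constructed sample, shaped like the home-PIX config posted above (IPs made up).
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
access-list outside_access_in permit icmp any any echo-reply
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
access-group outside_access_in in interface outside
crypto map newmap 10 match address 101
crypto map newmap interface outside
telnet 192.168.2.0 255.255.255.0 inside
"""


def audit_pix_config(config: str) -> list[str]:
    """Return findings about managing this PIX 6.3 over a site-to-site VPN."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # The thread's fix: the inside IP only answers over the tunnel with this command.
    if not any(l.startswith("management-access ") for l in lines):
        findings.append("missing 'management-access inside'")
    # ACLs referenced by crypto-map match, nat 0 and access-group.
    match_acls = {m.group(1) for l in lines
                  if (m := re.match(r"crypto map \S+ \d+ match address (\S+)$", l))}
    nat0_acls = {m.group(1) for l in lines
                 if (m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", l))}
    bound_acls = {m.group(1) for l in lines
                  if (m := re.match(r"access-group (\S+) in interface", l))}
    for acl in sorted(match_acls & (nat0_acls | bound_acls)):
        findings.append(f"ACL {acl} is shared between crypto map and nat/access-group; "
                        "use a dedicated site ACL")
    # Telnet to the box: the accepted answer prefers SSH even through the tunnel.
    if any(re.match(r"telnet \S+ \S+ \S+$", l) for l in lines):
        findings.append("telnet enabled; prefer ssh")
    # SSH from anywhere on outside needs a host-restricted permit for port 22 in the outside ACL.
    if any(l in ("ssh 0 0 outside", "ssh 0.0.0.0 0.0.0.0 outside") for l in lines):
        if not any(re.match(r"access-list \S+ permit tcp host \S+ interface outside eq (22|ssh)$", l)
                   for l in lines):
            findings.append("ssh 0 0 outside without a host-restricted permit for port 22")
    return findings


if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE_CONFIG):
        print("-", finding)
```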

