Cannot manage remote pix through vpn tunnel

Posted on 2006-05-02
Last Modified: 2013-12-03
I have a VPN tunnel from the PIX 501 (static IP) at my main office and the PIX 501 (dynamic IP) at my house.
I configured the tunnel just as this Cisco article says:

Here is the dynamic PIX config:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password msagqD6P encrypted
passwd msagqD6P encrypted
hostname Pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any echo-reply
access-list 101 permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd wins
dhcpd lease 99999
dhcpd ping_timeout 750
dhcpd domain domain.local
dhcpd enable inside
terminal width 80
: end

The tunnel works great except for the fact that I cannot remotely manage either PIX with telnet or http while at the other site.

Is there a way to configure this to work?
Question by:hindsight
    LVL 20

    Expert Comment

    Just add this to your config(s):
      management-access inside

    Assuming you don't have an IP conflict - i.e., the home LAN IP range doesn't overlap w/ the inside LAN behind the PIX - you'll be set.

    LVL 20

    Expert Comment

    NOTE: the above command is a new feature in PIX 6.3 series.
    LVL 32

    Expert Comment

    I'm not quite sure if it will allow you to manage the PIX through remote VPN, but Calivinetter knows better. The other option is to first connect through VPN, then RDP into a machine inside the other network. Then telnet back to the PIX from that machine and it should let you do it.

    LVL 20

    Expert Comment

    Yes I'm quite sure Rajesh!  ;)  It works.

    LVL 32

    Expert Comment

    Perfect, then there goes the solution to the problem.

    LVL 1

    Author Comment

    Tried the command but it didn't seem to work.

    RDP is already what I am using. Actually, another workaround I came up with is to go into PIX Device Manager at the main site to find out what the current IP at my house is, then remote into the WAN side of the remote PIX. (I made a policy to allow the IP at my main office to access the PIX through http on the public side.)

    The only problem with that is the remote config (from Cisco) causes an "unsupported command" problem with PIX Device Manager (something to do with access list 101 not being bound to the outside interface) and I can't use it to edit the config normally. Though I am able to use the command line option from Device Manager.

    Mainly I'd just like to be able to connect to it in one step by just telnetting from the main office.
    LVL 20

    Accepted Solution

    >Tried the command but it didnt seem to work.
      Did you run the command on the PIX that you're trying to get to (PIX at your house)?  It works, with a properly configured VPN.  

      You really should have a separate ACL for matching the site-to-site traffic, on both PIXes; run this on the home PIX (yes, the ACL below should be identical to your ACL 101); also remove the redundant ACL on the inside of the PIX:
      no access-group inside_access_in in interface inside
      access-list site_acl permit ip
      crypto map newmap 10 match address site_acl
      clear cry isa sa
      clear cry ips sa
      clear xlate
      crypto map newmap interface outside

    (The above assumes the subnet behind the office PIX is 192.168.1.x)  Now send traffic between the internal LANs behind the PIXes, to re-establish the VPN tunnel.
      At this point, if you still can't telnet to or ping the inside IP of the home PIX from a host at the office, & you've already added "management-access inside" to the home PIX, please post the complete sanitized config for the office PIX (passwords removed, public IPs masked like so: x.x.x.82 or replaced with another bogus IP similar to "" above).

      Or you could just allow SSH to the outside interface of the home PIX from the IP of the office PIX; I highly suggest SSH over telnet, even via a VPN tunnel:
      access-list outside_access_in permit tcp host <office PIX public IP> interface outside eq 22
      access-group outside_access_in in interface outside
      ssh 0 0 outside
      ssh 0 0 inside <- optionally also allow from inside

      If "sh ca mypubkey rsa" displays output on a key pair, then you're done.  Otherwise, generate a key pair & save it. Note this is very CPU intensive - best done via console if possible, or wait until PDM becomes responsive again:
      pix(config)# ca generate rsa key 1536  <-- wait a while...
      pix(config)# ca save all

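    The whole arrangement the answers above describe (management-access on the PIX you want to reach, a dedicated crypto ACL mirrored on both PIXes, and SSH on the home PIX narrowed to the office address), written out for both ends as an added example; it is not anything posted in this thread and not taken from a Cisco document. Every address is an assumed placeholder because the thread masks the real ones: office inside 192.168.1.0/24, home inside 192.168.2.0/24, office public IP 203.0.113.10. The office side uses a dynamic crypto map because the home PIX has no fixed address, which also means only the home side can bring the tunnel up. The ssh statement on the outside is limited to the office host rather than "0 0", since on the PIX that statement (not the outside access-list) decides which sources may reach the SSH service. DES/MD5/group 1 are kept only to match the config in the question.

```cisco
! ===== Home PIX 501 (dynamic public IP) =====
! Assumed addresses (not from the thread): home inside 192.168.2.0/24,
! office inside 192.168.1.0/24, office public 203.0.113.10, key <shared-secret>
! One ACL selects tunnel traffic, a second exempts it from NAT; don't reuse one ACL for both
access-list site_acl permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
global (outside) 1 interface
! An inside ACL of "permit ip any any" adds nothing: inside->outside is allowed by default
no access-group inside_access_in in interface inside
! Phase 1 to the static office peer (weak suite kept only to match the question's config)
isakmp enable outside
isakmp identity address
isakmp key <shared-secret> address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
! Phase 2: match the dedicated ACL, not the nat 0 ACL
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address site_acl
crypto map newmap 10 set peer 203.0.113.10
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
sysopt connection permit-ipsec
! Let hosts that arrive through the tunnel reach the inside interface address (6.3 feature);
! which hosts and protocols are then governed by the ssh/telnet/http lines for "inside"
management-access inside
ssh 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
! Fallback path when the tunnel is down: SSH to the outside address, office PIX only
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 5

! ===== Office PIX 501 (static public IP, assumed 203.0.113.10) =====
access-list site_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
! The home peer address is not known in advance, so accept it via a dynamic crypto map
! and a wildcard pre-shared key; only the side with the dynamic address can initiate
isakmp enable outside
isakmp identity address
isakmp key <shared-secret> address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 match address site_acl
crypto dynamic-map dynmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
sysopt connection permit-ipsec
! Mirror image so the home LAN can manage this PIX's inside address through the tunnel
management-access inside
ssh 192.168.2.0 255.255.255.0 inside

! ===== Verification (on either PIX, after sending traffic from the home LAN) =====
! SSH needs an RSA key pair on each PIX; this shows whether one already exists
show ca mypubkey rsa
! QM_IDLE / active SAs mean phase 1 and phase 2 are up
show crypto isakmp sa
show crypto ipsec sa
! hitcnt on site_acl rising confirms the new ACL, not ACL 101, is selecting tunnel traffic
show access-list site_acl
```

    The two site_acl lines are exact mirrors of each other (source and destination swapped); if they differ, phase 2 fails even when phase 1 completes. Because the office holds only a dynamic map, an SSH attempt from the office to the home inside address while no tunnel is up will just time out; generate traffic from the home LAN first, or use the outside-address SSH fallback.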
