Administer Remote PIX

reicherb

I've got a site-to-site VPN connection established. The central location (where I am) has a static IP and the remote location has a dynamic IP. Every time a configuration change needs to be made at the remote site I have to drive out there and make it from there. Is there a way to enable SSH connections (or any other connection) on the inside interface to be established from the outside (across the VPN)? There must be a way to remotely administer the other end... How are you all doing it?

Thanks.
 

ScottMac

You can enable SSH admin from the outside. You cannot enable Telnet admin sessions from outside. The "problem" is that Cisco only supports SSH v1, which is way better than Telnet, but still not entirely secure.

If possible, it'd be better to set up a static to an SSH server on the inside, then Telnet / SSH from that machine to the PIX. That should give you a better chance at stronger security, allow the necessary admin, and not leave yourself wide open.

That's the way I have my home setup. I have a static for port 22 aimed at a Linux box (running Samba too), from that box, I can get to my PIX or any other machine on the network. So far, no problems.

Anyway, that's what works for me, YMMV.

Good Luck

Scott
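
The SSH v1 point in the reply above can be checked from the identification line every SSH server sends on connect. This is an added example, not part of the original posts; the host names and banner strings in `SAMPLES` are constructed, and `read_banner` is a hypothetical helper for fetching a live banner from a device you administer.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")

def classify_banner(line):
    """Return (protoversion, software, verdict) for one identification line."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return (None, None, "not-ssh")
    proto, software = m.group(1), m.group(2)
    if proto == "2.0":
        verdict = "v2-only"
    elif proto == "1.99":            # server speaks v2 but still accepts v1 clients
        verdict = "v2-with-v1-fallback"
    elif proto.startswith("1."):     # e.g. 1.5, the SSH v1 protocol version
        verdict = "v1-only"
    else:
        verdict = "unknown"
    return (proto, software, verdict)

def accepts_v1(banners):
    """Names of hosts whose banner shows SSH v1 is still accepted."""
    bad = ("v1-only", "v2-with-v1-fallback")
    return [name for name, line in banners.items()
            if classify_banner(line)[2] in bad]

def read_banner(host, port=22, timeout=5.0):
    """Fetch the identification line from a live server (hypothetical helper)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(20):          # servers may send other lines first
            line = f.readline(255).decode("ascii", "replace")
            if line.startswith("SSH-") or not line:
                return line
    return ""

# Constructed sample banners, labelled by a made-up host name.
SAMPLES = {
    "pix-remote": "SSH-1.5-Cisco-1.25\r\n",
    "linux-jump": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    "old-jump": "SSH-1.99-OpenSSH_3.9p1\r\n",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, classify_banner(line))
```
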
 

reicherb

The problem is that since it's got a dynamic address, it doesn't do any good to enable SSH on the outside, and there is nothing but PCs on the inside that don't always stay on.