Re: SSH/IPSec to PIX

From: Xuan.Sun@Seagate.com
Date: Mon Jun 14 2004 - 20:07:26 GMT-3


Hi Mas

I have tried to tunnel the telnet session to PIX using VPN client 4.x

I have inserted the secured host route for the outside interface in PIX to
the VPN client (using the split-tunnel you have mentioned). But I am still
not able to telnet to the outside interface of the PIX from the VPN
client.

Anything I missed?

I tried Koen's way. It works well. His solution does not require the secure
host route of the outside interface in the vpn client site since it uses
the inside interface as the destination of the telnet session from outside.

Regards

                                                                                                                                       
                      "910T"
                      <910t@cox.net> To: "Koen Peetermans" <K.Peetermans@chello.be>, "'Kareem Boules'"
                      Sent by: <kareem@synergyct.com>, <ccielab@groupstudy.com>
                      nobody@groupstudy cc: <security@groupstudy.com>
                      .com Subject: Re: SSH/IPSec to PIX
                      No Phone Info
                      Available
                                                                                                                                       
                      06/13/2004 01:35
                      PM
                      Please respond to
                      "910T"
                                                                                                                                       
                                                                                                                                       

Hello Koen,

Not to imply you had anything to do with the design decision, but this is
progress?

Bravo for the VPN 3005, but I'm dealing with PIXes and already installing 3
to 5 secure routes internal to the PIXes into the client--what's one more?

Anyway, the workaround to allow 4.x clients the same access to PIXes as 3.x
clients is to add the outside interface of the PIX to the split-tunnel ACL
(permitting access from the outside interface IP to the VPN pool). This
installs the host route into the 4.x client once and installs it into the
3.x client twice (two entries). ASW (another stupid workaround).

Regards,

Mas Kato
https://ecardfile.com/id/mkato

----- Original Message -----
From: "Koen Peetermans" <K.Peetermans@chello.be>
To: "'P729'" <p729@cox.net>; "'910T'" <910t@cox.net>; "'Kareem Boules'"
<kareem@synergyct.com>; <ccielab@groupstudy.com>
Cc: <security@groupstudy.com>
Sent: Sunday, June 13, 2004 3:04 AM
Subject: RE: SSH/IPSec to PIX

> Hi,
>
> This is "normal" since the 4.0 client will never install an IPSEC sa for the
> public IP addresses. I think this is done to lower memory requirements on
> the Easy VPN Server. For example, the VPN 3005 will allow 200 sessions
> instead of 100 sessions with the latest version and 4.0 clients connecting
> to it.
>
> You could work with the "management-access inside" command and connect to
> the internal IP address. Don't forget the "HTTP x.x.x.x inside" command to
> make it work.
>
> Kind regards,
>
> Koen.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of P729
> Sent: zondag 13 juni 2004 10:23
> To: 910T; Kareem Boules; ccielab@groupstudy.com
> Cc: security@groupstudy.com
> Subject: Re: SSH/IPSec to PIX
>
> Sorry if I misled anyone (I really need to read more carefully). I was
> talking about VPNing to the PIX with the 4.x client and then _Telneting_ to
> that PIX's outside interface through the tunnel, not SSH (why use SSH if you
> already have a secure channel?). The problem remains the secure host route
> to the PIX outside interface is not installed into the 4.x client as it is
> with the 3.x client.
>
> Regards,
>
> Mas Kato
> https://ecardfile.com/id/mkato
>
> ----- Original Message -----
> From: "910T" <910t@cox.net>
> To: "Kareem Boules" <kareem@synergyct.com>; <ccielab@groupstudy.com>
> Cc: <security@groupstudy.com>
> Sent: Saturday, June 12, 2004 9:13 AM
> Subject: Re: SSH/IPSec to PIX
>
>
> > I'm also dealing with this very issue at the moment. For some reason, the
> > secured host route to the outside interface of the PIX stopped being
> > installed with the 4.x version of the client as it was with the 3.x client
> > (look at your statistics under Route Details). I installed the 3.6 client
> > into a Virtual PC and it works fine with the same PIX configurations. I'm
> > doing split-tunneling--perhaps there's a workaround by fiddling with the
> > split-tunnel ACL. We'll see...
> >
> > Regards,
> >
> > Mas Kato
> > https://ecardfile.com/id/mkato
> >
> > ----- Original Message -----
> > From: "Kareem Boules" <kareem@synergyct.com>
> > To: <ccielab@groupstudy.com>
> > Cc: <security@groupstudy.com>
> > Sent: Saturday, June 12, 2004 11:13 AM
> > Subject: SSH/IPSec to PIX
> >
> >
> > > Hey fellows,
> > >
> > > I wonder if someone can help with this scenario:
> > > When I establish an IPSec tunnel between my SW Client (ver. 4) and PIX
> > > (6.3), then I try to SSH to the PIX, it doesn't work. I tried out lots of
> > > things, but the only workaround I could do is to, first, telnet to an
> > > inside host, then SSH to the PIX from that host.
> > > Any advice?
> > >
> > > Kareem
> >
> > _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
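The two workarounds discussed in the thread (Mas Kato's split-tunnel ACL entry for the outside interface, and Koen's management-access inside approach), written out as an added PIX 6.3 configuration sketch that is not from any of the posters. All addresses and names are constructed placeholders: 192.0.2.1 is the PIX outside interface, 10.1.0.0/16 the inside network, 10.10.10.0/24 the VPN address pool, and the ISAKMP/crypto-map configuration for the Easy VPN group is assumed to be already in place.

```cisco
! Added example, not from the thread. Constructed values:
!   outside interface 192.0.2.1, inside network 10.1.0.0/16, VPN pool 10.10.10.0/24
ip local pool vpnpool 10.10.10.1-10.10.10.254

! Split-tunnel ACL: the inside networks the client should send through the tunnel
access-list split_tunnel permit ip 10.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0
! Workaround 1 (split-tunnel ACL): also list the PIX outside interface as a host
! entry so the 4.x client installs a secured host route for it and a Telnet to
! that address goes through the tunnel instead of in the clear
access-list split_tunnel permit ip host 192.0.2.1 10.10.10.0 255.255.255.0

vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel split_tunnel

! The PIX only accepts Telnet on the outside interface from IPsec-protected
! sources, so the pool still has to be permitted for the outside interface
telnet 10.10.10.0 255.255.255.0 outside

! Workaround 2 (management-access inside): let tunnelled clients manage the
! PIX on its inside interface address; the pool must still be permitted per
! management service on that interface
management-access inside
telnet 10.10.10.0 255.255.255.0 inside
ssh 10.10.10.0 255.255.255.0 inside
! Only needed if PDM is used over the tunnel as well
http 10.10.10.0 255.255.255.0 inside
```

With either option the management session never leaves the tunnel, so the client's Route Details should show the chosen destination (192.0.2.1 or the inside interface address) as a secured route before the Telnet or SSH attempt.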



This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:40 GMT-3