Remote management

[yizhar]

HI.

I will need to support and manage a PIX 506 ver 6.01 over the Internet.
The PIX has DES activation key.
The PIX will participate in a site to site IPSec VPN with another PIX, but I would need to be able to gain access to the PIX directly and not from the VPN tunnel.

I will need CLI access, so PDM would be nice for monitoring, but not enough.

I have not much field experience with remote management of PIX.

What is your recommended technique to use?
SSH?
IPSec + telnet?
Other?
Any tips, warnings?
Recommended client?

Thanks
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[xlee]

You can use SSH. I've never used it before.

I've configured a static mapping to a device such as a switch or router on the inside. Then telnet to switch or router and from there, telnet into the PIX inside.

For security, on my access-list or conduit statements, I only permit a specific subnet or IP address. Also, on the PIX, I only allow telnet from that specific router or switch.

 

[berford]

If you don't want the management traffic to go through a VPN tunnel you will need to use SSH. The PIX implementation is v1.5. Make sure your implementation can do v1 and has patches for v1.5. Look at the TeraTerm and (I think) Van Dyke products. Some new SSH products just assume everyone moved to v2.0 (but you can find v1.0 compatibility buried in their menus.).

You probably will need to do a IPsec VPN tunnel. For remote management that is the only sensible way of getting logs back to a central server.

If you didn't need CLI access, PDM would work via SSL.

Another method is via the console port and a modem. It's tricky because the console port needs a specially pinned cable to talk to a modem (routers solve this with an Aux port so check how that is pinned and work backward.).

Liberty for All,

Brian