
Adsl router and pix firewall

18 years 10 months ago #10917 by georgejason
Guys,
please forgive me if this question has already been asked; if so, please point me to the answer.

OK, here goes:

(Internet)
|
|
(Adsl router)
|
|
|
(PIX 515)


Alright, now the story: I have a 1MB connection to the internet, and as you can see it's an ADSL connection.
On the outside interface of the ADSL router I have the public IP address.

The inside interface of the ADSL router and the outside interface of the PIX are in the same subnet and have local IPs.

Now I want to SSH into my PIX from my home computer.

Is it possible?

The ADSL router has a port forward option in which I tried to forward the SSH port and point it to the PIX,
but it doesn't work.

Moreover, I have a dynamic address.
Now the second question:

If I have the same scenario, that is, with a dynamic IP in two places, is there an option where I can have an IPsec VPN tunnel?
Thank you,

George

Begin at the beginning and end at the end.
18 years 10 months ago #10918 by DaLight
First of all, welcome to firewall.cx.

I'll answer your questions as far as I'm able to.

Just to clarify things:
1. The setup you have laid out above is not your home setup.
2. Your home computer will be coming in from the internet side of the above setup.
3. Also, the public IP on the external interface of the ADSL router is a static IP.
4. Your home connection uses a dynamic IP.

If all the above are correct, you will need to do the following:

1. Forward port 22 (or whatever port you use for SSH) on your ADSL router. (I note that you've done this.)
2. This is where we may need some help. Firewalls which support SSH access may not allow it on the public (or any) interface without first setting up some access controls. In addition, some of them may use non-standard port numbers for direct SSH access. Could someone who is more clued up on PIXs please chip in on this point?
3. With regards to your home connection using a dynamic IP, this is only an issue if you are using IP address-based access controls on either your router or firewall. There is really no way round it if either of the devices does not support host-name based access. If they do, you could use www.dyndns.org to automatically update dynamic IP changes.

As for your second question, a dynamic IP from the "client" end of the VPN only matters if IP address-based access is being used on the "target" end of the VPN. The trickier problem is if the "target" end of the VPN has a dynamic IP, as if your VPN client only allows you to enter IP addresses and not host names, you will have to find out the target IP address and type it in each time you want to make a VPN connection.
18 years 10 months ago #10949 by georgejason
Hi,
Thank you for the reply and also for making me feel at home.

As far as your clarifications:

1. Yes, it's not my home connection, it's my office setup.
2. Yes, my home computer will be coming in from the internet side.
3. NOOOO :( - My external IP address on the ADSL router isn't a static address but a dynamic one.
4. Yes, my home connection has a dynamic IP.

In the PIX I have allowed connections for SSH from the whole subnet on which my home internet is connected. I guess that's the only way.

"3. With regards to your home connection using a dynamic IP, this is only an issue if you are using IP address-based access controls on either your router or firewall."

The PIX requires to be told from where the SSH connection would come. So if I want to manage it from my home computer, I have to specify my home computer's IP address on the PIX before leaving for the office. I have got over this temporarily by allowing the whole subnet of my home internet connection.

My second question, of having a VPN between two places with a dynamic IP address: from your reply I gather I can use dynamic DNS and specify the name on both ends, right?

Sometimes my ideas are pretty stupid, but they do work often. Please tell me right to my face if my idea for the dynamic address is stupid :P

WHAT I'VE ALREADY DONE
1) I've forwarded port 22.
2) I've instructed the PIX to allow SSH connections from my home machine. I've even gone to the extent of making a person sit in my office, and he has entered my exact IP address in the SSH config on the PIX.
3) The person sitting in the office gives me the dynamic IP of the ADSL router, which I specify in my SSH client (PuTTY).
4) I am thinking that I've mapped 22 to go to the outside interface of the PIX and hence it should work.

But it still doesn't work. Have I missed something here?

Thanks again

Begin at the beginning and end at the end.
18 years 10 months ago #10955 by DaLight
Thanks for your detailed response, georgejason.

I'm now quite clear on your setup, but I just want to clarify my point on dynamic DNS. I mentioned in my original response that dynamic DNS will only be of use to you if your VPN client and VPN server allow you to specify hostnames instead of IP addresses. I haven't yet seen any that allow hostnames, but that's not to say they don't exist.

With regards to SSH access to your PIX, have you generated an RSA public/private key pair on your PIX? This step is required in addition to setting up a telnet password as well as the access controls you've already set up. Look here for details.
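As an added example (not from the thread or from either poster), here is the PIX-side configuration that the SSH checklist above implies: RSA key pair, telnet password and source access control. It assumes PIX OS 6.3 command syntax; the hostname, domain name, password and the 203.0.113.0/24 "home ISP pool" are constructed placeholders. The broad subnet allowance georgejason used is shown first, then narrowed to a single address.

```cisco
! Added example, not from the thread. Assumes PIX OS 6.3 syntax.
! Placeholders: hostname, domain name, password, and 203.0.113.0/24
! standing in for the home ISP's address pool (constructed).

! 1. RSA key pair: the PIX will not accept SSH until one exists.
!    hostname and domain-name must be set first; they seed the key.
hostname pix515
domain-name example.com
ca generate rsa key 1024
ca save all

! 2. Login password: SSH on the PIX uses the telnet password
!    (factory default is "cisco", so change it).
passwd PLACEHOLDER_STRONG_PASSWORD

! 3. Source access control: the PIX answers SSH only from listed sources
!    on the named interface. Without a matching entry the TCP connection
!    that the ADSL router forwards is simply dropped, which looks like
!    "port forward doesn't work" from outside.

!    Broad workaround from the thread: the whole home ISP pool.
!    Every host in that pool can reach the login prompt, not just yours.
ssh 203.0.113.0 255.255.255.0 outside

!    Tighter: one home address, re-entered whenever the dynamic IP changes.
no ssh 203.0.113.0 255.255.255.0 outside
ssh 203.0.113.45 255.255.255.255 outside
ssh timeout 10

! Verification from the PIX console:
!   show ca mypubkey rsa   -> the key pair exists
!   show ssh sessions      -> live sessions once the forward reaches the PIX
write memory
```

If `show ssh sessions` never shows a session while PuTTY times out, the forwarded connection is not reaching the PIX outside interface at all, which points at the router's port-forward rule rather than the PIX.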
18 years 10 months ago #10958 by georgejason
Hiiiii DaLight

I really appreciate your quick response. The PIX firewall does allow me to specify a hostname instead of the IP address. Now the question is, how do I enable dynamic DNS on an interface of my PIX firewall? Is it possible, or am I understanding things wrong?

Thanks once again
George

Begin at the beginning and end at the end.
18 years 10 months ago #10959 by DaLight
"The PIX firewall does allow me to specify a hostname instead of the IP address."
This means that you will be able to put in a hostname that represents your home computer. In that case you will need to run a dynamic DNS client on your home computer which will keep its hostname updated with the latest IP address. You can use DynDNS, ZoneEdit or No-IP for dynamic DNS services.

That sorts out the problem with a dynamic IP address for your home computer. To sort out the reverse problem (i.e. a dynamic IP address for your work setup), you will need to set up an updating dynamic DNS client at the work end. The best place to do it is in your ADSL router, as most ADSL routers now have built-in dynamic DNS clients for the popular services like DynDNS.com. You could also do this on your home setup as well, if your home ADSL router has this functionality.