Cannot SSH to pix 501 outside interface while using EasyVPN in network-extension-mode

Discussion in 'Cisco' started by Squigs, Aug 23, 2004.

  1. Squigs

    Squigs Guest

    I have several PIX 501s connected to a 3005 concentrator, set up with
    the following config. I cannot get management access to the outside
    interface using SSH or HTTPS. I am trying to access it from my home
    cable modem; I can successfully SSH to the router that is in front of
    the PIX. All Internet traffic from behind the PIX 501 needs to continue
    to go through the VPN tunnel for filtering. Everything currently
    works the way I need it to, but I cannot manage the outside interface.
    Any help would be appreciated.

    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname fw-PIX501
    clock timezone est -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    pager lines 24
    logging on
    logging trap debugging
    logging host inside 192.168.20.2
    mtu outside 1500
    mtu inside 1500
    ip address outside "PUBLICADDRESS" 255.255.255.255
    ip address inside 192.168.20.1 255.255.255.0
    ip audit name ids_outside_attack attack action alarm
    ip audit name ids_outside_info info action alarm
    ip audit interface outside ids_outside_info
    ip audit interface outside ids_outside_attack
    ip audit info action alarm drop reset
    ip audit attack action alarm reset
    ip audit signature 1000 disable
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    ip audit signature 2002 disable
    ip audit signature 2003 disable
    ip audit signature 2004 disable
    ip audit signature 2005 disable
    ip audit signature 2006 disable
    ip audit signature 2007 disable
    ip audit signature 2150 disable
    pdm location 192.168.20.2 255.255.255.255 inside
    pdm location "cablemodemIP" 255.255.255.240 outside
    pdm logging debugging 512
    pdm history enable
    arp timeout 14400
    route outside 0.0.0.0 0.0.0.0 Public IP 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server 192.5.41.209 source outside prefer
    http server enable
    http "MY PUBLIC IP" 255.255.255.240 outside
    http 192.168.20.0 255.255.255.0 inside
    floodguard enable
    telnet 192.168.20.0 255.255.255.0 inside
    telnet timeout 5
    ssh "MY PUBLIC IP" 255.255.255.240 outside
    ssh 192.168.20.0 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpnclient server "Concentrator PUBLIC IP"
    vpnclient mode network-extension-mode
    vpnclient vpngroup ****** password *******
    vpnclient username ****** password *******
    vpnclient enable


    HERE IS THE ACCESS-LIST

    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
    alert-interval 300
    access-list _vpnc_acl; 3 elements
    access-list _vpnc_acl line 1 permit ip 192.168.20.0 255.255.255.0 any
    access-list _vpnc_acl line 2 permit ip host "pixpublicip" any
    access-list _vpnc_acl line 3 permit ip host "PIXPUBLICIP" host "Concentrator IP"
     
    Squigs, Aug 23, 2004
    #1

  2. Rik Bain

    Rik Bain Guest

    On Mon, 23 Aug 2004 16:02:51 -0500, Squigs wrote:

    > I have several pix 501's connected to a 3005 concentrator, setup with
    > the following config. I cannot get management access to the outside
    > interface using SSH or HTTPS. I am trying to access from my home cable
    > modem, I can successfully SSH the router that is in front of the PIX.
    > All Internet traffic from behind the pix 501 needs to continue to go
    > through the VPN tunnel for filtering. Everything currently works the
    > way I need it to, I cannot manage the outside interface. Any help would
    > be appreciated.

    If you are not doing split tunneling, then it will not be possible
    (doesn't look like you are). Check the group config on the concentrator
    to enable it.

    Rik
     
    Rik Bain, Aug 24, 2004
    #2

  3. Martin Bilgrav

    Martin Bilgrav Guest

    "Squigs" <> wrote in message
    news:...
    > I have several pix 501's connected to a 3005 concentrator, setup with
    > the following config. I cannot get management access to the outside
    > interface using SSH or HTTPS. I am trying to access from my home
    > cable modem, I can successfully SSH the router that is in front of the
    > PIX. All Internet traffic from behind the pix 501 needs to continue
    > to go through the VPN tunnel for filtering. Everything currently
    > works the way I need it to, I cannot manage the outside interface.
    > Any help would be appreciated.


    > management-access inside



    Since you already have this, just point to the inside IP instead.
    That way it is all secured in the tunnel as well.

    Just point the services to inside:
    http someIP 255.255.255.0 inside
    ssh someIP 255.255.255.0 inside
    pdm location someIP 255.255.255.255 inside

    Also you can do this with AAA, syslog, telnet etc.

    HTH
    Martin Bilgrav
     
    Martin Bilgrav, Aug 24, 2004
    #3
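Added example, not code from the thread or from Cisco: a small Python checker that models the two answers above. It parses a constructed PIX 6.x fragment shaped like the original post (RFC 5737 documentation addresses stand in for the masked public IPs; the HQ 10.0.0.0/8 range and the admin host 10.1.1.5 are assumptions) and asks, for each `ssh`/`http` rule on the outside interface, whether the PIX's reply to the admin would match the concentrator-pushed `_vpnc_acl` and therefore be sent into the tunnel (Rik's point), and whether the same box can instead be managed on its inside address across the tunnel with `management-access inside` (Martin's point).

```python
import ipaddress

# Constructed PIX 6.x config fragment modelled on the thread's PIX 501. RFC 5737
# addresses stand in for the masked "PUBLICADDRESS", "MY PUBLIC IP", "Concentrator IP".
PIX_OUTSIDE, CONCENTRATOR = "203.0.113.10", "198.51.100.5"
ADMIN = "192.0.2.64 255.255.255.240"   # admin's cable-modem /28 (constructed)

TUNNEL_EVERYTHING = f"""
ip address outside {PIX_OUTSIDE} 255.255.255.255
ip address inside 192.168.20.1 255.255.255.0
http {ADMIN} outside
ssh {ADMIN} outside
management-access inside
access-list _vpnc_acl line 1 permit ip 192.168.20.0 255.255.255.0 any
access-list _vpnc_acl line 2 permit ip host {PIX_OUTSIDE} any
access-list _vpnc_acl line 3 permit ip host {PIX_OUTSIDE} host {CONCENTRATOR}
"""
# Assumed shape of the ACL the concentrator pushes once split tunneling is
# enabled for the group: only HQ networks (assumed 10.0.0.0/8) are tunneled.
SPLIT_TUNNEL = TUNNEL_EVERYTHING.split("access-list")[0] + f"""\
access-list _vpnc_acl line 1 permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list _vpnc_acl line 2 permit ip host {PIX_OUTSIDE} host {CONCENTRATOR}
"""

def _net(t, i):
    """Parse a PIX address spec at t[i] (any | host A | A MASK) -> (net, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    n = ipaddress.ip_network(t[i + 1] if t[i] == "host" else f"{t[i]}/{t[i + 1]}")
    return n, i + 2

def parse(config):
    """Return (outside addr, inside addr, outside ssh/http rules, pushed vpnc ACL)."""
    addrs, mgmt, acl = {}, [], []
    for line in config.strip().splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"]:
            addrs[t[2]] = ipaddress.ip_address(t[3])
        elif t[0] in ("ssh", "http") and len(t) == 4 and t[3] == "outside":
            mgmt.append((t[0], ipaddress.ip_network(f"{t[1]}/{t[2]}")))
        elif t[:2] == ["access-list", "_vpnc_acl"] and "permit" in t:
            src, i = _net(t, t.index("permit") + 2)   # skip 'permit ip'
            acl.append((src, _net(t, i)[0]))
    return addrs["outside"], addrs["inside"], mgmt, acl

def tunneled(acl, src, dst):
    """The EasyVPN client pushes a packet into the tunnel if any ACE matches it."""
    return any(src in s and dst in d for s, d in acl)

def outside_mgmt_replies_tunneled(config):
    """Per outside ssh/http rule: would the PIX's reply to the admin be tunneled?"""
    outside, _, mgmt, acl = parse(config)
    return {svc: tunneled(acl, outside, next(net.hosts())) for svc, net in mgmt}

def inside_mgmt_via_tunnel(config, hq_admin="10.1.1.5"):
    """Martin's alternative: reach the inside address from an HQ host over the tunnel."""
    _, inside, _, acl = parse(config)
    return "management-access inside" in config and tunneled(acl, inside, ipaddress.ip_address(hq_admin))
```

With the tunnel-everything ACL, line 2 (`permit ip host <pix> any`) catches the PIX's own replies to the cable-modem range, which is why the outside SSH/HTTPS sessions never complete; the split-tunnel ACL does not, and in both cases the inside address stays reachable from HQ.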
  4. Squigs

    Squigs Guest

    Thanks for the feedback. I need to have all traffic (including
    Internet) go through the VPN tunnel because I have web filtering at
    headquarters (compliance reasons). I must have "tunnel everything"
    checked on the concentrator. I have found myself in the situation
    where a config was made on a PIX 501 (while onsite) that was not
    written to memory (totally my fault). The power went out a couple of
    weeks later, and the 501 rebooted to the original config. Then I spent
    the next day driving for 8 hours. Is there another way to divert all
    Internet traffic through the VPN tunnel without having "tunnel
    everything" checked?
     
    Squigs, Aug 24, 2004
    #4