PIX 515: ping works, ssh doesn't

Discussion in 'Cisco' started by slackware8, Jun 15, 2007.

  1. slackware8
    Hi

    I have a problem with a PIX 515, and I hope you can help me!

    Ping from outside to a machine inside the DMZ is working, but trying to ssh to it doesn't work!!

    I hope you can find it in this config.


    **********



    PIX Version 7.0(4)
    !
    hostname PIX
    enable password xxxxxxx.xMpQ encrypted
    names
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address xx.xx.xx.126 255.255.255.240
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.7.140.1 255.255.255.0
    !
    interface Ethernet2
    nameif dmz
    security-level 50
    ip address 10.7.141.1 255.255.255.0
    !
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet5
    shutdown
    no nameif
    no security-level
    no ip address
    !
    passwd xxxxx encrypted
    ftp mode passive
    clock timezone 1 1

    access-list outside-acl extended permit icmp any any
    access-list outside-acl extended permit gre any any
    access-list outside-acl extended permit tcp any eq pptp any
    access-list outside-acl extended permit tcp any any eq pptp
    access-list outside-acl extended permit tcp any host xx.xx.xx.126 eq www
    access-list outside-acl extended permit tcp any host xx.xx.xx.126 eq ftp
    access-list outside-acl extended permit tcp any host xx.xx.xx.126 eq ssh

    access-list vpn_abax extended permit ip 10.7.140.0 255.255.255.0 10.7.0.0 255.255.128.0
    access-list vpn_abax extended permit ip 10.7.141.0 255.255.255.0 10.7.0.0 255.255.128.0
    access-list dmz-acl extended permit icmp any any
    access-list dmz-acl extended permit ip 10.7.141.0 255.255.255.0 any
    access-list dmz-acl extended permit ip host 10.7.141.250 host 10.7.141.250
    access-list dmz-acl extended deny ip 10.7.141.0 255.255.255.0 10.0.0.0 255.0.0.0

    access-list outside_access_in extended permit tcp any any eq pptp
    access-list outside_access_in extended permit gre any any
    access-list outside_access_in extended permit gre any host xx.xx.xx.126
    access-list outside_access_in extended permit gre any host xx.xx.xx.127
    access-list 101 extended permit tcp any host xx.xx.xx.126
    access-list 101 extended permit gre any host xx.xx.xx.126
    access-list nonat extended permit ip 10.7.140.0 255.255.255.0 10.7.0.0 255.255.128.0
    access-list nonat extended permit ip 10.7.141.0 255.255.255.0 10.7.0.0 255.255.128.0

    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 10000
    logging console emergencies
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip local pool vpnclient 10.7.140.101-10.7.140.120
    ip audit info action alarm reset
    ip audit attack action alarm reset
    no failover
    no asdm history enable
    arp timeout 14400


    global (outside) 1 xx.xx.xx.127
    global (dmz) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 10.7.140.0 255.255.255.0
    nat (dmz) 0 access-list nonat
    nat (dmz) 1 10.7.141.0 255.255.255.0
    static (dmz,outside) 10.7.141.250 xx.xx.xx.126 netmask 255.255.255.255
    access-group dmz-acl in interface dmz

    route outside 0.0.0.0 0.0.0.0 xx.xx.xx.126 1

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy tsg internal
    group-policy tsg attributes
    vpn-idle-timeout 30

    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart

    isakmp identity address
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 5
    isakmp policy 10 lifetime 86400
    isakmp policy 50 authentication pre-share
    isakmp policy 50 encryption 3des
    isakmp policy 50 hash sha
    isakmp policy 50 group 2
    isakmp policy 50 lifetime 86400
    tunnel-group tsg type ipsec-ra
    tunnel-group tsg general-attributes
    address-pool vpnclient
    default-group-policy tsg
    tunnel-group tsg ipsec-attributes
    pre-shared-key *


    telnet 10.7.140.0 255.255.255.0 inside
    telnet 10.7.0.0 255.255.128.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 10.7.140.20-10.7.140.100 inside
    dhcpd address 10.7.141.100-10.7.141.150 dmz
    dhcpd dns xx.xx.xx.xx xx.xx.xx.xx
    dhcpd lease 5000
    dhcpd ping_timeout 750
    dhcpd enable inside
    dhcpd enable dmz
    !
    class-map class_ftp
    match port tcp eq ssh
    class-map inspection_default
    match default-inspection-traffic
    class-map pptp-port
    match port tcp eq pptp
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 1024
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
    inspect pptp
    class class_ftp
    inspect ftp
    policy-map pptp_policy
    class pptp-port
    inspect pptp
    !
    service-policy global_policy global
    service-policy pptp_policy interface outside
    ntp server xx.xx.xx.xx

    Cryptochecksum:sadasfdafxxxxxx20455
    : end
    [OK]
    PIX(config)#


    **************
    Many thanks
    slackware8, Jun 15, 2007
    #1
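Two things stand out when reading the posted config as text: outside-acl permits tcp to host xx.xx.xx.126 eq ssh, but the only access-group line binds dmz-acl to the dmz interface, and the static's global address xx.xx.xx.126 is the outside interface's own address. The script below is an added example, not from this thread; it parses a constructed excerpt of that config (addresses copied as posted, with the xx.xx masking kept) and reports ACLs that nothing references, the service permits inside them, and statics whose global address is an interface IP.

```python
import re

# Constructed excerpt of the thread's PIX config (addresses as posted, xx.xx masked).
SAMPLE_CONFIG = """\
interface Ethernet0
nameif outside
ip address xx.xx.xx.126 255.255.255.240
interface Ethernet2
nameif dmz
ip address 10.7.141.1 255.255.255.0
access-list outside-acl extended permit icmp any any
access-list outside-acl extended permit tcp any host xx.xx.xx.126 eq ssh
access-list dmz-acl extended permit icmp any any
access-list nonat extended permit ip 10.7.141.0 255.255.255.0 10.7.0.0 255.255.128.0
nat (dmz) 0 access-list nonat
static (dmz,outside) 10.7.141.250 xx.xx.xx.126 netmask 255.255.255.255
access-group dmz-acl in interface dmz
"""


def audit(config):
    """Parse PIX 7.x-style config text and return sanity-check findings."""
    acls, used, iface_ips, statics = {}, {}, {}, []
    cur_if = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"access-list (\S+) extended (.*)", line):
            acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            used[m[1]] = "access-group " + m[2]
        elif m := re.match(r"nat \(\S+\) \d+ access-list (\S+)", line):
            used[m[1]] = "nat exemption"
        elif re.match(r"interface \S+", line):
            cur_if = None                      # start of a new interface block
        elif m := re.match(r"nameif (\S+)", line):
            cur_if = m[1]
        elif (m := re.match(r"ip address (\S+) ", line)) and cur_if:
            iface_ips[cur_if] = m[1]
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line):
            statics.append((m[1], m[2], m[3], m[4]))
    unbound = sorted(a for a in acls if a not in used)
    # permits for a named service in an ACL nothing references: they allow nothing
    dead_permits = [(a, ace) for a in unbound for ace in acls[a] if " eq " in ace]
    # statics whose global address is the mapped-to interface's own address
    on_iface = [s for s in statics if iface_ips.get(s[1]) == s[3]]
    return {"unbound_acls": unbound, "dead_permits": dead_permits,
            "static_on_interface_ip": on_iface}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```

Run it against a full `show running-config` dump to get the same three lists for the whole box; an ACL listed under unbound_acls is never consulted by the PIX, whatever it permits.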

  2. slackware8

    slackware8

    Joined:
    Jun 15, 2007
    Messages:
    2
    Any help please?
    slackware8, Jun 16, 2007
    #2