PIX Syslog over VPN

Discussion in 'Cisco' started by Vlad Z, Nov 2, 2005.

  1. Vlad Z

    Vlad Z Guest

    Hello everybody,
    I've run into problems setting up syslog logging on a remote PIX-501.
    Here's the scoop - 192.168.20.0 is the Head office network,
    192.168.28.0 is connected via an IPSEC VPN. There's a UNIX box in the
    Head Office at 192.168.20.2. Workstations in the remote branch have no
    problems connecting to it and I can ping them across VPN from the UNIX
    box. However, I'm unable to reach the internal interface of the remote
    PIX at 192.168.28.1. Likewise, I cannot ping the UNIX box from
    192.168.28.1 and get the error "110001: No route to 192.168.20.2 from
    192.168.28.1".
    What am I missing here?


    The PIX configuration:
    =========================headoffice================================
    PIX Version 6.3(4)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 142.XXX.XXX.46 vpn-south
    name 142.YYY.YYY.241 vpn-west
    access-list outside_access_in permit ip host vpn-south any log
    access-list outside_access_in permit ip host vpn-west any log
    access-list outside_access_in deny tcp any any log 5
    access-list 102 permit ip 192.168.20.0 255.255.255.0 192.168.27.0 255.255.255.0
    access-list 102 permit ip 192.168.20.0 255.255.255.0 192.168.28.0 255.255.255.0
    access-list 102 permit ip any 192.168.20.240 255.255.255.240
    access-list 102 permit ip 192.168.20.0 255.255.255.0 host vpn-west
    access-list 102 permit ip 192.168.20.0 255.255.255.0 host vpn-south
    access-list outside_cryptomap_20 permit ip 192.168.20.0 255.255.255.0 192.168.27.0 255.255.255.0
    access-list outside_cryptomap_40 permit ip 192.168.20.0 255.255.255.0 192.168.28.0 255.255.255.0
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 209.ZZZ.ZZZ.14 255.255.255.0
    ip address inside 192.168.20.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 102
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface ssh 192.168.20.2 ssh netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 209.ZZZ.ZZZ.1 1
    timeout xlate 4:00:00
    timeout conn 0:00:00 half-closed 0:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set transformset1 esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer vpn-south
    crypto map outside_map 20 set transform-set transformset1
    crypto map outside_map 40 ipsec-isakmp
    crypto map outside_map 40 match address outside_cryptomap_40
    crypto map outside_map 40 set peer vpn-west
    crypto map outside_map 40 set transform-set transformset1
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address vpn-south netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address vpn-west netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 1000
    isakmp policy 21 authentication pre-share
    isakmp policy 21 encryption des
    isakmp policy 21 hash md5
    isakmp policy 21 group 2
    isakmp policy 21 lifetime 86400
    : end
    ===============================remote====================
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname vpn-west
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.20.0 Headoffice
    name 209.ZZZ.ZZZ.14 HO-Internet
    access-list outside_access_in permit ip host HO-Internet any
    access-list outside_access_in deny ip any any log
    access-list inside_outbound_nat0_acl permit ip 192.168.28.0 255.255.255.0 Headoffice 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.28.0 255.255.255.0 host HO-Internet
    access-list outside_cryptomap_20 permit ip 192.168.28.0 255.255.255.0 Headoffice 255.255.255.0
    access-list inside_access_in permit ip 192.168.28.0 255.255.255.0 Headoffice 255.255.255.0
    access-list inside_access_in remark Disallow all communication with the Internet
    access-list inside_access_in deny ip any any log
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.28.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 0:05:00
    timeout conn 0:00:00 half-closed 0:00:00 udp 0:00:00 rpc 0:00:00 h225 0:00:00
    timeout h323 0:00:00 mgcp 0:00:00 sip 0:00:00 sip_media 0:00:00
    timeout uauth 0:00:00 absolute
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer HO-Internet
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address HO-Internet netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    : end
     
    Vlad Z, Nov 2, 2005
    #1

  2. "Vlad Z" <> wrote in message
    news:...
    > Hello everybody,
    > I've run into problems setting up a syslog logging on a remote PIX-501.
    > Here's the scoop - 192.168.20.0 is the Head office network,
    > 192.168.28.0 is connected via an IPSEC VPN. There's a UNIX box in the
    > Head Office at 192.168.20.2. Workstations in the remote branch have no
    > problems connecting to it and I can ping them across VPN from the UNIX
    > box. However, I'm unable to reach the internal interface of the remote
    > PIX at 192.168.28.1. Likewise, I can not ping the UNIX box from
    > 192.168.28.1 and get the error "110001: No route to 192.168.20.2 from
    > 192.168.28.1".
    > What am I missing here?


    You are missing the command: management-access inside
    then "ping inside remote.syslog.i.p"
    and set the logging host to be inside as well


     
    Martin Bilgrav, Nov 2, 2005
    #2
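Martin's three-line answer above is the fix. The fragment below is an added example written for this page (not the poster's configuration and not Cisco's documentation) that turns it into a complete syslog-over-VPN setup for the remote PIX 6.3, plus the checks that confirm the messages are really leaving through the tunnel. Assumptions: the trap level, and that the UNIX box 192.168.20.2 also serves NTP. One caveat the thread does not raise: both configs negotiate single DES with MD5, and the head-office PIX still offers DH group 1 in policy 1, so the syslog stream is only as confidential as DES. PIX 6.3 accepts esp-3des and esp-aes transform sets once the strong-encryption licence is installed, and the change is one transform-set line on each peer.

```cisco
: Remote PIX "vpn-west", PIX 6.3(4). Added example for this thread, not the
: poster's configuration. Assumptions: trap level "informational", and that
: 192.168.20.2 receives syslog on udp/514 and also serves NTP.
:
: The PIX's own inside address 192.168.28.1 is already covered by
: outside_cryptomap_20 and inside_outbound_nat0_acl (192.168.28.0/24 to
: 192.168.20.0/24), so the tunnel definition does not change. What is
: missing is permission for the PIX to use its inside address for
: management traffic whose route points out of the outside interface;
: without it the PIX reports "110001: No route to 192.168.20.2 from
: 192.168.28.1" and nothing is ever sourced into the tunnel.
management-access inside
:
: Source syslog from the inside interface. The interface keyword on
: "logging host" selects the source address (192.168.28.1), which is what
: makes the datagrams match the crypto ACL and get encrypted.
logging on
logging timestamp
logging trap informational
logging host inside 192.168.20.2
:
: Optional but worth doing: the excerpt later in this thread shows the
: head-office PIX stamping messages about five minutes ahead of the syslog
: host. Put both PIXes on the same NTP source so events correlate.
ntp server 192.168.20.2 source inside
:
: Verification, from enable mode on vpn-west:
:   ping inside 192.168.20.2      (sourced from 192.168.28.1, via the tunnel)
:   show crypto ipsec sa          (pkts encaps/decaps should rise as syslog flows)
:   show logging                  (confirms host, level and that logging is on)
: On the UNIX box, tail the syslog file for lines tagged "%PIX-".
```

Without management-access inside, "logging host inside" is accepted by the parser but can never deliver a message to a destination that is routed via outside; the ping test is the quickest way to tell the two situations apart because it fails with the same 110001 message the original post quotes.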

  3. mcaissie

    mcaissie Guest

    > What am I missing here?

    try adding the command

    management-access inside
     
    mcaissie, Nov 2, 2005
    #3
  4. Vlad Z

    Vlad Z Guest

    Martin,
    thanks a lot for your help, it worked.
    --
    Vlad Z
     
    Vlad Z, Nov 2, 2005
    #4
  5. Vlad Z

    Vlad Z Guest

    Now, there's another problem. I've allowed ssh connections to PIX-WEST
    from Head Office by
    ssh 192.168.20.0 255.255.255.0 outside
    but cannot connect.
    Now that my syslog works I can see that the access was blocked by an
    ACL, but which ACL is it?

    Nov 2 11:21:43 ho-pix Nov 02 2005 11:26:26 PIX-HEADOFFICE : %PIX-6-302013: Built outbound TCP connection 981 for outside:192.168.28.1/22 (192.168.28.1/22) to inside:192.168.20.2/36924 (192.168.20.2/36924)
    Nov 2 11:21:43 ho-pix Nov 02 2005 11:26:26 PIX-HEADOFFICE : %PIX-6-302014: Teardown TCP connection 981 for outside:192.168.28.1/22 to inside:192.168.20.2/36924 duration 0:00:00 bytes 0 TCP Reset-O
    Nov 2 11:21:43 west-router Nov 02 2005 11:22:03 PIX-WEST : %PIX-3-710003: TCP access denied by ACL from 192.168.20.2/36924 to inside:192.168.28.1/ssh
     
    Vlad Z, Nov 2, 2005
    #5
  6. "Vlad Z" <> wrote in message
    news:...
    > Now, there's another problem. I've allowed ssh connections to PIX-WEST
    > from Head Office by
    > ssh 192.168.20.0 255.255.255.0 outside
    > but can not connect.
    > Now when my syslog works I can see that the access was blocked by an
    > ACL, but which ACL is it?
    >

    Not a real ACL, like the access-list command, but the "ACL" for SSH ... 8)
    e.g.:
    ssh 1.2.3.4 255.255.255.255 outside
    and remember, if you use management-access inside, that you need the inside
    instead of outside.


     
    Martin Bilgrav, Nov 2, 2005
    #6
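The two log excerpts in post #5 read consistently once the cause is known: the head-office PIX sees the session torn down after 0 bytes with "TCP Reset-O", a reset arriving from its outside (tunnel) side, and vpn-west explains why with 710003, a deny on its SSH allow-list for a connection to inside:192.168.28.1. The fragment below is an added example written for this page (not the poster's configuration and not Cisco's documentation) showing the SSH setup on vpn-west with the allow-list bound to the inside interface, as Martin describes. Assumptions: the domain name and the key size; the hostname is the one in the posted config.

```cisco
: Remote PIX "vpn-west", PIX 6.3(4). Added example for this thread, not the
: poster's configuration. Assumptions: domain-name and RSA key size.
:
: The ssh allow-list entry names the interface whose address the client
: connects to. With management-access inside, head-office hosts reach the
: PIX at its inside address 192.168.28.1 through the tunnel, so the entry
: must say "inside" even though the ESP packets physically arrive on
: outside. An "outside" entry does not match such a session and the PIX
: logs "%PIX-3-710003: TCP access denied by ACL ... to inside:192.168.28.1/ssh".
management-access inside
hostname vpn-west
domain-name example.net
:
: SSH needs an RSA host key; generate it once and write it to flash.
ca generate rsa key 1024
ca save all
:
: Least privilege: drop the ineffective "outside" entry, permit only the
: head-office LAN, and keep idle sessions short.
no ssh 192.168.20.0 255.255.255.0 outside
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 10
:
: Verification:
:   ssh -l pix 192.168.28.1       (from 192.168.20.2; on PIX 6.x without AAA
:                                  the user is "pix" and the password is the
:                                  one set with "passwd")
:   show ssh sessions             (on the PIX, lists the client and state)
```

Keep the allow-list as narrow as the page shows (one /24); the entry is evaluated before authentication, so it is the only thing standing between the tunnel and a password prompt on the firewall.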
  7. Vlad Z

    Vlad Z Guest

    Yes, it worked again, thanks Martin!
     
    Vlad Z, Nov 2, 2005
    #7
