Cannot SSH to pix 501 outside interface while using EasyVPN in network-extension-mode

Discussion in 'Cisco' started by Squigs, Aug 23, 2004.

  1. Squigs

    Squigs Guest

    I have several pix 501's connected to a 3005 concentrator, setup with
    the following config. I cannot get management access to the outside
    interface using SSH or HTTPS. I am trying to access from my home
    cable modem, I can successfully SSH the router that is in front of the
    PIX. All Internet traffic from behind the pix 501 needs to continue
    to go through the VPN tunnel for filtering. Everything currently
    works the way I need it to, I cannot manage the outside interface.
    Any help would be appreciated.

    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname fw-PIX501
    clock timezone est -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    pager lines 24
    logging on
    logging trap debugging
    logging host inside 192.168.20.2
    mtu outside 1500
    mtu inside 1500
    ip address outside "PUBLICADDRESS" 255.255.255.255
    ip address inside 192.168.20.1 255.255.255.0
    ip audit name ids_outside_attack attack action alarm
    ip audit name ids_outside_info info action alarm
    ip audit interface outside ids_outside_info
    ip audit interface outside ids_outside_attack
    ip audit info action alarm drop reset
    ip audit attack action alarm reset
    ip audit signature 1000 disable
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    ip audit signature 2002 disable
    ip audit signature 2003 disable
    ip audit signature 2004 disable
    ip audit signature 2005 disable
    ip audit signature 2006 disable
    ip audit signature 2007 disable
    ip audit signature 2150 disable
    pdm location 192.168.20.2 255.255.255.255 inside
    pdm location "cablemodemIP" 255.255.255.240 outside
    pdm logging debugging 512
    pdm history enable
    arp timeout 14400
    route outside 0.0.0.0 0.0.0.0 Public IP 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server 192.5.41.209 source outside prefer
    http server enable
    http "MY PUBLIC IP" 255.255.255.240 outside
    http 192.168.20.0 255.255.255.0 inside
    floodguard enable
    telnet 192.168.20.0 255.255.255.0 inside
    telnet timeout 5
    ssh "MY PUBLIC IP" 255.255.255.240 outside
    ssh 192.168.20.0 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpnclient server "Concentrator PUBLIC IP"
    vpnclient mode network-extension-mode
    vpnclient vpngroup ****** password *******
    vpnclient username ****** password *******
    vpnclient enable


    HERE IS THE ACCESS-LIST

    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max
    256)
    alert-interval 300
    access-list _vpnc_acl; 3 elements
    access-list _vpnc_acl line 1 permit ip 192.168.20.0 255.255.255.0 any
    access-list _vpnc_acl line 2 permit ip host "pixpublicip" any
    access-list _vpnc_acl line 3 permit ip host "PIXPUBLICIP" host
    "Concentrator IP"
     
    Squigs, Aug 23, 2004
    #1
    1. Advertisements

  2. Squigs

    Rik Bain Guest


    If you are not doing split tunneling, then it will not be possible
    (doesn't look like you are). Check the group config on the concentrator
    to enable it.

    Rik
     
    Rik Bain, Aug 24, 2004
    #2
    1. Advertisements


  3. since you allready have this, just point to the inside IP, instead.
    That way it is all secured in the tunnel aswell.

    Just point the services to inside:
    http someIP 255.255.255.0 inside
    ssh someIP 255.255.255.0 inside
    pdm location someIP 255.255.255.255 inside

    Also you can do this with AAA, syslog, telnet etc.

    HTH
    Martin Bilgrav
     
    Martin Bilgrav, Aug 24, 2004
    #3
  4. Squigs

    Squigs Guest

    Thanks for the feedback. I need to have all traffic (including
    internet) to go through the VPN tunnel because I have web filtering at
    Headquarters (compliance reasons). I must have "tunnel everything"
    checked on the concentrator. I have found myself in the situtuation
    where a config was made on a pix 501 (while onsite) that was not
    written to memory (totally my fault). The power went out a couple
    weeks late, the 501 reboots to the original config. Then I spend the
    next day driving for 8 hours. Is there another way to divert all
    Internet traffic throught the VPN tunnel without having the "tunnel
    everything" checked?
     
    Squigs, Aug 24, 2004
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.