Cannot SSH to pix 501 outside interface while using EasyVPN in network-extension-mode

I have several pix 501's connected to a 3005 concentrator, setup with
the following config. I cannot get management access to the outside
interface using SSH or HTTPS. I am trying to access from my home
cable modem, I can successfully SSH the router that is in front of the
PIX. All Internet traffic from behind the pix 501 needs to continue
to go through the VPN tunnel for filtering. Everything currently
works the way I need it to, I cannot manage the outside interface.
Any help would be appreciated.

interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname fw-PIX501
clock timezone est -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.20.2
mtu outside 1500
mtu inside 1500
ip address outside "PUBLICADDRESS" 255.255.255.255
ip address inside 192.168.20.1 255.255.255.0
ip audit name ids_outside_attack attack action alarm
ip audit name ids_outside_info info action alarm
ip audit interface outside ids_outside_info
ip audit interface outside ids_outside_attack
ip audit info action alarm drop reset
ip audit attack action alarm reset
ip audit signature 1000 disable
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2003 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2006 disable
ip audit signature 2007 disable
ip audit signature 2150 disable
pdm location 192.168.20.2 255.255.255.255 inside
pdm location "cablemodemIP" 255.255.255.240 outside
pdm logging debugging 512
pdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 Public IP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.5.41.209 source outside prefer
http server enable
http "MY PUBLIC IP" 255.255.255.240 outside
http 192.168.20.0 255.255.255.0 inside
floodguard enable
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 5
ssh "MY PUBLIC IP" 255.255.255.240 outside
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpnclient server "Concentrator PUBLIC IP"
vpnclient mode network-extension-mode
vpnclient vpngroup ****** password *******
vpnclient username ****** password *******
vpnclient enable


HERE IS THE ACCESS-LIST

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max
256)
alert-interval 300
access-list _vpnc_acl; 3 elements
access-list _vpnc_acl line 1 permit ip 192.168.20.0 255.255.255.0 any
access-list _vpnc_acl line 2 permit ip host "pixpublicip" any
access-list _vpnc_acl line 3 permit ip host "PIXPUBLICIP" host
"Concentrator IP"

 

On Mon, 23 Aug 2004 16:02:51 -0500, Squigs wrote:

> I have several pix 501's connected to a 3005 concentrator, setup with
> the following config. I cannot get management access to the outside
> interface using SSH or HTTPS. I am trying to access from my home cable
> modem, I can successfully SSH the router that is in front of the PIX.
> All Internet traffic from behind the pix 501 needs to continue to go
> through the VPN tunnel for filtering. Everything currently works the
> way I need it to, I cannot manage the outside interface. Any help would
> be appreciated.
>
> interface ethernet0 10baset
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> hostname fw-PIX501
> clock timezone est -5
> clock summer-time EDT recurring
> fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup
> protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> pager lines 24
> logging on
> logging trap debugging
> logging host inside 192.168.20.2
> mtu outside 1500
> mtu inside 1500
> ip address outside "PUBLICADDRESS" 255.255.255.255 ip address inside
> 192.168.20.1 255.255.255.0 ip audit name ids_outside_attack attack
> action alarm ip audit name ids_outside_info info action alarm ip audit
> interface outside ids_outside_info ip audit interface outside
> ids_outside_attack ip audit info action alarm drop reset ip audit attack
> action alarm reset
> ip audit signature 1000 disable
> ip audit signature 2000 disable
> ip audit signature 2001 disable
> ip audit signature 2002 disable
> ip audit signature 2003 disable
> ip audit signature 2004 disable
> ip audit signature 2005 disable
> ip audit signature 2006 disable
> ip audit signature 2007 disable
> ip audit signature 2150 disable
> pdm location 192.168.20.2 255.255.255.255 inside pdm location
> "cablemodemIP" 255.255.255.240 outside pdm logging debugging 512 pdm
> history enable
> arp timeout 14400
> route outside 0.0.0.0 0.0.0.0 Public IP 1 timeout xlate 3:00:00 timeout
> conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout
> uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> ntp server 192.5.41.209 source outside prefer http server enable http
> "MY PUBLIC IP" 255.255.255.240 outside http 192.168.20.0 255.255.255.0
> inside floodguard enable telnet 192.168.20.0 255.255.255.0 inside telnet
> timeout 5 ssh "MY PUBLIC IP" 255.255.255.240 outside ssh 192.168.20.0
> 255.255.255.0 inside ssh timeout 5
> management-access inside
> console timeout 0
> vpnclient server "Concentrator PUBLIC IP" vpnclient mode
> network-extension-mode vpnclient vpngroup ****** password *******
> vpnclient username ****** password ******* vpnclient enable
>
>
> HERE IS THE ACCESS-LIST
>
> access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
> alert-interval 300
> access-list _vpnc_acl; 3 elements
> access-list _vpnc_acl line 1 permit ip 192.168.20.0 255.255.255.0 any
> access-list _vpnc_acl line 2 permit ip host "pixpublicip" any
> access-list _vpnc_acl line 3 permit ip host "PIXPUBLICIP" host
> "Concentrator IP"


If you are not doing split tunneling, then it will not be possible
(doesn't look like you are). Check the group config on the concentrator
to enable it.

Rik

 

"Squigs" <> wrote in message
news:...
> I have several pix 501's connected to a 3005 concentrator, setup with
> the following config. I cannot get management access to the outside
> interface using SSH or HTTPS. I am trying to access from my home
> cable modem, I can successfully SSH the router that is in front of the
> PIX. All Internet traffic from behind the pix 501 needs to continue
> to go through the VPN tunnel for filtering. Everything currently
> works the way I need it to, I cannot manage the outside interface.
> Any help would be appreciated.

> management-access inside


since you allready have this, just point to the inside IP, instead.
That way it is all secured in the tunnel aswell.

Just point the services to inside:
http someIP 255.255.255.0 inside
ssh someIP 255.255.255.0 inside
pdm location someIP 255.255.255.255 inside

Also you can do this with AAA, syslog, telnet etc.

HTH
Martin Bilgrav

 

Thanks for the feedback. I need to have all traffic (including
internet) to go through the VPN tunnel because I have web filtering at
Headquarters (compliance reasons). I must have "tunnel everything"
checked on the concentrator. I have found myself in the situtuation
where a config was made on a pix 501 (while onsite) that was not
written to memory (totally my fault). The power went out a couple
weeks late, the 501 reboots to the original config. Then I spend the
next day driving for 8 hours. Is there another way to divert all
Internet traffic throught the VPN tunnel without having the "tunnel
everything" checked?