Issues remotely managing Pix 501

Rex Biesty — Mon, 11 Mar 2019 18:10:24 GMT

Hi. I'm having issues trying to manage a Pix 501 remotely on one of our satellite sites. I can connect to it locally using ssh client (putty) and PDM but neither work from outside (Internet Explorer cannot display the webpage - via PDM). As far as I can tell it's configured the same as my other satellite sites and I can manage them fine remotely. Any help would be greatly appreciated.

Thanks Rex

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password hVVg7CLUwzxPAzq2 encrypted
passwd hVVg7CLUwzxPAzq2 encrypted
hostname PartickPix
domain-name Partick
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.0.0 Opps_LAN
access-list inside_outbound_nat0_acl permit ip 192.168.11.0 255.255.255.0 Opps_LAN 255.255.0.0
access-list outside_cryptomap_20 permit ip 192.168.11.0 255.255.255.0 Opps_LAN 255.255.0.0
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.11.17
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.11.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Opps_LAN 255.255.0.0 outside
pdm location 192.168.11.17 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxxxx address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp keepalive 10
isakmp nat-traversal 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.11.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.11.11-192.168.11.33 inside
dhcpd dns 172.16.1.9 194.72.9.34
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username RBiesty password mzMgn1DtloK0/v6C encrypted privilege 15
terminal width 80

Re: Issues remotely managing Pix 501

Nagaraja Thanthry — Mon, 12 Jul 2010 13:29:49 GMT

Hello,

Are you trying to access the outside IP address or the inside IP address? If you are trying to access the outside IP, then you need to include your public IP address in the allowed list (for HTTP/telnet/ssh). If you are trying to access the inside interface IP, then I think you might be missing a command:

management-access inside

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1137951

Executing the above command should resolve your issue.

Hope this helps.

Regards,

Re: Issues remotely managing Pix 501

Rex Biesty — Mon, 12 Jul 2010 13:45:32 GMT

Thanks for the reply. It's the outside IP I'm trying to access. I thought I'd allowed PDM from outside via this command

http 0.0.0.0 0.0.0.0 outside

Is that correct? Sorry if not but not sure what you mean by including the Pix's public IP in the allowed list.

Re: Issues remotely managing Pix 501

Nagaraja Thanthry — Mon, 12 Jul 2010 15:16:28 GMT

Hello,

Sorry I missed that line :). I do not see any issues with your configuration

as such. Can you ping the outside IP? (You might have to add a rule to allow

ICMP temporarily on the outside interface). Do you get any error messages

when you try to SSH to the box?

Regards,

topic Re: Issues remotely managing Pix 501 in Network Security

Issues remotely managing Pix 501

Re: Issues remotely managing Pix 501

Re: Issues remotely managing Pix 501

Re: Issues remotely managing Pix 501