02-14-2010 06:40 AM - edited 03-11-2019 10:09 AM
I didn't really know how to describe the subject, so here goes.
Using a 6513 to originate an SSH connection to a 6509 through a PIX 535; that is what I'm attempting to do.
On the PIX, 3 interfaces: outside, sec level 0, 192.168.15.11 /27; inside, sec level 100, 192.168.15.33 /24; and a 3rd interface to be used for "mgmt", sec level 10, 10.10.10.1 /24.
On 6509, 2 physical interfaces 192.168.15.35 /24 and 10.10.10.2 /24.
From the 6513, I can ping to the 6509 through the PIX to both destinations.
However, from the 6513 I can only SSH to the 192.168.15.36 address.
I have noted the following when pinging, using show conn on the PIX:
ping to 192.168.15.35
ICMP outside 192.168.15.10:152 Inside 192.168.15.35:0, idle 0:00:00, bytes 67608
ICMP outside 192.168.15.10:152 Inside 192.168.15.35:0, idle 0:00:00, bytes 67608
ping to 10.10.10.2
ICMP outside 192.168.15.10:153 Inside 10.10.10.2:0, idle 0:00:00, bytes 42336
ICMP outside 192.168.15.10:153 Jump_Mgmt 10.10.10.2:0, idle 0:00:00, bytes 42408
It appears the return traffic is coming back from the 6509 via the default route 0.0.0.0 0.0.0.0 192.168.15.33 RATHER than the connected route between the two 10.10.10.0 /24 interfaces. I see a TCP deny on the inside interface coming from the 6509 (10.10.10.2), which seems to make sense since the traffic didn't originate through the inside interface en route to the 6509...
I'm not sure how to overcome this...
Any help would be appreciated...
bruce
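The diagnosis in the post above rests on reading the conn table: the second ping to 10.10.10.2 shows up once on Jump_Mgmt (the connected subnet) and once on Inside (the default route), which is the asymmetric return path. As an added example that is not part of the thread, the script below parses show conn lines of that format and flags any entry whose far-side interface is not the interface whose connected subnet contains the destination. The interface names, the subnets, and the sample lines are taken from the post; the assumption that only connected routes decide the expected interface is the script's own simplification (a real PIX routing table may also hold statics).

```python
import ipaddress
import re

# Constructed sample: the three "show conn" lines quoted in the post above.
SHOW_CONN = """\
ICMP outside 192.168.15.10:152 Inside 192.168.15.35:0, idle 0:00:00, bytes 67608
ICMP outside 192.168.15.10:153 Inside 10.10.10.2:0, idle 0:00:00, bytes 42336
ICMP outside 192.168.15.10:153 Jump_Mgmt 10.10.10.2:0, idle 0:00:00, bytes 42408
"""

# Connected subnets per PIX interface, from the interface addresses in the post.
# Interface names are assumed to match the names printed in the conn table.
CONNECTED = {
    "outside": ipaddress.ip_network("192.168.15.11/27", strict=False),
    "Inside": ipaddress.ip_network("192.168.15.33/24", strict=False),
    "Jump_Mgmt": ipaddress.ip_network("10.10.10.1/24", strict=False),
}

# One conn-table line: proto, ingress ifc, src:port, far-side ifc, dst:port, idle, bytes.
CONN_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<in_ifc>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<out_ifc>\S+)\s+(?P<dst>[\d.]+):(?P<dport>\d+),\s+idle\s+(?P<idle>\S+),"
    r"\s+bytes\s+(?P<bytes>\d+)"
)


def parse_conn(text):
    """Return one dict per parseable conn-table line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def expected_interface(addr):
    """Longest-prefix match of addr against the connected subnets (None if no match)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for name, net in CONNECTED.items():
        if ip in net and (best is None or net.prefixlen > CONNECTED[best].prefixlen):
            best = name
    return best


def find_asymmetric(text):
    """Flag conns whose far-side interface differs from the destination's connected interface."""
    findings = []
    for entry in parse_conn(text):
        want = expected_interface(entry["dst"])
        if want is not None and want != entry["out_ifc"]:
            findings.append({
                "proto": entry["proto"],
                "src": entry["src"],
                "dst": entry["dst"],
                "conn_ifc": entry["out_ifc"],
                "expected_ifc": want,
            })
    return findings


if __name__ == "__main__":
    for f in find_asymmetric(SHOW_CONN):
        print(f"{f['proto']} {f['src']} -> {f['dst']}: seen on {f['conn_ifc']}, "
              f"expected {f['expected_ifc']} (possible asymmetric return path)")
```

Run against the quoted output it reports exactly one entry, the ICMP conn to 10.10.10.2 on Inside, which is the conn the PIX will later reject for TCP because the flow was not built through that interface.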
02-14-2010 04:34 PM
bruce.summers wrote:
You're a genius!!!!
It worked....that is pretty awesome...
I could replace, in the ACL, the "host 10.10.10.2" with the entire /24 subnet, I would think...
thanks
Bruce
Glad you got it working, and yes, you could use the entire subnet in the PNAT ACL if you want to.
Jon
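The thread never shows the policy NAT that fixed it, so here is a constructed PIX 7.x-style fragment of the kind the replies describe; it is an added example, not the configuration Bruce or Jon posted. It assumes the interface names from the conn table (outside, Inside, Jump_Mgmt), the 6513 source address 192.168.15.10 and the 6509 management address 10.10.10.2 from the post, and an unused pool address 10.10.10.5, which is an assumption. It also assumes the rules that already let the 6513 reach 10.10.10.2 stay in place.

```cisco
! Constructed example (assumed PIX 7.x syntax), not the thread's own config.
! Only SSH from the 6513 to the 6509 management address matches, so nothing
! else arriving on "outside" is translated; widen the destination to
! 10.10.10.0 255.255.255.0 to cover the whole subnet, as discussed above.
access-list PNAT extended permit tcp host 192.168.15.10 host 10.10.10.2 eq 22
!
! Outside policy NAT: sources that match PNAT on "outside" are translated to
! an address on the Jump_Mgmt side, so the 6509 sees a directly connected
! peer and answers over its 10.10.10.0/24 interface instead of its default route.
nat (outside) 2 access-list PNAT outside
global (Jump_Mgmt) 2 10.10.10.5
!
! Verification after an SSH attempt from the 6513 (assumed commands):
! show xlate   - expect 192.168.15.10 mapped to 10.10.10.5 on Jump_Mgmt
! show conn    - expect the TCP/22 conn on outside and Jump_Mgmt only
```

The ACL is the control: it is tied to the nat statement, so only matching flows are translated, which is the point KS makes later in the thread. ICMP is deliberately not in the ACL here, so pings to 10.10.10.2 would still return via the default route; add an icmp line if that matters for troubleshooting.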
02-14-2010 04:37 PM
thanks for the ideas/specifics and mostly the patience...
It is great when I'm able to confer with guys like you and KS on an issue..
Couldn't have done it without ya...
thanks again.
bruce
02-14-2010 04:03 PM
Hmmm...now that I look/think about that, that isn't going to work either...it's going to NAT anything coming in.....
02-14-2010 07:06 PM
Thanks Jon. Wow ! 25 responses since I last wrote on this thread.
So you all decided to go with outside policy NAT instead of route-map.
That is fine. But why do you think that this is going to NAT everything? You tied an ACL to the NAT, so only the traffic that matches the ACL will be translated.
Just let us know how things go.
-KS
02-15-2010 05:15 AM
Hi KS,
Naw, Jon got me straight on the policy NAT...just my inexperience with it is why I thought that it would NAT everything...nice piece of learning on my part.
It is now working...thanks for your posts.
Did you get the points I submitted...I wasn't sure if I could assign points to both you and Jon...
bruce
02-15-2010 05:55 AM
Sure did. Thanks for rating.
Glad it is working.
-KS
02-14-2010 01:15 PM
Yes, 10.10.10.2 is a VLAN interface...
I tried the config that kusankar provided, and it didn't work...
I'll try the local option...
bruce