MARS 6.0 can't discover PIX 8.0(4)

Sergey Tregubov
Level 1

Hello,

I've configured CS-MARS 6.0, added a lot of devices and everything works fine, but I can't add a PIX 8.0 device.

Error:

spqwn ssh -c 3des -l admin 10.*.*.*

ssh: connect to host 10.*.*.* port 22: no route to host

Error executing ssh command

The PIX is connected to the switch, and MARS is connected to the switch too, in the same VLAN.

PIX config:

PIX Version 8.0(4)
!
hostname test-pix
enable password ************* encrypted
passwd ************ encrypted
no names
!
interface Ethernet0
nameif management
security-level 100
ip address 10.*.*.* 255.255.255.0
!
interface Ethernet1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone MSK 3
access-list permit_ssh extended permit tcp host 10.*.*.* any eq ssh log
access-list permit_tcp extended permit tcp host 10.*.*.* any
pager lines 24
logging enable
logging trap notifications
logging host management 10.*.*.*

mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
access-group permit_tcp in interface management
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
snmp-server host management 10.*.*.* community ****
no snmp-server location
no snmp-server contact
snmp-server community ****

snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.*.*.* 255.255.255.0 management
ssh 10.*.*.* 255.255.255.255 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password ********** encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c61a9083378da448280284a603b1bfe0
: end
test-pix#

Could anyone help, please?

Thank you

5 Replies

Mykola Srebnyuk
Level 1

Config of MARS in studio!!!!

Ping successful?

Please pay some attention to the SSH configuration on the PIX.

I can't ping the PIX from MARS, and vice versa.

I've attached the PIX configuration on MARS and the SSH config on MARS.

On the PIX I created a 1024-bit RSA key, because MARS does not accept RSA keys shorter than 1024 bits, as I understood from the literature.

If you can't ping the MARS from the PIX and vice versa, it is more of an L1/L2/L3 issue. Are you sure it is connected to the same VLAN in the switch? What is the IP address of MARS, and of the PIX management interface? Also, make sure the IP address is not duplicated.

They are not duplicated

mars - 10.11.0.6/24

pix - 10.11.0.23/24

the same VLAN

I think the problem is with CBAC on the PIX, or with the ACL; maybe I need to allow ICMP packets?

Try logging in to the Cisco MARS CLI

&

try to log in to the PIX by SSH.

The config of the PIX seems correct.

Configure the switch with an IP address in the same VLAN as the PIX and MARS, and try to ping the switch from MARS and the switch from the PIX.
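The replies above keep pointing at the same two things: the SSH access statements on the PIX and whether the two boxes are really on one subnet. Below is an added helper (not from the thread or from Cisco) that reads a PIX/ASA-style config and reports exactly that for a given MARS address: which nameif owns the PIX management IP, whether MARS sits in that interface's subnet, whether an `ssh <addr> <mask> <nameif>` line admits MARS there, and whether `aaa authentication ssh console LOCAL` has a local username to log in with. The sample config is constructed from the posted one with the addresses the thread states (MARS 10.11.0.6/24, PIX 10.11.0.23/24) filled in.

```python
import ipaddress
import re

# Constructed sample: the thread's PIX config trimmed to the lines that
# govern SSH access, with the thread's stated addresses substituted.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif management
 security-level 100
 ip address 10.11.0.23 255.255.255.0
aaa authentication ssh console LOCAL
ssh 10.11.0.0 255.255.255.0 management
ssh 10.11.0.6 255.255.255.255 management
ssh timeout 5
username admin password ********** encrypted privilege 15
"""


def interface_networks(config):
    """Return {nameif: IPv4Interface} for every interface with an address."""
    nets, nameif = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            nameif = None                      # new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, ip, mask = line.split()[:4]
            nets[nameif] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return nets


def ssh_permitted(config, client_ip):
    """Set of nameifs on which an `ssh <addr> <mask> <nameif>` line covers client_ip.
    The digit-first pattern skips `ssh timeout` / `ssh version` lines."""
    client, allowed = ipaddress.IPv4Address(client_ip), set()
    for line in config.splitlines():
        m = re.match(r"^\s*ssh (\d[\d.]*) (\d[\d.]*) (\S+)", line)
        if m and client in ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False):
            allowed.add(m[3])
    return allowed


def check_mars_ssh_access(config, mars_ip, pix_mgmt_ip):
    """Findings to confirm before blaming the PIX config for a failed discovery."""
    nets = interface_networks(config)
    mgmt = next((n for n, i in nets.items() if str(i.ip) == pix_mgmt_ip), None)
    return {
        "mgmt_nameif": mgmt,
        "same_subnet": mgmt is not None
        and ipaddress.IPv4Address(mars_ip) in nets[mgmt].network,
        "ssh_line_covers_mars": mgmt in ssh_permitted(config, mars_ip),
        "local_login_possible": "aaa authentication ssh console LOCAL" in config
        and re.search(r"^\s*username \S+ password", config, re.M) is not None,
    }
```

A clean report here only clears the PIX side: the `no route to host` in the original post is raised by the MARS host before any SSH packet reaches the PIX, so the L2/L3 path (ARP, VLAN membership, duplicate addresses) still has to be checked as the replies suggest.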