PIX, external telnet, what am I missing?

dsingleterry
Level 1

I've got two PIXs telnetting to each other fine, but my third PIX that I just placed, I can't get to. Here's my configs:

(515e at location A, can telnet to an existing 501e (location B) without problems, but not to the newly placed 501e in location C)

515e config:

PIX 6.2(2) (515e)

access-list acl_outbound permit ip host 192.168.50.10 any

access-list acl_outbound permit ip host 192.168.50.75 any

access-list acl_outbound permit ip host 192.168.50.201 any

access-list acl_outbound permit ip host 192.168.50.202 any

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3

access-list acl_inbound permit tcp any host 64.53.71.7 eq 3389

access-list acl_inbound permit icmp any any

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host 65.40.81.11

access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.52.0 255.255.255.0

icmp permit any outside

icmp permit any inside

ip address outside pppoe setroute

ip address inside 192.168.50.1 255.255.255.0

global (outside) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 192.168.50.0 255.255.255.0 0 0

static (inside,outside) tcp x.x.71.7 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside

sysopt connection permit-ipsec

no sysopt route dnat

telnet x.x.71.8 255.255.255.255 outside

telnet 192.168.51.0 255.255.255.0 outside

telnet 192.168.52.0 255.255.255.0 outside

telnet x.x.81.11 255.255.255.255 outside

telnet 192.168.50.201 255.255.255.255 inside

telnet 192.168.50.202 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname *******

vpdn group pppoex ppp authentication pap

vpdn username ********** password *********

terminal width 80

Cryptochecksum:649c671fefa5ad2ee0709ea1aa24faea

: end

(501e at location C, cannot telnet to 515e, and 515e cannot telnet to this 501e)

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 host x.x.71.7

access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0

access-list acl_outbound permit ip 192.168.52.0 255.255.255.0 any

access-list acl_inbound permit ip host x.x.71.7 any

interface ethernet0 10baset

interface ethernet1 10full

ip address outside x.x.81.11 255.255.255.128

ip address inside 192.168.52.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 192.168.52.0 255.255.255.0 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside

sysopt connection permit-ipsec

no sysopt route dnat

telnet 192.168.50.0 255.255.255.0 outside

telnet 64.53.71.7 255.255.255.255 outside

telnet 192.168.50.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:f4e78a76793783478f6e56f567e1f9cd

: end

Am I just overlooking something here? I tried to compare the existing 501e config that's working with the new one and haven't seen a difference.

Thanks,

Dave


dsingleterry
Level 1

OK, I just saw this in the documentation:

If you are trying to telnet to the outside interface, it is only allowed through an IPSec tunnel or Secure Shell (SSH) connection. The syntax is: telnet {ip address of machine on outside interface} 255.255.255.255 outside x, where x is any additional commands to form the IPSec or SSH tunnel.

So I need to set up the VPN first. Here's my current VPN config; the complication is that this is my first multiple-VPN setup: the 515e at the main office is VPN'd to a different 501, and I'm attempting to VPN this one to it as well.

515e:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

names

name x.x.71.8 ConstOffice

access-list acl_outbound permit ip host 192.168.50.10 any

access-list acl_outbound permit ip host 192.168.50.75 any

access-list acl_outbound permit ip host 192.168.50.201 any

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host ConstOffice

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host 65.40.81.11

access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.52.0 255.255.255.0

access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0

access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

icmp permit any outside

icmp permit any inside

ip address outside pppoe setroute

ip address inside 192.168.50.1 255.255.255.0

ip address intf2 127.0.0.1 255.255.255.255

global (outside) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 192.168.50.0 255.255.255.0 0 0

static (inside,outside) tcp x.x.71.7 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac

crypto map vpn1 10 ipsec-isakmp

crypto map vpn1 10 match address inside_nat0_outbound

crypto map vpn1 10 set pfs group2

crypto map vpn1 10 set peer ConstOffice

crypto map vpn1 10 set transform-set myset

crypto map vpn1 20 ipsec-isakmp

crypto map vpn1 20 match address 101

crypto map vpn1 20 set pfs group2

crypto map vpn1 20 set peer x.x.81.11

crypto map vpn1 20 set transform-set myset

crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address ConstOffice netmask 255.255.255.255

isakmp key ******** address x.x.81.11 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

telnet ConstOffice 255.255.255.255 outside

telnet 192.168.51.0 255.255.255.0 outside

telnet 192.168.52.0 255.255.255.0 outside

telnet x.x.81.11 255.255.255.255 outside

telnet 192.168.50.201 255.255.255.255 inside

telnet 192.168.50.202 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

terminal width 80

501e:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 host x.x.71.7

access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0

access-list acl_outbound permit ip 192.168.52.0 255.255.255.0 any

access-list acl_inbound permit ip host x.x.71.7 any

interface ethernet0 10baset

interface ethernet1 10full

ip address outside x.x.81.11 255.0.0.0

ip address inside 192.168.52.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.52.0 255.255.255.0 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac

crypto map vpn1 9 ipsec-isakmp

crypto map vpn1 9 match address inside_nat0_outbound

crypto map vpn1 9 set pfs group2

crypto map vpn1 9 set peer x.x.71.7

crypto map vpn1 9 set transform-set myset

crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address x.x.81.11 netmask 255.255.255.255

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption des

isakmp policy 9 hash sha

isakmp policy 9 group 1

isakmp policy 9 lifetime 86400

telnet 192.168.50.0 255.255.255.0 outside

telnet x.x.71.7 255.255.255.255 outside

telnet 192.168.50.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:f4e78a76793783478f6e56f567e1f9cd

: end

So I must be missing something to get multiple VPNs up.

My debug info from the 515 is as follows:

ISAKMP (0): beginning Quick Mode exchange, M-ID of 299217336:11d5b1b8

crypto_isakmp_process_block: src x.x.81.11, dest x.x.71.7

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 299217336

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 28800

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-SHA

ISAKMP: group is 2

ISAKMP (0): atts are acceptable.

ISAKMP: IPSec policy invalidated proposal

ISAKMP (0): SA not acceptable!

ISAKMP (0): sending NOTIFY message 14 protocol 3

return status is IKMP_ERR_NO_RETRANS

crypto_isakmp_process_block: src x.x.81.11, dest x.x.71.7

ISAKMP (0): processing DELETE payload. message ID = 2059037963

ISAKMP (0): deleting SA: src x.x.71.7, dst x.x.81.11

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0x813d3688, conn_id = 0

ISADB: reaper checking SA 0x813d65c8, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:x.x.81.11 Ref cnt decremented to:0 Total VPN Peers:2

VPN Peer: ISAKMP: Deleted peer: ip:x.x.81.11 Total VPN peers:1

ISADB: reaper checking SA 0x813d3688, conn_id = 0
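The debug lines "IPSec policy invalidated proposal" and "SA not acceptable!" are the 515e receiving the 501e's Quick Mode proxy identities and failing to match them against a crypto-map entry for that peer; until that negotiation succeeds, the telnet-to-outside access from the first post cannot work either, since the documentation quoted above only permits it over the tunnel. The two configuration causes to rule out first for that message are a crypto ACL entry on one side with no exact mirror image (destination and source swapped) on the other, and the same source/destination pair bound to an earlier crypto-map sequence number with a different peer, because the PIX walks map entries in ascending sequence order. The script below is an added example for this thread, not code from the original poster or from Cisco. It parses the crypto-relevant lines of the two listings above (constructed here from the posted configs, with the half-redacted 65.40.81.11 written as x.x.81.11 to match the rest of the post) and reports both conditions, plus any crypto-map peer that has no matching isakmp key line. Addresses are compared as plain strings, so the redacted x.x values work unchanged.

```python
# Added example: checks PIX 6.x crypto-map/crypto-ACL pairs for the usual causes of
# "IPSec policy invalidated proposal" in Quick Mode. Addresses stay plain strings.

def _endpoint(tokens, names):
    """Consume one ACL endpoint: 'host A', 'A MASK' or 'any'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "0.0.0.0")
    if tok == "host":
        addr = tokens.pop(0)
        return (names.get(addr, addr), "255.255.255.255")
    return (names.get(tok, tok), tokens.pop(0))

def parse_pix(text):
    """Collect name aliases, 'permit ip' ACL entries, crypto-map entries and ISAKMP keys."""
    cfg = {"names": {}, "acls": {}, "maps": {}, "isakmp_peers": set()}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name" and len(t) == 3:          # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            src, dst = _endpoint(rest, cfg["names"]), _endpoint(rest, cfg["names"])
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and len(t) > 3 and t[3].isdigit():
            entry = cfg["maps"].setdefault((t[2], int(t[3])), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = cfg["names"].get(t[6], t[6])
        elif t[:2] == ["isakmp", "key"] and "address" in t:
            peer = t[t.index("address") + 1]
            cfg["isakmp_peers"].add(cfg["names"].get(peer, peer))
    return cfg

def crypto_entries(cfg, peer):
    """(src, dst) pairs the config protects towards `peer`, in sequence order."""
    out = []
    for _, entry in sorted(cfg["maps"].items()):
        if entry.get("peer") == peer:
            out.extend(cfg["acls"].get(entry.get("acl"), []))
    return out

def mirror_mismatches(local, local_peer, remote, remote_peer):
    """Entries on each side whose mirror (dst, src) the other side lacks."""
    le = crypto_entries(local, local_peer)      # local_peer: address local uses for remote
    re_ = crypto_entries(remote, remote_peer)   # remote_peer: address remote uses for local
    return ([e for e in le if (e[1], e[0]) not in re_],
            [e for e in re_ if (e[1], e[0]) not in le])

def shadowed_entries(cfg):
    """(later_seq, earlier_seq, pair): a pair bound to two map entries with different peers."""
    found, entries = [], sorted(cfg["maps"].items())
    for i, ((map_a, seq_a), ea) in enumerate(entries):
        earlier = cfg["acls"].get(ea.get("acl"), [])
        for (map_b, seq_b), eb in entries[i + 1:]:
            if map_a != map_b or ea.get("peer") == eb.get("peer"):
                continue
            for pair in cfg["acls"].get(eb.get("acl"), []):
                if pair in earlier:             # lower sequence number claims this traffic
                    found.append((seq_b, seq_a, pair))
    return found

def missing_isakmp_keys(cfg):
    """Crypto-map peers with no 'isakmp key ... address <peer>' line."""
    peers = {e["peer"] for e in cfg["maps"].values() if "peer" in e}
    return sorted(peers - cfg["isakmp_peers"])

# Constructed from the two listings above: crypto-relevant lines only, with the
# half-redacted 65.40.81.11 written as x.x.81.11 to match the rest of the post.
PIX_515E = """
name x.x.71.8 ConstOffice
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host ConstOffice
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host x.x.81.11
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 20 match address 101
crypto map vpn1 20 set peer x.x.81.11
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
"""
PIX_501E = """
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 host x.x.71.7
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
crypto map vpn1 9 match address inside_nat0_outbound
crypto map vpn1 9 set peer x.x.71.7
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
"""

if __name__ == "__main__":
    a, b = parse_pix(PIX_515E), parse_pix(PIX_501E)
    print("unmirrored:", mirror_mismatches(a, "x.x.81.11", b, "x.x.71.7"))
    print("shadowed on 515e:", shadowed_entries(a), "no key:", missing_isakmp_keys(b))
```

Run against the listings as posted it reports three things: two 501e crypto ACL entries (192.168.52.0/24 to host x.x.71.7, and host x.x.81.11 to 192.168.50.0/24) that have no mirror in the 515e's access-list 101; the 192.168.50.0/24 to 192.168.52.0/24 pair present both in inside_nat0_outbound (sequence 10, peer ConstOffice) and in 101 (sequence 20, peer x.x.81.11), so sequence 10 owns it; and, on the 501e as listed, no isakmp key for x.x.71.7 (its only key line names its own outside address; since the debug shows Quick Mode being reached, the posted listing may be incomplete on that point). Either of the first two is enough to produce the rejection in the debug. The usual remedy is one dedicated crypto ACL per peer, mirrored exactly on both ends, with the NAT-exemption ACL kept separate rather than reused as a crypto ACL.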
