10-09-2006 08:42 AM
Hi,
I'd like to fix an issue I've got with my PIX. With my config I'm able to ping the inside PIX interface through the VPN tunnel, but I can't SSH or telnet to it, and obviously I can't get ASDM over HTTPS. Here is my config:
!
interface Ethernet0
nameif outside
security-level 0
ip address <public-ip> 255.255.255.128
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.21.1 255.255.255.0
access-list http-list2 extended permit ip any any
access-list UKDEVPN extended permit ip object-group UKInside object-group DEOffice
access-list UKUKOFFICEVPN extended permit ip object-group UKInside object-group UKOffice
access-list inside_nat0_outbound extended permit ip object-group UKInside object-group DEOffice
access-list inside_nat0_outbound extended permit ip object-group UKInside object-group UKOffice
access-list inside_nat1_outbound extended permit ip object-group UKInside any
access-list inbound extended permit tcp any object-group UKOutEx eq smtp
access-list inbound extended permit tcp any object-group UKOutEx eq pop3
access-list inbound extended permit tcp any object-group UKOutEx eq https
access-list inbound extended permit tcp any object-group UKOutEx eq imap4
access-list inbound extended permit tcp any object-group UKOutEx eq ssh
access-list inbound extended permit tcp any object-group UKOutEx eq 995
access-list inbound extended permit icmp object-group PublicUKOffice object-group UKOutEx
monitor-interface outside
monitor-interface inside
icmp permit <officepublicip> 255.255.255.248 outside
icmp permit any inside
asdm image flash:/asdm-501.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 <publicip> netmask 255.255.255.128
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat1_outbound
static (inside,outside) <publicip> 192.168.21.10 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 <internetGW>
http server enable
http <publicofficeip> outside
http 192.168.20.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
I don't know why I'm able to ping (so the traffic is allowed) but I can't SSH or telnet, even though I have set up the right settings such as management-access inside, etc.
Any help would be great.
Thanks in advance
10-13-2006 10:27 AM
Try adding the following commands; it might solve your problem.
telnet
telnet timeout 5
ssh timeout 5
10-16-2006 09:05 AM
Hi,
This should help you:
telnet
ssh
http
where Remote subnet is the subnet on the far side of the tunnel,
and you need management-access inside for this to work.
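As an added example (my own script, not something from this thread or from Cisco), here is a small Python audit of the management source lines from the config above. It assumes the far-side tunnel subnet is 192.168.20.0/24 and checks, per protocol, whether that subnet is permitted on the inside interface, whether management-access inside is present, and which entries allow any source (0.0.0.0 0.0.0.0), which is worth tightening to the specific remote subnet.

```python
import ipaddress
import re

# Constructed sample: the management lines from the posted PIX config plus the
# "management-access inside" line the reply says is needed over the tunnel.
SAMPLE_CONFIG = """\
nameif inside
ip address 192.168.21.1 255.255.255.0
http server enable
http 192.168.20.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
management-access inside
"""

# Matches "ssh|telnet|http <source-ip> <mask> <interface>" lines.
MGMT_RE = re.compile(r"^(ssh|telnet|http)\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)$")


def parse_mgmt_sources(config):
    """Return (protocol, source network, interface) for each management source line."""
    entries = []
    for line in config.splitlines():
        m = MGMT_RE.match(line.strip())
        if m:
            proto, addr, mask, ifname = m.groups()
            # PIX writes masks in dotted form; ipaddress accepts "addr/dotted-mask".
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            entries.append((proto, net, ifname))
    return entries


def audit(config, remote_subnet, ifname="inside"):
    """Report which protocols the far-side VPN subnet may use to manage ifname,
    whether management-access is enabled on it, and which entries allow any source."""
    remote = ipaddress.IPv4Network(remote_subnet)
    lines = [l.strip() for l in config.splitlines()]
    entries = [e for e in parse_mgmt_sources(config) if e[2] == ifname]
    report = {
        "management_access": f"management-access {ifname}" in lines,
        "reachable": {},
        "any_source": [],
    }
    for proto in ("ssh", "telnet", "http"):
        nets = [net for p, net, _ in entries if p == proto]
        report["reachable"][proto] = any(remote.subnet_of(net) for net in nets)
        if any(net.prefixlen == 0 for net in nets):
            report["any_source"].append(proto)
    return report
```

Run audit(SAMPLE_CONFIG, "192.168.20.0/24") to see that telnet has no source entry at all, while ssh and http are open to any source.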
10-17-2006 01:10 AM
I'm sorry, but I've already made these modifications and no luck, it still doesn't work. I really don't understand.
10-17-2006 07:34 AM
Hi,
I would like to know what code you are running on the PIX.
Thanks
Kanishka
10-17-2006 08:14 AM
It is 6.3(5).
OK, I think I found the solution: in the logs it says traffic discarded because the host licence has been exceeded.
So I will upgrade my licence and see if it works better.
10-18-2006 01:09 AM
I can't believe it, my problem is solved, and I spent many hours troubleshooting. The solution was just about upgrading the host licence, unbelievable.
Can someone tell me how I can mark this post as solved?
Thanks for your help
Alex