SSH not connecting to remote

mickyq
Level 1

I have a PIX 501 at a remote site. This is not a VPN; it's a secured network across a trusted LAN. Everything works fine apart from SSH access to the firewall.

debug ssh shows the following:

no translation group found for tcp source 10.4.4.34/1727 dst inside:10.70.128.1/22

the inside subnet is 10.70.128.0/26

the inside interface address is 10.70.128.1

I'm using the no nat statement:

nat (inside) 0 0.0.0.0 0.0.0.0

SSH statements:

ssh 10.4.4.34 255.255.255.255 inside

management-access inside

Any ideas why I can access the firewall.

4 Replies

Eugene Korneychuk
Cisco Employee

Hi Michael,

management-access inside

In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:

Please refer to this command reference:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1137951

Please rate helpful posts :)

Best Regards,

Eugene

Hi Eugene

Thanks for the reply. I've been trying to reconfigure the firewall but I'm still getting the same translation error?

I've set up a lab using a copy of the firewall config but with the following SSH config:

username networks password password

aaa authentication ssh console TACACS+ LOCAL

domain-name domain.local

ssh 10.4.1.32 255.255.255.255 inside

ca gen rsa key 1024

Is this config correct?

Hello Michal,

Commands seem to be correct.

If address 10.4.1.32 is on the inside, you should be able to access the PIX from it.

If this address belongs to the outside network (and you are using outside/inside security levels as per best practices - inside > outside), you will not be able to access the PIX inside interface. You can access the PIX inside interface from outside only by going through the tunnel.

Hope it helps.

Best Regards,

Eugene

Fantastic Eugene!!

I've added ssh 10.4.1.32 255.255.255.255 outside

I can now remote to the outside to get access.

Thanks a lot for your help.
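
Added example (not part of the original thread and not Cisco code): a small Python check of which `ssh <ip> <mask> <interface>` statements in a PIX config cover a given client, matched on the interface the client's traffic arrives on, as the accepted answer describes. The sample config is constructed from the statements quoted in this thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config, built from the statements quoted in this thread.
SAMPLE_CONFIG = """\
nat (inside) 0 0.0.0.0 0.0.0.0
ssh 10.4.4.34 255.255.255.255 inside
ssh 10.4.1.32 255.255.255.255 outside
management-access inside
"""

# Matches only 'ssh <ip> <mask> <interface>'; lines such as 'ssh timeout 5' are skipped.
SSH_RE = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_ssh_rules(config):
    """Return (network, interface) for every 'ssh <ip> <mask> <interface>' line."""
    rules = []
    for line in config.splitlines():
        m = SSH_RE.match(line.strip())
        if not m:
            continue
        ip, mask, ifname = m.groups()
        # strict=False tolerates host bits set in the address part
        rules.append((ipaddress.ip_network(f"{ip}/{mask}", strict=False), ifname))
    return rules


def ssh_permitted(config, source_ip, arrival_interface):
    """True if a rule covers source_ip on the interface its traffic arrives on.

    A rule naming a different interface does not help the client, which is
    why the 'inside' statement in this thread never matched.
    """
    src = ipaddress.ip_address(source_ip)
    return any(src in net and ifname == arrival_interface
               for net, ifname in parse_ssh_rules(config))


def broad_rules(config, max_hosts=256):
    """Audit helper: rules that admit more than max_hosts source addresses."""
    return [(str(net), ifname) for net, ifname in parse_ssh_rules(config)
            if net.num_addresses > max_hosts]
```

`broad_rules` is useful once SSH is opened on the outside interface: it flags statements wider than the single-host /32 used in this thread.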
