12-15-2012 12:53 AM
I have a PIX 501 at a remote site. This is not a VPN, it's a secured network across a trusted LAN. Everything works fine apart from SSH access to the firewall.
debug ssh shows the following:
no translation group found for tcp source 10.4.4.34/1727 dst inside:10.70.128.1/22
the inside subnet is 10.70.128.0/26
the inside interface address is 10.70.128.1
I'm using the no-NAT statement:
nat (inside) 0 0.0.0.0 0.0.0.0
SSH statements:
ssh 10.4.4.34 255.255.255.255 inside
management-access inside
Any ideas why I can access the firewall?
12-16-2012 10:16 AM
Hello Michal,
Commands seem to be correct.
If address 10.4.1.32 is on the inside, you should be able to access the PIX from it.
If this address belongs to the outside network (and you are using outside/inside security levels as per best practices, inside > outside) you will not be able to access the PIX inside interface. You can access the PIX inside interface from the outside only by going through the tunnel.
Hope it helps.
Best Regards,
Eugene
12-15-2012 01:05 AM
Hi Michael,
management-access inside
In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:
Please refer to this command reference:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1137951
Please rate helpful posts :)
Best Regards,
Eugene
12-16-2012 10:06 AM
Hi Eugene
Thanks for the reply. I've been trying to reconfigure the firewall but I'm still getting the same translation error?
I've set up a lab using a copy of the firewall config but with the following SSH config:
username networks password password
aaa authentication ssh console TACACS+ LOCAL
domain-name domain.local
ssh 10.4.1.32 255.255.255.255 inside
ca gen rsa key 1024
Is this config correct?
12-16-2012 10:23 AM
Fantastic Eugene!!
I've added ssh 10.4.1.32 255.255.255.255 outside
I can now remote to the outside to get access.
Thanks a lot for your help.
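The lesson of the thread is that a PIX 6.3 `ssh <ip> <mask> <interface>` entry is tied to the interface the connection arrives on, and that `management-access inside` only lets a session reach the inside address across an IPsec tunnel. The following is an added example, not code from the thread or from Cisco: a small Python audit that reads a PIX-style config fragment, works out which interface a source address arrives on (directly connected subnet first, then the default route) and reports why a non-VPN SSH session to a given firewall address would be refused. The inside subnet, inside address, `nat 0` and `ssh`/`management-access` lines are taken from the posts; the interface names, the outside addressing (10.4.0.0/16) and the default route are constructed assumptions.

```python
import ipaddress
import re

# Constructed PIX 6.3 style configuration fragment. The inside subnet, the inside
# interface address and the nat/ssh/management-access lines come from the thread;
# the interface names, outside addressing and default route are assumptions.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.4.0.2 255.255.0.0
ip address inside 10.70.128.1 255.255.255.192
route outside 0.0.0.0 0.0.0.0 10.4.0.1 1
nat (inside) 0 0.0.0.0 0.0.0.0
ssh 10.4.4.34 255.255.255.255 inside
management-access inside
"""


def parse_interfaces(config):
    """Map interface name -> IPv4Interface from 'ip address <name> <ip> <mask>' lines."""
    interfaces = {}
    for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)\s*$", config, re.M):
        name, addr, mask = m.groups()
        interfaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return interfaces


def parse_default_route(config):
    """Return the interface named in a 'route <if> 0.0.0.0 0.0.0.0 <gw>' line, or None."""
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M)
    return m.group(1) if m else None


def parse_ssh_permits(config):
    """Return [(IPv4Network, interface)] for each 'ssh <ip> <mask> <if>' line."""
    permits = []
    for m in re.finditer(r"^ssh (\S+) (\S+) (\S+)\s*$", config, re.M):
        addr, mask, name = m.groups()
        permits.append((ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), name))
    return permits


def ingress_interface(src, config):
    """Interface a packet from src arrives on: a directly connected subnet wins,
    otherwise the default-route interface."""
    src_addr = ipaddress.IPv4Address(src)
    for name, iface in parse_interfaces(config).items():
        if src_addr in iface.network:
            return name
    return parse_default_route(config)


def ssh_check(src, dst, config):
    """Decide whether a non-VPN SSH session from src to firewall address dst is
    permitted: the session must target the address of the interface it arrives
    on (management-access only applies across a tunnel), and an 'ssh' entry for
    that interface must cover src. Returns the verdict with its reasons."""
    interfaces = parse_interfaces(config)
    ingress = ingress_interface(src, config)
    src_addr = ipaddress.IPv4Address(src)
    dst_addr = ipaddress.IPv4Address(dst)
    dst_if = next((n for n, i in interfaces.items() if i.ip == dst_addr), None)
    permitted_on = [name for net, name in parse_ssh_permits(config) if src_addr in net]
    reasons = []
    if dst_if != ingress:
        reasons.append(f"dst {dst} belongs to the {dst_if} interface but the session "
                       f"arrives on {ingress}; management-access needs a VPN tunnel")
    if ingress not in permitted_on:
        reasons.append(f"no 'ssh ... {ingress}' entry covers {src}")
    return {"allowed": not reasons, "ingress": ingress,
            "permitted_on": permitted_on, "reasons": reasons}


if __name__ == "__main__":
    # The situation from the first post: admin on 10.4.x.x, SSH to the inside address.
    print(ssh_check("10.4.4.34", "10.70.128.1", PIX_CONFIG))
    # The fix from the last post: an ssh entry on outside, connecting to the outside address.
    fixed = PIX_CONFIG + "ssh 10.4.4.34 255.255.255.255 outside\n"
    print(ssh_check("10.4.4.34", "10.4.0.2", fixed))
```

Run against the original fragment, the check flags both problems for the admin host (it arrives on outside but the only `ssh` entry names inside, and the destination is the inside address). With the extra `ssh ... outside` line and the outside address as destination, the session is permitted, which is what the final post reports.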