VPN tunnel between pix6.3 and pix 7.0

fcatalao
Level 1

I have installed a PIX 7.0(1) at one of our offices and configured a site-to-site VPN tunnel to the head office PIX 6.3(3).

The tunnel comes up fine and you can see packets being transferred through the tunnel (sh crypto ipsec sa).

I have successfully TFTP'd a new image to the PIX 7.0(1) and can also poll it via SNMP, but when I try to telnet to it I get:

"%PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 194.x.x.x, src_addr= 192.x.x.x, prot= tcp"

I have been looking through the Bug Toolkit and found the following: CSCei00497.

I was wondering if this could be the problem, or if anyone knows of this?

Thanks

FC

7 Replies

jackko
Level 7

You mentioned the issue occurs when you try to telnet to the PIX with v7.

Just wondering where you are trying to telnet from: from the Internet? Inside? The remote LAN via VPN? Also, to which interface of the PIX with v7: inside? outside?

Telnetting from the PIX with ver 6.3 to the outside interface from the Internet. I have read somewhere that this message I get has to do with the ISAKMP policies not being the same on both sides, but they definitely are.

Thanks

net1 <--> pix7 <--> internet/vpn <--> pix6 <--> net2

A net2 PC tries to establish a telnet session to the pix7 outside interface? If so, you need to apply the following on pix7, and telnet to the pix7 inside interface instead:

management-access inside

telnet <net2 address> <mask> inside

The VPN is set up from pix6 to the outside interface of pix7. It is not set up for LAN-to-LAN, only for management purposes, to be able to telnet into pix7 and not access net1.

Thanks

Telnet is not allowed on the PIX outside interface, regardless of whether it's over IPsec or not.

One way is to configure SSH by using the commands below:

hostname xxx

domain-name xxx.com.au

! PIX 7.0 syntax; on 6.3 the equivalents are "ca generate rsa key 1024" and "ca save all"

crypto key generate rsa modulus 1024

write memory

ssh x.x.x.x 255.255.255.255 outside

Thanks jackko for your replies.

Are you saying that telnetting to the outside interface is not supported anymore with PIX 7.0?

I guess it may work with v7; however, you need to include the PIX outside interface as part of the crypto ACL.

I have had some issues with that solution. E.g. the LAN-to-LAN VPN wasn't 100% LAN-to-LAN: from one site only specific hosts were included as part of the crypto ACL; however, the rest of the site had access to the VPN as well. After some troubleshooting, I found the reason being that the PIX will PAT all the outbound traffic, and since the PIX outside interface is part of the crypto ACL, the rest of the site has access to the VPN as well. It may or may not be your case.

Regardless, I would suggest allowing telnet to the inside interface only, not outside.
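Both behaviours discussed in this thread, the %PIX-4-402106 "Rec'd packet not an IPSEC packet" message and jackko's observation that PAT plus the outside interface in the crypto ACL pulls the whole site into the tunnel, come down to how a flow is matched against the crypto ACL. The Python below is an added example written for this page, not code from the thread or from Cisco. It parses PIX-style "access-list NAME permit ip" lines and models the match. All addresses (198.51.100.1 for the pix7 outside interface, 192.168.2.0/24 for net2, 10.1.1.0/24 for net1) and the ACL name vpn-mgmt are constructed, and the evaluation order is an assumption: NAT/PAT is applied first and the post-NAT addresses are compared with the crypto ACL, while inbound cleartext packets are compared with source and destination swapped.

```python
import ipaddress
from typing import List, Optional, Tuple

AclEntry = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed sample: the crypto ACL on pix7.  The local side is pix7's own
# outside address (assumed 198.51.100.1), the remote side is the head-office
# LAN net2 (assumed 192.168.2.0/24).  Names and addresses are invented.
PIX7_CRYPTO_ACL = """
access-list vpn-mgmt permit ip host 198.51.100.1 192.168.2.0 255.255.255.0
"""
PIX7_OUTSIDE = "198.51.100.1"


def _addr_spec(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one PIX address spec ('any', 'host A.B.C.D' or 'A.B.C.D MASK')
    starting at tokens[i]; return the network and the index after it."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # strict=False tolerates host bits set in the address part
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_crypto_acl(config: str, name: str) -> List[AclEntry]:
    """Collect the (source, destination) pairs of 'access-list NAME permit ip' lines."""
    entries: List[AclEntry] = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:4] != ["access-list", name, "permit", "ip"]:
            continue  # other ACLs, deny lines and non-ip protocols are not modelled
        src, i = _addr_spec(t, 4)
        dst, _ = _addr_spec(t, i)
        entries.append((src, dst))
    return entries


def selected_for_ipsec(acl: List[AclEntry], src: str, dst: str) -> bool:
    """Outbound check: is the flow src->dst covered by the crypto ACL?"""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in a and d in b for a, b in acl)


def expects_ipsec_inbound(acl: List[AclEntry], src: str, dst: str) -> bool:
    """Inbound check: the PIX tests an arriving packet against the crypto ACL
    with source and destination swapped.  If a cleartext packet matches, the
    PIX expected IPsec and logs %PIX-4-402106 instead of processing it."""
    return selected_for_ipsec(acl, dst, src)


def inside_hosts_entering_tunnel(acl: List[AclEntry], inside_hosts: List[str],
                                 remote_host: str,
                                 pat_address: Optional[str] = None) -> List[str]:
    """Which net1 hosts end up in the tunnel when talking to remote_host.
    With pat_address set, every host's source is rewritten to that address
    before the crypto ACL is consulted (assumed order; jackko's observation)."""
    result = []
    for host in inside_hosts:
        post_nat_src = pat_address if pat_address else host
        if selected_for_ipsec(acl, post_nat_src, remote_host):
            result.append(host)
    return result


if __name__ == "__main__":
    acl = parse_crypto_acl(PIX7_CRYPTO_ACL, "vpn-mgmt")
    # Cleartext telnet from a net2 PC to pix7's outside address matches the
    # reversed crypto ACL, so the PIX would log 402106 rather than answer.
    print(expects_ipsec_inbound(acl, "192.168.2.10", PIX7_OUTSIDE))
    # The same packet from an unrelated Internet host is not an IPsec flow.
    print(expects_ipsec_inbound(acl, "203.0.113.7", PIX7_OUTSIDE))
    # With PAT to the outside address, all of net1 is pulled into the tunnel.
    print(inside_hosts_entering_tunnel(acl, ["10.1.1.5", "10.1.1.6"],
                                       "192.168.2.10", PIX7_OUTSIDE))
    # Without PAT (e.g. a nat 0 exemption) the real 10.1.1.x sources do not match.
    print(inside_hosts_entering_tunnel(acl, ["10.1.1.5", "10.1.1.6"], "192.168.2.10"))
```

The last two calls are the point of jackko's warning: once the outside interface address is itself a crypto ACL endpoint, anything PAT'd to that address looks like VPN traffic, so the crypto ACL no longer restricts which inside hosts reach the remote site. Keeping the management tunnel terminated on the inside interface (management-access inside) avoids putting the outside address in the ACL at all.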
