SSH and Telnet not happening through PIX

Unanswered Question
Dec 26th, 2007

Hi friends,

Need some help. This is the scenario.

Local Machine -> Pix -> Cisco Routers farm

I'm not able to SSH or telnet to my routers from behind the PIX. The routers are placed in the PIX outside zone. SSH and telnet are permitted, and I have even enabled a "TCP any" rule for the routers. When I tried SSH using PuTTY I got the following error: "Network error: Software caused connection abort". I'm able to ping these routers and access other applications through the PIX. It was working until last week. I don't know what happened.

Also, my machine is NATed through the PIX.

Can anyone help me with this, please?

JORGE RODRIGUEZ Wed, 12/26/2007 - 09:16

From that same machine, can you test telnet from the command line, e.g.

telnet 22

If you get a black screen, it means you are hitting the router going through the PIX outside interface, so most likely it would be some setting in your PuTTY app or the machine itself. You may want to check your RSA public-key .ppk file in the PuTTY software, or try PuTTY from another machine.

Also check the logs on the routers and see if anything is being denied.

Regards

Jorge
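Jorge's command-line test, scripted so that the result is a verdict rather than a black screen you have to interpret. This is an added example and is not part of any post in the thread. Everything it talks to is a constructed stand-in: the loopback server, the banner string SSH-2.0-Cisco-1.25 and the telnet option bytes are assumptions, and a real IOS device sends its own strings. The probe separates the cases the thread is arguing about: a SYN that is never answered (filtered, mistranslated or misrouted), a handshake that completes and is then torn down before the router sends anything (the "black screen, then disconnect" sudeepvls describes), a handshake that completes but stays silent, and an SSH banner or telnet negotiation that arrives end to end.

```python
"""Probe a router's SSH/telnet port through a firewall and report where it failed.

Added example, not from the thread. Addresses, ports and the bytes sent by the
stand-in server below are constructed; a real IOS banner differs.
"""
import socket
import threading

# Constructed stand-in responses; real devices send their own strings.
FAKE_SSH_BANNER = b"SSH-2.0-Cisco-1.25\r\n"
FAKE_TELNET_HELLO = b"\xff\xfd\x18\xff\xfd\x20"   # IAC DO TERMINAL-TYPE, IAC DO NAWS


def probe_mgmt_port(host, port=22, timeout=3.0):
    """Return (verdict, detail) for one TCP connection to host:port.

    Verdicts, from "nothing got through" to "everything got through":
      no-syn-ack             connect() timed out: the SYN or the SYN-ACK was lost
      unreachable            no route / network unreachable reported locally
      refused                RST to the SYN: host reachable, port not listening
      connected-then-closed  handshake completed, peer closed or reset before any data
      connected-no-banner    handshake completed, peer stayed silent for `timeout`
      ssh-banner             an SSH identification line arrived end to end
      telnet-negotiation     telnet option negotiation (IAC bytes) arrived
      unexpected             something else answered
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("no-syn-ack", "")
    except ConnectionRefusedError:
        return ("refused", "")
    except OSError as exc:
        return ("unreachable", str(exc))

    data = b""
    with sock:
        sock.settimeout(timeout)
        try:
            while b"\n" not in data and len(data) < 256:
                chunk = sock.recv(256)
                if not chunk:                    # orderly FIN from the peer
                    break
                data += chunk
                if data[:1] == b"\xff":          # telnet negotiation carries no newline
                    break
        except socket.timeout:
            return ("connected-no-banner", "")
        except (ConnectionResetError, ConnectionAbortedError):
            return ("connected-then-closed", "")

    if not data:
        return ("connected-then-closed", "")
    if data[:1] == b"\xff":
        return ("telnet-negotiation", data.hex())
    first = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    if first.startswith("SSH-"):
        return ("ssh-banner", first)
    return ("unexpected", first)


def start_fake_router(behaviour):
    """Constructed stand-in for the far end so the probe can be exercised offline.

    behaviour: "ssh" sends FAKE_SSH_BANNER, "telnet" sends FAKE_TELNET_HELLO,
    "close" hangs up right after the handshake, "silent" accepts and says nothing.
    Returns the 127.0.0.1 port it listens on; serves exactly one connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            if behaviour == "ssh":
                conn.sendall(FAKE_SSH_BANNER)
            elif behaviour == "telnet":
                conn.sendall(FAKE_TELNET_HELLO)
            if behaviour != "close":
                conn.recv(256)                   # hold the session until the client leaves
        # "close": leaving the with-block closes the socket with no data sent

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for kind in ("ssh", "telnet", "close", "silent"):
        port = start_fake_router(kind)
        print(f"{kind:7s} -> {probe_mgmt_port('127.0.0.1', port, timeout=1.0)}")
    # Against a real device: probe_mgmt_port("192.168.1.1", 22) for SSH, port 23 for telnet.
```

Run it from the same workstation that is behind the PIX, once per router and once per port. A "connected-then-closed" verdict means the handshake passed the firewall and something (the router's vty access-class, or a device in the path resetting the flow) ended it afterwards, which is where the router logs and the PIX connection table are worth reading; "no-syn-ack" points back at translation, routing or the inbound ACL.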

sudeepvls Wed, 12/26/2007 - 09:24

Hi Jorge,

I have already tried that, and I'm getting the black screen also. But when we press Enter after that, it suddenly tears down the connection. For example, when I run

telnet 192.168.1.1 from the command line, I'm getting only a black screen, not the login prompt, and the session disconnects immediately.

This is what I found.

JORGE RODRIGUEZ Wed, 12/26/2007 - 09:34

Yes, the telnet test is just for troubleshooting; don't expect to get a login prompt. The telnet test on port 22 just proves the outbound connection went through and was accepted at the router end. I don't think this could be a firewall problem; you need to check on the router side, or at least try an SSH client from another machine to narrow down the problem.

sudeepvls Wed, 12/26/2007 - 09:55

Hi,

On the router I have enabled both telnet and SSH, and we are able to telnet and SSH within that farm from router to router, but not from behind the PIX. So the config on the router seems correct.

Leave SSH; now I'm trying to telnet to the router from behind the PIX, i.e. "telnet 192.168.1.1". Then I should be getting a login prompt, right?

But here also I'm getting a blank black screen. I believe you get the point now.

cisco24x7 Wed, 12/26/2007 - 10:13

Do this and it will work:

On the PIX:

nat (inside) 1 0 0
global (outside) 1 interface
access-list inside permit ip any any log
access-group inside in interface inside
access-list outside permit ip any any log
access-group outside in interface outside

On the router:

username cisco password cisco
enable secret cisco
access-list 1 permit any
line vty 0 4
 access-class 1 in
 login local

Now try. Make sure that your "Local Machine" has the default gateway pointing to the PIX firewall. I also assume that both the PIX outside interface and the router are on the same network as well.

CCIE Security
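The configuration above opens everything in both directions to get a result; the tighter version below, added here as an example and not taken from any post in the thread, keeps the same NAT arrangement but permits only the two management ports and logs what the router turns away. The addressing is assumed (inside LAN 192.168.10.0/24, PIX outside interface 192.168.1.254, router farm 192.168.1.0/24; the thread only shows a router at 192.168.1.1), and the username and secret are placeholders. The point worth checking in this setup is the interaction between PAT and the vty access-class: with "global (outside) 1 interface", every inside workstation reaches the routers as the PIX outside address, so an access-class built from the workstations' own subnet rejects them all, while one that permits the PIX outside address admits them. Return traffic for the inside-initiated sessions is allowed by the PIX's stateful connection handling, so no "permit ip any any" inbound on the outside interface is needed for this test.

```cisco
: PIX 6.x, constructed example. Lines beginning with ':' are PIX comments.
: Translate the inside LAN to the outside interface address (PAT).
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
: Only SSH and telnet from the inside LAN to the router farm are allowed out.
: Matches are logged so the attempt is visible on the PIX even if the router never answers.
access-list inside_in permit tcp 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ssh log
access-list inside_in permit tcp 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet log
access-list inside_in deny ip any any log
access-group inside_in in interface inside
: No inbound ACL on outside is needed for the return traffic of these sessions.
logging on
logging buffered informational

! Router (IOS), constructed example. Lines beginning with '!' are IOS comments.
! Generate the RSA key pair once from exec mode before enabling SSH:
!   crypto key generate rsa modulus 2048
ip domain-name example.net
ip ssh version 2
username admin secret ChangeMe123
! vty sources: the PIX outside (PAT) address, plus the farm itself for router-to-router access.
! The final deny logs any other source, which is the evidence Rick asked for on the router side.
access-list 10 remark management sources
access-list 10 permit 192.168.1.254
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input telnet ssh
 login local
 exec-timeout 10 0
```

To see which side is dropping the session, open one connection from the workstation and read both boxes: on the PIX, "show xlate" should list the workstation's translation and "show conn" the TCP connection to the router on port 22 or 23; on the router, "show tcp brief" shows the connection while it exists, and a logged deny from access-list 10 means the connection arrived but from an address the access-class does not permit.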

Richard Burts Wed, 12/26/2007 - 18:34

Sudeep,

I am interested in your statement in the original post that it was working until last week. Am I correct in understanding that until last week you were able to telnet and SSH through the PIX to these routers and successfully establish sessions?

There are several things that occur to me that could cause these symptoms. There could be a problem in translating addresses between your machine inside and the routers outside. Is there any possibility that your machine IP address has changed? If you can ping the routers that would seem to indicate that it is probably not an issue with translation.

It might also be an issue with allowing the telnet or SSH packets through the PIX, or with allowing the response packets from the routers back to your machine. Are there any logs on the PIX that show these packets, or that show translations being set up for them? Are there any log messages or debugs on the router that could show the attempt to connect to the router? That would establish that the packets are getting through the PIX.

It might also be that there is an access-class applied to the vty lines on the routers that is not permitting your connection attempts. Can you verify whether the routers are configured with an access-class under the vty lines? If so, can you post the config of the vty lines and of the access list?

HTH

Rick

sudeepvls Thu, 12/27/2007 - 02:44

Hi,

The translation is working fine.

Also, we are not getting any logs from the PIX showing the SSH access from the PIX inside. I have also tried telnet and SSH from different machines on our VLAN. It's not working.

I think the PIX is resetting or timing out the session between the router and my machine.

The config is correct on the router, as we can SSH and telnet within the router farm, i.e. from router to router.
