PIX stops accepting Telnet after software upgrade.

Unanswered Question
Jan 18th, 2008

Hi all,

After upgrading my PIX OS from 6.3.4 to 8.0.2, my telnet sessions from the central site to the remote site (the remote one was updated) do not work (I'm trying to telnet to the inside interface at the remote site). No config was changed. I searched the release notes but did not see anything related to this.

A trace follows:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (telnet-not-permitted) Telnet not permitted on least secure interface

acomiskey Fri, 01/18/2008 - 11:21

do you have...


management-access inside

a.azambuja Fri, 01/18/2008 - 14:07

Yes! And we made an attempt to change it to outside, but the PIX returns an error message saying that it is not permitted.

srue Fri, 01/18/2008 - 18:56

You can't telnet to the outside interface of a PIX/ASA unless it's over a VPN tunnel.


Are you telnetting to the inside interface over a VPN?

a.azambuja Mon, 01/21/2008 - 03:22

Yes, I'm using a site-to-site VPN and the VPN works fine. The only problem is that I can't manage my remote PIX from the central site. To do this I need to connect to a remote PC located at the remote site and after that connect to my PIX.

pengfang Wed, 01/23/2008 - 22:03

Can you do this?

#logging on

#logging buffer information

Then start the telnet session from your PC:

#show log | in "IP of your PC"


Post the result.

a.azambuja Thu, 01/24/2008 - 04:13

Tks,

Here I attach the output. Note that the first sequence was made in a real scenario and the next sequence was made in a lab environment. In the lab environment telnet works fine.


Tks,

pengfang Thu, 01/24/2008 - 22:14

Can you post more lines for the "Real Scenario"?


Real Scenario


BR013NF0001# show logging | inc 10.152.129.142

%PIX-6-302013: Built inbound TCP connection 516995 for outside:10.152.129.142/2775 (10.152.129.142/2775) to NP Identity Ifc:10.100.238.253/23 (10.100.238.253/23)

%PIX-6-302014: Teardown TCP connection 516995 for outside:10.152.129.142/2775 to NP Identity Ifc:10.100.238.253/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept

%PIX-6-302013: Built inbound TCP connection 516996 for outside:10.152.129.142/2775 (10.152.129.142/2775) to NP Identity Ifc:10.100.238.253/23 (10.100.238.253/23)


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Lab Scenario

pixfirewall# sh log | inc 10.1.1.1

%PIX-7-609001: Built local-host NP Identity Ifc:10.1.1.1

%PIX-6-302013: Built inbound TCP connection 51 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)

%PIX-6-302014: Teardown TCP connection 51 for outside:10.2.2.1/15755 to NP Identity Ifc:10.1.1.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept

%PIX-7-609002: Teardown local-host NP Identity Ifc:10.1.1.1 duration 0:00:00

%PIX-7-609001: Built local-host NP Identity Ifc:10.1.1.1

%PIX-6-302013: Built inbound TCP connection 53 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)

%PIX-6-605005: Login permitted from 10.2.2.1/15755 to inside:10.1.1.1/telnet for user ""


1. The first session (516995 and 51) is the same in both scenarios: the TCP session was terminated by TCP Intercept. This indicates that a connection was created when the packet came over the VPN tunnel. We need to figure out the difference between 516996 and 53.

2. Check that you allow telnet from the central site:

telnet 10.152.129.0 255.255.255.0 inside

or

telnet 0.0.0.0 0.0.0.0 inside

3. You can ping 10.100.238.253 from 10.152.129.142 (because you have "management-access inside").

4. On the remote PIX:

# clear asp drop

then restart the telnet session

# show asp drop

If you see any counter other than 0, that is probably the "drop-reason" why the packet is being dropped.

# capture DROPtest type asp-drop "drop-reason"

then restart the telnet session

# show capture DROPtest
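The two checks above (correlating the 302013/302014/605005 log lines per source, and diffing "show asp drop" counters before and after a retried session) can be scripted. The following is an added example and is not code from this thread or from Cisco; the log lines are constructed to mirror the extracts posted above, and the "show asp drop" line layout ("description (reason-name) count") is an assumption, not something the thread shows.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two "show logging" extracts in the thread.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 516995 for outside:10.152.129.142/2775 (10.152.129.142/2775) to NP Identity Ifc:10.100.238.253/23 (10.100.238.253/23)
%PIX-6-302014: Teardown TCP connection 516995 for outside:10.152.129.142/2775 to NP Identity Ifc:10.100.238.253/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
%PIX-6-302013: Built inbound TCP connection 516996 for outside:10.152.129.142/2775 (10.152.129.142/2775) to NP Identity Ifc:10.100.238.253/23 (10.100.238.253/23)
%PIX-6-302013: Built inbound TCP connection 51 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)
%PIX-6-302014: Teardown TCP connection 51 for outside:10.2.2.1/15755 to NP Identity Ifc:10.1.1.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
%PIX-6-302013: Built inbound TCP connection 53 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)
%PIX-6-605005: Login permitted from 10.2.2.1/15755 to inside:10.1.1.1/telnet for user ""
"""

# Constructed "show asp drop" snapshots; the line layout is an assumption.
ASP_BEFORE = """\
Frame drop:
  TCP failed 3 way handshake (tcp-3whs-failed)                  12
  Flow is denied by configured rule (acl-drop)                   4
"""
ASP_AFTER = """\
Frame drop:
  TCP failed 3 way handshake (tcp-3whs-failed)                  15
  Flow is denied by configured rule (acl-drop)                   4
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
BUILT = re.compile(
    r"%PIX-6-302013: Built inbound TCP connection (\d+) for (\S+?):" + IP
    + r"/(\d+) \(\S+\) to (.+?):" + IP + r"/(\d+) \("
)
TEARDOWN = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (\d+) for .* duration (\S+) bytes (\d+)(?: (.*))?$"
)
LOGIN = re.compile(
    r"%PIX-6-605005: Login permitted from " + IP + r"/(\d+) to (\S+):" + IP
    + r'/(\w+) for user "([^"]*)"'
)
ASP_DROP = re.compile(r"^\s*(.+?) \((\S+)\)\s+(\d+)\s*$")


def correlate_telnet(log_text, dst_port="23"):
    """Group flows to the firewall's telnet port by (src_ip, src_port) and
    record which connection ids were built, which TCP Intercept tore down
    (the embryonic first SYN), and whether a 605005 login ever followed."""
    flows = defaultdict(lambda: {"built": [], "intercepted": [], "login": False})
    conn_to_src = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            conn_id, _in_ifc, src_ip, src_port, _out_ifc, _dst_ip, dport = m.groups()
            if dport == dst_port:
                key = (src_ip, src_port)
                flows[key]["built"].append(conn_id)
                conn_to_src[conn_id] = key
            continue
        m = TEARDOWN.search(line)
        if m:
            conn_id, _dur, _bytes, reason = m.groups()
            key = conn_to_src.get(conn_id)
            if key and reason and "TCP Intercept" in reason:
                flows[key]["intercepted"].append(conn_id)
            continue
        m = LOGIN.search(line)
        if m:
            src_ip, src_port, _ifc, _dst_ip, service, _user = m.groups()
            if service == "telnet":
                flows[(src_ip, src_port)]["login"] = True
    return dict(flows)


def classify(flows):
    """One verdict per source IP: a full connection with no login line is
    the 'real scenario' symptom; intercept-only means the SYN never got past
    TCP Intercept; login-permitted is the healthy lab case."""
    verdicts = {}
    for (src_ip, _src_port), f in flows.items():
        if f["login"]:
            verdicts[src_ip] = "login-permitted"
        elif set(f["built"]) - set(f["intercepted"]):
            verdicts[src_ip] = "built-no-login"
        else:
            verdicts[src_ip] = "intercept-only"
    return verdicts


def asp_drop_delta(before, after):
    """Return only the asp-drop reasons whose counter grew between snapshots."""
    def parse(text):
        return {m.group(2): int(m.group(3))
                for m in map(ASP_DROP.match, text.splitlines()) if m}
    old, new = parse(before), parse(after)
    return {k: v - old.get(k, 0) for k, v in new.items() if v - old.get(k, 0) > 0}


if __name__ == "__main__":
    for src, verdict in classify(correlate_telnet(SAMPLE_LOG)).items():
        print(f"{src:16} {verdict}")
    print("counters that moved:", asp_drop_delta(ASP_BEFORE, ASP_AFTER))
```

Run against a real "show logging | inc <client ip>" extract, a source that ends up "built-no-login" is the one to chase with the asp-drop capture in step 4; the delta output names the reason string to feed into "capture ... type asp-drop".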

a.azambuja Fri, 01/25/2008 - 13:41

Thanks for your reply,

Yes, telnet is permitted from the central site.

With show asp drop I see:

TCP failed 3 way handshake

and when I refine the filter with:

#capture DROPTEST type asp-drop tcp-3whs-failed, I can't see anything related to my IP address.

Now I attach a show running from the remote site.



pengfang Sat, 01/26/2008 - 10:45

Hi, this is too much information. I checked your L2L VPN configuration; it seems fine. Please check this:

1. Can you ping from TESTE_BR to 10.100.238.253? If not, something is wrong with the VPN part.

2. Not sure why you have these two routes pointing to your outside interface; they should point to 200.251.149.129. The default route is good enough; you can remove these two.

route outside TESTE_BR 255.255.0.0 200.251.149.130 1

route outside 172.16.0.0 255.255.0.0 200.251.149.130 1

Because you upgraded the PIX without changing anything, this may not be related, but it is worth a try.
