PIX stop to accept Telnet after software upgrade.

a.azambuja
Level 1

Hi all,

After upgrading my PIX OS from 6.3.4 to 8.0.2, my telnet sessions from the central site to the remote site (the remote was updated) do not work (I'm trying to telnet to the inside interface from the remote site). No config was changed. I searched the release notes but did not see anything related to this.

A trace follows.

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (telnet-not-permitted) Telnet not permitted on least secure interface


acomiskey
Level 10

do you have...

management-access inside

Yes! And we made an attempt to change it to outside, but the PIX returns an error message saying that it is not permitted.

You can't telnet to the outside interface of a PIX/ASA unless it's over a VPN tunnel.

are you telnet'ing to the inside interface over a vpn?

Yes, I'm using a site-to-site VPN and the VPN works fine. The problem is only that I can't manage my remote PIX from the central site. To do this I need to connect to a remote PC located at the remote site and after that connect to my PIX.

can you do this?

#logging on

#logging buffer information

then start the telnet session from your PC

#show log | in "IP of your PC"

post the result

Tks,

Here I attach the output. Note that the first sequence was made in a real scenario and the next sequence was made in a lab environment. In the lab environment telnet works fine.

Tks,

Can you post more lines for the "Real Scenario"?

Real Scenario

BR013NF0001# show logging | inc 10.152.129.142

%PIX-6-302013: Built inbound TCP connection 516995 foroutside:10.152.129.142/2775 (10.152.129.142/2775) to NP Identity Ifc:10.100.238.253/23 (10.100.238.253/23)

%PIX-6-302014: Teardown TCP connection 516995 for outside:10.152.129.142/2775 to NP Identity Ifc:10.100.238.253/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept

%PIX-6-302013: Built inbound TCP connection 516996 for outside:10.152.129.142/2775 (10.152.129.142/2775) to NP Identity Ifc:10.100.238.253/23 (10.100.238.253/23)

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Lab Scenario

pixfirewall# sh log | inc 10.1.1.1

%PIX-7-609001: Built local-host NP Identity Ifc:10.1.1.1

%PIX-6-302013: Built inbound TCP connection 51 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)

%PIX-6-302014: Teardown TCP connection 51 for outside:10.2.2.1/15755 to NP Identity Ifc:10.1.1.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept

%PIX-7-609002: Teardown local-host NP Identity Ifc:10.1.1.1 duration 0:00:00

%PIX-7-609001: Built local-host NP Identity Ifc:10.1.1.1

%PIX-6-302013: Built inbound TCP connection 53 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)

%PIX-6-605005: Login permitted from 10.2.2.1/15755 to inside:10.1.1.1/telnet for user ""

1. The first session (516995 and 51 in the two scenarios) is the same: the TCP session was terminated by TCP Intercept, which indicates that a connection was created when the packet came over a VPN tunnel. We need to figure out the difference between 516996 and 53.

2. Check that you allow telnet from the central site:

telnet 10.152.129.0 255.255.255.0 inside

or

telnet 0.0.0.0 0.0.0.0 inside

3. You can ping 10.100.238.253 from 10.152.129.142 (because you have "management-access inside").

4. On the remote PIX:

# clear asp drop

then restart telnet session

# show asp drop

If you see any counter other than 0, that is probably the "drop-reason" why the packet has been dropped.

# capture DROPtest type asp-drop "drop-reason"

then restart telnet session

# show capture DROPtest
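Added example, not from the thread or from Cisco: a small Python script that correlates the %PIX-6-302013 / 302014 / 605005 messages quoted above by connection id for one client IP, so the Real and Lab scenarios can be compared the way step 1 suggests. The sample log is constructed from the Lab Scenario lines; the function and regex names are my own.

```python
import re

# Constructed sample input, modelled on the Lab Scenario lines quoted in the thread.
SAMPLE_LOG = """\
%PIX-7-609001: Built local-host NP Identity Ifc:10.1.1.1
%PIX-6-302013: Built inbound TCP connection 51 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)
%PIX-6-302014: Teardown TCP connection 51 for outside:10.2.2.1/15755 to NP Identity Ifc:10.1.1.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
%PIX-6-302013: Built inbound TCP connection 53 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)
%PIX-6-605005: Login permitted from 10.2.2.1/15755 to inside:10.1.1.1/telnet for user ""
"""

# "for ?" tolerates the run-together "foroutside:" seen in the Real Scenario paste.
BUILT = re.compile(r"%PIX-6-302013: Built inbound TCP connection (\d+) for ?(\w+):([\d.]+)/(\d+) .*? to ([\w ]+):([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"%PIX-6-302014: Teardown TCP connection (\d+) .* bytes (\d+)(.*)$")
LOGIN = re.compile(r"%PIX-6-605005: Login permitted from ([\d.]+)/(\d+) to (\w+):([\d.]+)/(\w+)")


def track_telnet(log, src_ip):
    """Correlate build/teardown/login messages by connection id for one client IP.
    Each entry's 'state' ends as 'open', 'intercept' (torn down by TCP Intercept),
    'closed' (any other teardown) or 'login' (a 605005 matched its source port)."""
    conns = {}
    for line in log.splitlines():
        m = BUILT.search(line)
        if m and m.group(3) == src_ip:
            conns[m.group(1)] = {"src_ifc": m.group(2), "sport": int(m.group(4)),
                                 "dst_ifc": m.group(5), "dport": int(m.group(7)), "state": "open"}
            continue
        m = TEARDOWN.search(line)
        if m and m.group(1) in conns:
            c = conns[m.group(1)]
            c["bytes"] = int(m.group(2))
            c["state"] = "intercept" if "TCP Intercept" in m.group(3) else "closed"
            continue
        m = LOGIN.search(line)
        if m and m.group(1) == src_ip:
            # 605005 carries no connection id; attribute it to the open connection
            # from the same client source port.
            for c in conns.values():
                if c["state"] == "open" and c["sport"] == int(m.group(2)):
                    c["state"] = "login"
    return conns


def verdict(conns):
    """One-line reading of the correlated connections for the client."""
    states = {c["state"] for c in conns.values()}
    if "login" in states:
        return "telnet login reached the box"
    if states == {"intercept"}:
        return "only flows torn down by TCP Intercept with 0 bytes; no login logged"
    return "mixed/unknown: compare the connection ids by hand"
```

Run `track_telnet(SAMPLE_LOG, "10.2.2.1")` against the Real Scenario paste with the central-site PC address instead to see which state connection 516996 ends in.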

Thanks for your reply,

Yes, telnet is permitted from the central site.

With show asp drop I see:

TCP failed 3 way handshake

and when I refine the filter with:

#capture DROPTEST type asp-drop tcp-3whs-failed

I can't see anything related to my IP address.

Now I attach a show running from the remote site.

Hi, this is too much information. I checked your L2L VPN configuration; it seems fine. Please check this:

1. Can you ping from TESTE_BR to 10.100.238.253? If not, something is wrong with the VPN part.

2. Not sure why you have these two routes pointing to your outside interface; they should point to 200.251.149.129. The default route is good enough; you can remove these two.

route outside TESTE_BR 255.255.0.0 200.251.149.130 1

route outside 172.16.0.0 255.255.0.0 200.251.149.130 1

Because you upgraded the PIX without changing anything, this may not be related, but it is worth a try.
