01-18-2008 11:14 AM - edited 03-11-2019 04:50 AM
Hi all,
After upgrading my PIX OS from 6.3.4 to 8.0.2, my telnet sessions from the central site to the remote site (the remote was updated) do not work (I'm trying to telnet to the inside interface from the remote site). No config was changed. I searched the release notes but did not see anything related to this.
Here is a trace:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (telnet-not-permitted) Telnet not permitted on least secure interface
01-18-2008 11:21 AM
do you have...
management-access inside
01-18-2008 02:07 PM
Yes! And we made an attempt to change it to outside, but the PIX returns an error message saying that it is not permitted.
01-18-2008 06:56 PM
You can't telnet to the outside interface of a PIX/ASA unless it's over a VPN tunnel.
Are you telnetting to the inside interface over a VPN?
01-21-2008 03:22 AM
Yes, I'm using a site-to-site VPN and the VPN works fine. The problem is only that I can't manage my remote PIX from the central site. To do this I need to connect to a remote PC located at the remote site and after that connect to my PIX.
01-23-2008 10:03 PM
Can you do this?
#logging on
#logging buffer information
then start the telnet session from your PC
#show log | in "IP of your PC"
and post the result.
01-24-2008 04:13 AM
01-24-2008 10:14 PM
Can you post more lines for the "Real Scenario"?
Real Scenario
BR013NF0001# show logging | inc 10.152.129.142
%PIX-6-302013: Built inbound TCP connection 516995 for outside:10.152.129.142/2775 (10.152.129.142/2775) to NP Identity Ifc:10.100.238.253/23 (10.100.238.253/23)
%PIX-6-302014: Teardown TCP connection 516995 for outside:10.152.129.142/2775 to NP Identity Ifc:10.100.238.253/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
%PIX-6-302013: Built inbound TCP connection 516996 for outside:10.152.129.142/2775 (10.152.129.142/2775) to NP Identity Ifc:10.100.238.253/23 (10.100.238.253/23)
Lab Scenario
pixfirewall# sh log | inc 10.1.1.1
%PIX-7-609001: Built local-host NP Identity Ifc:10.1.1.1
%PIX-6-302013: Built inbound TCP connection 51 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)
%PIX-6-302014: Teardown TCP connection 51 for outside:10.2.2.1/15755 to NP Identity Ifc:10.1.1.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
%PIX-7-609002: Teardown local-host NP Identity Ifc:10.1.1.1 duration 0:00:00
%PIX-7-609001: Built local-host NP Identity Ifc:10.1.1.1
%PIX-6-302013: Built inbound TCP connection 53 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)
%PIX-6-605005: Login permitted from 10.2.2.1/15755 to inside:10.1.1.1/telnet for user ""
1. The first sessions, 516995 and 51, are the same in both scenarios: the TCP session is terminated by TCP Intercept. This indicates that a connection was created when the packet came over the VPN tunnel. We need to figure out the difference between 516996 and 53.
2. Check that you allow telnet from the central site:
telnet 10.152.129.0 255.255.255.0 inside
or
telnet 0.0.0.0 0.0.0.0 inside
3. You can ping 10.100.238.253 from 10.152.129.142 (because you have "management-access inside").
4. On the remote PIX:
# clear asp drop
then restart telnet session
# show asp drop
If you see any counter other than 0, that is probably the "drop-reason" why the packet was dropped.
# capture DROPtest type asp-drop "drop-reason"
then restart telnet session
# show capture DROPtest
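The comparison step 1 describes (pair the 302013/302014/605005 lines per connection id, treat the 0-byte TCP Intercept teardown as expected, and look at what happens to the next connection) can be automated for a larger `show logging` buffer. The script below is an added example written for this thread, not code from the original posts or from Cisco; the sample lines are constructed after the lab output above, and `track_telnet`/`verdict` are names chosen here.

```python
import re

# Constructed sample log modelled on the PIX 8.0 syslog lines quoted in this thread
# (connection ids, addresses and ports are illustrative, not from a live device).
WORKING_LOG = """\
%PIX-6-302013: Built inbound TCP connection 51 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)
%PIX-6-302014: Teardown TCP connection 51 for outside:10.2.2.1/15755 to NP Identity Ifc:10.1.1.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
%PIX-6-302013: Built inbound TCP connection 53 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)
%PIX-6-605005: Login permitted from 10.2.2.1/15755 to inside:10.1.1.1/telnet for user ""
""".splitlines()
STALLED_LOG = WORKING_LOG[:3]  # the failing case: the second build is never followed by a login

BUILT = re.compile(r"%PIX-6-302013: Built \w+ TCP connection (?P<id>\d+) for\s*"
                   r"[^:]+:(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) to "
                   r"(?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)")
TEARDOWN = re.compile(r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) for .*?"
                      r"bytes (?P<bytes>\d+) ?(?P<reason>.*)$")
LOGIN = re.compile(r"%PIX-6-605005: Login permitted from (?P<src>[\d.]+)/(?P<sport>\d+) to ")

OK, STALLED, NOTHING = "login-ok", "built-but-no-login", "no-session-past-intercept"

def track_telnet(lines, peer):
    """Follow each telnet (dst port 23) connection from `peer` through build, teardown and login."""
    conns = {}
    for line in lines:
        if m := BUILT.search(line):
            if m["src"] == peer and m["dport"] == "23":
                conns[m["id"]] = {"sport": m["sport"], "to": m["dif"], "state": "open"}
        elif m := TEARDOWN.search(line):
            if c := conns.get(m["id"]):
                # A 0-byte teardown by TCP Intercept appears in both the working and the failing
                # output in the thread, so it is expected noise; the next build for the same
                # source port is the session that matters.
                intercepted = "TCP Intercept" in m["reason"] and m["bytes"] == "0"
                c["state"] = "intercepted" if intercepted else "closed"
        elif (m := LOGIN.search(line)) and m["src"] == peer:
            for c in conns.values():
                if c["sport"] == m["sport"] and c["state"] == "open":
                    c["state"] = OK
    return conns

def verdict(conns):
    """Reduce the per-connection states to the question the thread is asking."""
    states = {c["state"] for c in conns.values()}
    if OK in states:
        return OK
    if "open" in states:
        return STALLED  # reached NP Identity Ifc but no 605005: look at show asp drop next
    return NOTHING
```

Feed it the lines of `show logging | inc <peer IP>` and the peer address; `STALLED` is the pattern the real scenario shows, which is the cue to move on to the `show asp drop` step.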
01-25-2008 01:41 PM
Thanks for your reply.
Yes, telnet is permitted from the central site.
With show asp drop I see:
TCP failed 3 way handshake
and when I refine the filter with:
#capture DROPTEST type asp-drop tcp-3whs-failed
I can't see anything related to my IP address.
Now I attach a show running from the remote site.
01-26-2008 10:45 AM
Hi, this is too much information. I checked your L2L VPN configuration; it seems fine. Please check this:
1. Can you ping from TESTE_BR to 10.100.238.253? If not, something is wrong with the VPN part.
2. Not sure why you have these two routes pointing to your outside interface; they should point to 200.251.149.129. The default route is good enough; you can remove these two:
route outside TESTE_BR 255.255.0.0 200.251.149.130 1
route outside 172.16.0.0 255.255.0.0 200.251.149.130 1
Because you upgraded the PIX without changing anything, this may not be related, but it is worth a try.