IPsec client connection

mark.j.hodge · ‎01-30-2008

I have setup a IPsec VPN Client connection to a PIX515 Firewall pair. It works as expected in most respects, I can gain access to all devices on the internel network, except the active firewall. I can ping the inside address, but not telnet,ssh or asdm.

The PIX is running 8.0(3) software, I have checked the nat0 access list and it looks fine. I have confirmed that "management-access inside" has been configured.

When I try and connect (ssh) I get the following error messages (sanitised), but cannot find any information on NP Identity.

Jan 30 2008 16:46:16: %PIX-6-302013: Built inbound TCP connection 760 for outside:10.20.1.226/2800 (10.20.1.226/2800) to NP Identity Ifc:10.20.1.253/22 (10.20.1.253/22) (userid)

Jan 30 2008 16:46:16: %PIX-6-302014: Teardown TCP connection 760 for outside:10.20.1.226/2800 to NP Identity Ifc:10.20.1.253/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept (userid)

Jan 30 2008 16:46:16: %PIX-6-302013: Built inbound TCP connection 761 for outside:10.20.1.226/2800 (10.20.1.226/2800) to NP Identity Ifc:10.20.1.253/22 (10.20.1.253/22) (userid)

10.20.1.226 is the pool allocated VPN address.

10.20.1.253 is the inside address of the firewall.

I have recently setup a very similar configuration, on an ASA device, running the same software versions and it works fine.

Suggestions appreciated.

JORGE RODRIGUEZ · ‎01-30-2008

Hi Mark, Â¨

try adding statement

management-access inside

it should provide for firewall management over IPsec tunnel, see if that helps.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1863771

Rgds

Jorge

Jorge Rodriguez

mark.j.hodge · ‎01-30-2008

Jorge,

statement is already there..

Mark

mark.j.hodge · ‎01-30-2008

I tried removing it, and the behaviour changes slightly, without the management-access statement the ssh session closes immediately, with it the session hangs.