465 Views, 0 Helpful, 6 Replies

Cannot ping or telnet internal PIX 501 Interface

shaw.chris
Level 1

Hi,

I have a VPN link from a PIX501 at our remote office to a ASA5510 at our main office.

Remote Office 192.168.3.0/24, Main Office 10.0.0.0/24.

A client on the 10.0.0.0/24 network cannot ping, HTTP or telnet to the PIX501 internal interface 192.168.3.1, although it can connect to clients OK, e.g. 192.168.3.2.

The PIX config is below; can anyone spot what is causing this? Thanks in advance.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd Xxxxxxx encrypted
hostname xxxxxxxx
domain-name xxxxxx.com
clock timezone LINT 14
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.0.0.0 OfficeHQ
access-list inside_nat0_outbound permit ip 192.168.3.0 255.255.255.0 OfficeHQ 255.255.255.0
access-list outside_cryptomap_60 permit ip 192.168.3.0 255.255.255.0 OfficeHQ 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location OfficeHQ 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer x.x.x.x
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.3.2-192.168.3.10 inside
dhcpd dns 10.0.0.243 4.2.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxxxxxxxxx
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxx


6 Replies

srue
Level 7

That's an older OS than what I'm used to. Is the command "management-access inside" supported?

No, I cannot enter that command I'm afraid

6.2(2) is fairly old. I would recommend either upgrading the code or the appliance (with an ASA5505).

As far as your problem goes, try configuring SSH on the external interface if they need to access it remotely.

http://www.cisco.com/en/US/docs/security/pix/pix62/configuration/guide/sysmgmt.html

Thanks for your help, the SSH access worked.

I have updated the PIX to 6.3(5) and issued the management-access inside command but still cannot get in for some reason.

Since you just did a major OS upgrade on it, can you repost the config?

The "management-access inside" command did actually do the trick. Thanks for your help.
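The thread never shows the final config, so here is an added example (my own script, not anything posted by shaw.chris or srue, and not Cisco's code) that models the behaviour the thread turns on: PIX/ASA `telnet`/`ssh`/`http` lines are evaluated per interface, and a session that enters on one interface (here, VPN traffic decrypted on `outside`) can only terminate on another interface's address when `management-access` is configured for that interface; ping to an interface address follows the same rule. The script parses a trimmed excerpt of the posted config, reports why a main-office host cannot manage 192.168.3.1, and then checks the "after" config. Assumptions are labelled: the outside address 203.0.113.2 stands in for the masked `x.x.x.x`, the host 10.0.0.5 is constructed, and the `telnet 10.0.0.0 ... inside`, `http 10.0.0.0 ... inside` and `ssh ... outside` lines in the "after" config are my reading of what the poster would also need (the thread only states that `management-access inside` and SSH on the outside interface worked). The audit also flags the `snmp-server community public` line visible in the original post, since `public` is the well-known default community string.

```python
import ipaddress
import re

# Constructed excerpt of the posted PIX 6.2(2) config, trimmed to the lines
# that decide who may manage the box. 203.0.113.2 is a documentation address
# standing in for the x.x.x.x the poster masked out.
PIX_BEFORE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.3.1 255.255.255.0
http server enable
http 192.168.3.0 255.255.255.0 inside
snmp-server community public
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
"""

# Same excerpt after the fix (PIX 6.3 syntax). ASSUMPTION: besides the
# management-access line the thread confirms, the main-office subnet is also
# permitted by the telnet/http lines for the inside interface, and SSH is
# permitted on outside as srue suggested.
PIX_AFTER = PIX_BEFORE + """\
telnet 10.0.0.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 outside
management-access inside
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MGMT_RE = re.compile(rf"^(telnet|ssh|http)\s+{IPV4}\s+{IPV4}\s+(\S+)$")
IFADDR_RE = re.compile(rf"^ip address (\S+)\s+{IPV4}\s+{IPV4}$")


def parse(config):
    """Extract the pieces a management-reachability check needs."""
    parsed = {"rules": [], "if_addrs": {}, "mgmt_access": set(), "snmp": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := MGMT_RE.match(line):
            svc, addr, mask, ifname = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            parsed["rules"].append((svc, net, ifname))
        elif m := IFADDR_RE.match(line):
            ifname, addr, _mask = m.groups()
            parsed["if_addrs"][ifname] = ipaddress.ip_address(addr)
        elif line.startswith("management-access "):
            parsed["mgmt_access"].add(line.split()[1])
        elif line.startswith("snmp-server community "):
            parsed["snmp"].append(line.split(maxsplit=2)[2])
    return parsed


def can_manage(parsed, service, src_ip, arrives_on, target_if="inside"):
    """Would a `service` session from src_ip, entering on `arrives_on`,
    be accepted at the address of `target_if`?"""
    src = ipaddress.ip_address(src_ip)
    # A session may terminate on a different interface's address only when
    # management-access is set for that interface (this is the thread's fix).
    reachable = arrives_on == target_if or target_if in parsed["mgmt_access"]
    if service == "ping":
        return reachable
    # telnet/ssh/http additionally need a permit line for that interface.
    permitted = any(svc == service and ifn == target_if and src in net
                    for svc, net, ifn in parsed["rules"])
    return reachable and permitted


def audit(parsed, hq_host="10.0.0.5"):
    """Defender-side findings for the scenario in the thread.
    hq_host is a constructed client on the main-office LAN 10.0.0.0/24."""
    findings = []
    inside_addr = parsed["if_addrs"]["inside"]
    for svc in ("ping", "telnet", "http"):
        if not can_manage(parsed, svc, hq_host, arrives_on="outside"):
            findings.append(f"{svc} from {hq_host} over the VPN to {inside_addr} "
                            "is not accepted")
    for community in parsed["snmp"]:
        if community.split()[0] in ("public", "private"):
            findings.append(f"snmp-server community '{community}' is a "
                            "well-known default string")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", PIX_BEFORE), ("after", PIX_AFTER)):
        print(f"--- {label} ---")
        for f in audit(parse(cfg)) or ["no findings"]:
            print(" ", f)
```

Running it prints four findings for the original config (ping, telnet and HTTP from the HQ host are all refused at 192.168.3.1, plus the default SNMP community) and only the SNMP finding for the "after" config, which matches the thread: the remote-office LAN itself (192.168.3.2 arriving on `inside`) was never affected, and the fix was about where sessions are allowed to terminate, not about the VPN tunnel.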
