PIX Management via VPN not working anymore

Unanswered Question
Sep 1st, 2008

Hi!


I have a weird problem that began after I upgraded a PIX 515 failover pair from 7.2(2) to 8.0(3). Everything seems to work OK, except remote management via VPN-client.

I've tried telnet and https but once the management connection is established there is no data received from the firewall, hence login is not possible… I used Wireshark to verify that a connection is established but after the 3-way handshake, there is nothing except a TCP packet that seems to be out of sequence.


I can manage the firewall using a PC on the inside network but that is a somewhat troublesome workaround.


VPN-client IP: 192.168.150.0/26

Firewall inside IP: 172.31.2.254


Some lines from the configuration:


access-list nonat extended permit ip 172.31.2.0 255.255.255.0 192.168.150.0 255.255.255.0

nat (inside) 0 access-list nonat

sysopt connection permit-vpn

management-access inside

telnet 192.168.150.0 255.255.255.192 inside

route outside 192.168.150.0 255.255.255.192 x.x.x.x


Any ideas?


Regards,

Anders Fredriksson


JORGE RODRIGUEZ Mon, 09/01/2008 - 14:19

For a /26 vpn pool net shouldn't nonat acl be more of:


access-list nonat extended permit ip 172.31.2.0 255.255.255.0 192.168.150.0 255.255.255.192


or perhaps /24 mask is a typo in your post?


Other than this I do not see a reason why you would not be able to access the firewall via VPN.. can you add the above ACL line and try, otherwise we'll think of something else..



Rgds

Jorge



afredriksson Mon, 09/01/2008 - 22:41

Actually, there are some 5505 firewalls placed at network/system administrators homes. They use subnets within the same network as VPN clients, hence the difference in masks.


The thing is that packets are allowed in both directions but “sessions” aren't, e.g. ping works from a VPN client to the inside address. Also, when I connect using telnet there is a three-way handshake. The telnet window stays empty due to a session that never disconnects nor receives any data.


singhsaju Thu, 09/04/2008 - 06:04

Hello,


If ping works then it could be a fragmentation issue. Try to adjust the TCP MSS value on the PIX.


sysopt connection tcp-mss MSS_size_in_bytes

example : sysopt connection tcp-mss 1360


You can also find the exact size for your connection using the extended ping utility from your workstation, as explained in the following link.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml#Issues


HTH

Saju


Pls rate it if it helps
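Two of the replies above come down to checks a reader can make against the quoted config: Jorge's question of whether the nonat ACL's destination mask actually covers the /26 VPN pool, and Saju's suggestion to set an explicit TCP MSS. The following Python script is an added example, not code from the thread or from Cisco; it parses the config lines quoted in the original post (with the route next hop replaced by a documentation address and Saju's example MSS line added, both constructed) and reports whether the nat-exempt ACL covers the pool for the inside address, whether a given client address is admitted by the `telnet` line on `inside`, and which MSS, if any, is configured.

```python
import ipaddress
import re

# Constructed sample config: the lines quoted in the thread, the route next hop
# replaced by a documentation address, and Saju's MSS example line added.
CONFIG = """
access-list nonat extended permit ip 172.31.2.0 255.255.255.0 192.168.150.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-vpn
sysopt connection tcp-mss 1360
management-access inside
telnet 192.168.150.0 255.255.255.192 inside
route outside 192.168.150.0 255.255.255.192 203.0.113.1
"""

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)
TELNET_RE = re.compile(r"^telnet\s+(\S+)\s+(\S+)\s+(\S+)$")
MSS_RE = re.compile(r"^sysopt\s+connection\s+tcp-mss\s+(\d+)$")


def _net(addr, mask):
    # PIX writes "network netmask"; ipaddress accepts "network/netmask".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def nonat_entries(config, acl_name):
    """Return (source, destination) network pairs of the named nat-exempt ACL."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            entries.append((_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
    return entries


def nonat_covers(config, acl_name, inside_host, vpn_pool):
    """True if some ACL entry exempts inside_host -> all of vpn_pool from NAT.

    A wider destination mask (e.g. /24) still covers a /26 pool inside it.
    """
    host = ipaddress.ip_address(inside_host)
    pool = ipaddress.ip_network(vpn_pool)
    return any(
        host in src and pool.subnet_of(dst)
        for src, dst in nonat_entries(config, acl_name)
    )


def telnet_permitted(config, client_ip, interface):
    """True if a 'telnet <net> <mask> <iface>' line admits client_ip on that interface."""
    client = ipaddress.ip_address(client_ip)
    for line in config.splitlines():
        m = TELNET_RE.match(line.strip())
        if m and m.group(3) == interface and client in _net(m.group(1), m.group(2)):
            return True
    return False


def configured_mss(config):
    """Return the explicit 'sysopt connection tcp-mss' value, or None if not set."""
    for line in config.splitlines():
        m = MSS_RE.match(line.strip())
        if m:
            return int(m.group(1))
    return None


if __name__ == "__main__":
    print("nonat covers /26 pool:",
          nonat_covers(CONFIG, "nonat", "172.31.2.254", "192.168.150.0/26"))
    print("telnet allowed for 192.168.150.10:",
          telnet_permitted(CONFIG, "192.168.150.10", "inside"))
    print("telnet allowed for 192.168.150.100:",
          telnet_permitted(CONFIG, "192.168.150.100", "inside"))
    print("configured MSS:", configured_mss(CONFIG))
```

Running it against the quoted lines shows the /24 destination in the nonat ACL already contains the /26 pool, so narrowing it to /26 as Jorge suggests leaves coverage unchanged; a client outside the /26 (for example 192.168.150.100) is refused by the `telnet` line even though the nonat ACL would exempt it from NAT, which is the kind of mismatch worth ruling out before moving on to MSS or fragmentation.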
