09-01-2008 12:54 AM - edited 03-11-2019 06:38 AM
Hi!
I have a weird problem that began after I upgraded a PIX 515 failover pair from 7.2(2) to 8.0(3). Everything seems to work OK, except remote management via VPN-client.
I've tried telnet and https but once the management connection is established there is no data received from the firewall, hence login is not possible... I used Wireshark to verify that a connection is established but after the 3-way handshake, there is nothing except a TCP packet that seems to be out of sequence.
I can manage the firewall using a PC on the inside network but that is a somewhat troublesome workaround.
VPN-client IP: 192.168.150.0/26
Firewall inside IP: 172.31.2.254
Some lines from the configuration:
access-list nonat extended permit ip 172.31.2.0 255.255.255.0 192.168.150.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-vpn
management-access inside
telnet 192.168.150.0 255.255.255.192 inside
route outside 192.168.150.0 255.255.255.192 x.x.x.x
Any ideas?
Regards,
Anders Fredriksson
09-01-2008 02:19 PM
For a /26 VPN pool net, shouldn't the nonat ACL be more like:
access-list nonat extended permit ip 172.31.2.0 255.255.255.0 192.168.150.0 255.255.255.192
or perhaps the /24 mask is a typo in your post?
Other than this I do not see a reason why you would not be able to access the firewall via VPN. Can you add the above ACL line and try? Otherwise we'll think of something else.
Rgds
Jorge
09-01-2008 10:41 PM
Actually, there are some 5505 firewalls placed at network/system administrators' homes. They use subnets within the same network as the VPN clients, hence the difference in masks.
The thing is that packets are allowed in both directions but "sessions" aren't, e.g. ping works from a VPN client to the inside address. Also, when I connect using telnet there is a three-way handshake. The telnet window stays empty due to a session that never disconnects nor receives any data.
09-04-2008 06:04 AM
Hello,
If ping works then it could be a fragmentation issue. Try to adjust the TCP MSS value on the PIX.
sysopt connection tcp-mss MSS_size_in_bytes
example : sysopt connection tcp-mss 1360
You can also find the exact size for your connection using the extended ping utility from your workstation, as explained in the following link.
HTH
Saju
Pls rate it if it helps
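An added example, not part of this thread, that works through the fragmentation arithmetic behind the tcp-mss suggestion above: it computes how large an ESP-encapsulated TCP segment becomes for a given MSS and finds the largest MSS that still fits an outer MTU. The overhead figures (RFC 4303 ESP layout with a 16-byte AES IV and 12-byte ICV, NAT-T UDP encapsulation, 1500-byte outer MTU) are assumptions, not values from the posts.

```python
# Added example, not from the thread: fragmentation arithmetic behind
# "sysopt connection tcp-mss". Overhead figures are assumptions based on
# the RFC 4303 ESP layout (8-byte SPI/sequence header, cipher IV,
# 2-byte pad-length/next-header trailer, 12-byte ICV) plus outer IPv4 and,
# for NAT-T, an 8-byte UDP header. Inner IPv4 + TCP headers = 40 bytes.
INNER_HEADERS = 40
OUTER_IPV4 = 20
NAT_T_UDP = 8
ESP_HEADER = 8
ESP_TRAILER = 2


def esp_encapsulated_size(inner_len, cipher_block=16, iv_len=16, icv_len=12, nat_t=True):
    """Outer packet size for an inner packet of inner_len bytes in ESP tunnel mode."""
    # CBC padding makes (inner + pad + trailer) a multiple of the cipher block size
    pad = (-(inner_len + ESP_TRAILER)) % cipher_block
    esp = ESP_HEADER + iv_len + inner_len + pad + ESP_TRAILER + icv_len
    return OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + esp


def fits(mss, outer_mtu=1500, **esp_params):
    """True if a full-size TCP segment with this MSS survives encapsulation unfragmented."""
    return esp_encapsulated_size(INNER_HEADERS + mss, **esp_params) <= outer_mtu


def max_mss(outer_mtu=1500, **esp_params):
    """Largest MSS that fits; stepping down one byte at a time also handles padding jumps."""
    mss = outer_mtu - INNER_HEADERS
    while mss > 0 and not fits(mss, outer_mtu, **esp_params):
        mss -= 1
    return mss


if __name__ == "__main__":
    # AES-CBC/HMAC-SHA1 with NAT-T on a 1500-byte outer MTU
    print("largest unfragmented MSS:", max_mss())
    print("thread's 1360 fits:", fits(1360))
    print("plain Ethernet MSS 1460 fits:", fits(1460))
```

The 1360 value from the post leaves some headroom below the computed limit, while the 1460 a LAN host advertises by default does not fit at all, which is the fragmentation the reply points at.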