10-19-2008 09:13 PM - edited 03-11-2019 06:59 AM
I have PIX 501 separating my two internal networks.
I am located on network A (10.80.48.0) on the outside PIX interface. The server which I need to access is on network B (172.31.1.0) on the inside PIX interface.
Here is part of PIX config:
ip address outside 10.80.48.50 255.255.252.0
ip address inside 172.31.1.1 255.255.255.0
name 172.31.1.2 SERVER
static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255
access-list FromOutside permit ip any any
This allows me to ftp from network A to SERVER on network B.
How can I allow telnet (23) to SERVER from network A?
When I replace the static with:
static (inside,outside) tcp interface telnet SERVER telnet netmask 255.255.255.255
then telnet is working but ftp is not.
How can I make both ftp and telnet work?
Here are the log entries from while I am trying to telnet from network A to SERVER (10.80.48.50) on network B:
Rec'd packet not an IPSEC packet. (ip) dest_addr= 10.80.48.50, src_addr= 10.80.48.47, prot= tcp
I would appreciate help
10-19-2008 10:10 PM
Hi,
The reason is that either you have mapped only FTP access or telnet access in the static entry.
Delete the static NAT and use the following commands:
static (inside,outside) interface SERVER netmask 255.255.255.255
Hope it helps.
10-20-2008 04:15 AM
Yes, it helped when I entered
static (inside,outside) interface SERVER netmask 255.255.255.255
but right now I cannot ssh to the outside interface of the PIX. The outside interface is 10.80.48.50.
before:
ssh to 10.80.48.50 - OK
ftp to 10.80.48.50 - OK
telnet to 10.80.48.50 - NOT OK
now:
ftp to 10.80.48.50 - OK
telnet to 10.80.48.50 - OK
ssh to 10.80.48.50 - NOT OK
I will have to remove the command I entered because from time to time I need to make changes on this PIX and I cannot access it anymore. Since it is in a remote location, I need to have ssh access to it. I will ask someone at this location to reload the PIX so that I will have access to it again, but then telnet will not work anymore.
Any suggestion?
10-19-2008 11:07 PM
Why are you 'replacing' the static?
Just enter both at once:
static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255
static (inside,outside) tcp interface telnet SERVER telnet netmask 255.255.255.255
Regards
Farrukh
10-20-2008 03:56 AM
I tried, and the PIX doesn't accept two statics to the same interface, one for ftp and one for telnet.
You can have only one or the other.
10-20-2008 04:06 AM
Try entering only the one command that I posted earlier, then check whether it is responding or not.
10-20-2008 04:23 AM
I did the following:
no static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255
static (inside,outside) interface SERVER netmask 255.255.255.255
Now ftp and telnet are working, but I lost ssh access to the PIX as described in the previous post.
10-20-2008 04:51 AM
Are you running 6.x code?
I know that this works on 7.x for sure...
The ASA will give you a 'warning' but it *will be* there when you do a 'show run static'.
Regards
Farrukh
10-20-2008 05:08 AM
Yes, I run 6.3(4)
static (inside,outside) interface SERVER netmask 255.255.255.255 is allowing telnet, which is what I needed, but is cutting my access to the PIX through ssh.
Any other way to allow telnet and ftp but still be able to ssh to PIX?
Can I somehow manually map ftp and telnet?
10-20-2008 06:21 AM
Hi, I think it must connect via SSH. I would advise you to try to connect to the PIX through SSH and then check the logs and see why it's blocking the SSH connection.
Please post your logs.
Hope it will help
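Added example, not part of the thread: a small Python check that reads PIX 6.x configuration lines of the shapes quoted in the posts and flags the two settings discussed above, the one-to-one static on the `interface` keyword (after which the poster lost ssh to the PIX itself) and the `permit ip any any` ACL. The function names and the sample config, assembled from lines quoted in the posts, are constructed for illustration.

```python
import re

# Constructed sample: lines quoted in the thread, combined into one config.
SAMPLE_CONFIG = """\
ip address outside 10.80.48.50 255.255.252.0
ip address inside 172.31.1.1 255.255.255.0
name 172.31.1.2 SERVER
static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255
static (inside,outside) interface SERVER netmask 255.255.255.255
access-list FromOutside permit ip any any
"""

def parse_static(line):
    """Parse the two 'static' shapes seen in the thread; None for anything else."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "static" or "netmask" not in tok:
        return None
    body = tok[2:tok.index("netmask")]          # tokens between "(if,if)" and "netmask"
    if len(body) == 5 and body[0] in ("tcp", "udp"):   # port-scoped static
        proto, mapped, mapped_port, real, real_port = body
        return {"proto": proto, "mapped": mapped, "mapped_port": mapped_port,
                "real": real, "real_port": real_port}
    if len(body) == 2:                           # one-to-one static, no ports
        return {"proto": None, "mapped": body[0], "mapped_port": None,
                "real": body[1], "real_port": None}
    return None

def lint_pix_config(text):
    """Return (line_number, code, message) for each risky line."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        s = parse_static(line)
        if s and s["mapped"] == "interface" and s["proto"] is None:
            findings.append((n, "interface-wide-static",
                f"every port on the interface address is mapped to {s['real']}; "
                "the thread reports ssh to the PIX itself stopped working"))
        elif re.fullmatch(r"access-list \S+ permit ip any any", line):
            findings.append((n, "permit-any-any",
                "ACL permits all IP traffic; if it is applied to the outside "
                "interface, scope it to the forwarded ports"))
    return findings

if __name__ == "__main__":
    for n, code, msg in lint_pix_config(SAMPLE_CONFIG):
        print(f"line {n}: [{code}] {msg}")
```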