MARS 6.0 can't discover PIX 8.0(4)

Apr 7th, 2010


I've configured CS-MARS 6.0, added a lot of devices and everything works fine,

but I can't add the PIX 8.0 device:


spawn ssh -c 3des -l admin 10.*.*.*

ssh: connect to host 10.*.*.* port 22: no route to host

Error executing ssh command

The PIX is connected to the switch, and MARS is connected to the switch too, in the same VLAN.

PIX config:

PIX Version 8.0(4)
hostname test-pix
enable password ************* encrypted
passwd ************ encrypted
no names
interface Ethernet0
 nameif management
 security-level 100
 ip address 10.*.*.*
interface Ethernet1
 no nameif
 no security-level
 no ip address
interface Ethernet2
 no nameif
 no security-level
 no ip address
ftp mode passive
clock timezone MSK 3
access-list permit_ssh extended permit tcp host 10.*.*.* any eq ssh log
access-list permit_tcp extended permit tcp host 10.*.*.* any
pager lines 24
logging enable
logging trap notifications
logging host management 10.*.*.*

mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
access-group permit_tcp in interface management
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
snmp-server host management 10.*.*.* community ****
no snmp-server location
no snmp-server contact
snmp-server community ****

snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.*.*.* management
ssh 10.*.*.* management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password ********** encrypted privilege 15
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
service-policy global_policy global
prompt hostname context
: end

Could anyone help, please?

Thank you

Mykola Srebnyuk Wed, 04/07/2010 - 07:52

Config of MARS in studio!!!!

Ping successful?

Please pay some attention to the SSH configuration on the PIX.

Sergey Tregubov Wed, 04/07/2010 - 11:28

I can't ping the PIX from MARS, and vice versa.

I've attached the PIX configuration on MARS, SSH config on the MARS.

On the PIX I created a 1024-bit RSA key, because MARS does not accept RSA lower than 1024, as I understood from the literature.

Jennifer Halim Wed, 04/07/2010 - 18:40

If you can't ping the MARS from the PIX and vice versa, it is more of an L1/L2/L3 issue. Are you sure it is connected to the same VLAN in the switch? What is the IP address of MARS, and of the PIX management interface? Also, make sure the IP address is not duplicated.

Sergey Tregubov Wed, 04/07/2010 - 22:12

They are not duplicated

mars -

pix -

the same vlan

I think the problem is with CBAC on the PIX, or with the ACL; maybe I need to allow ICMP packets?

