Cisco Support Community
PIX stop to accept Telnet after software upgrade.

Hi all,

After upgrading my PIX OS from 6.3.4 to 8.0.2, my telnet sessions from the central site to the remote site (the remote one was updated) do not work (I'm trying to telnet to the inside interface from the remote site). No config was changed. I searched the release notes but did not see anything related to this.

A trace follows.

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (telnet-not-permitted) Telnet not permitted on least secure interface

9 REPLIES

Re: PIX stop to accept Telnet after software upgrade.

do you have...

management-access inside


Re: PIX stop to accept Telnet after software upgrade.

Yes! And we made an attempt to change it to outside, but the pix returns an error message saying that it is not permitted.


Re: PIX stop to accept Telnet after software upgrade.

you can't telnet to the outside interface of pix/asa unless it's over a vpn tunnel.

are you telnetting to the inside interface over a vpn?


Re: PIX stop to accept Telnet after software upgrade.

Yes, I'm using a site-to-site VPN and the VPN works fine. The problem is only that I can't manage my remote pix from the central site. To do this I need to connect to a remote PC located at the remote site and after that connect to my pix.


Re: PIX stop to accept Telnet after software upgrade.

can you do this?

#logging on

#logging buffered informational

then start the telnet session from your PC

#show log | in "IP of your PC"

post the result


Re: PIX stop to accept Telnet after software upgrade.

Tks,

Here I attach the output. Note that the first sequence was made in the real scenario and the next sequence was made in a lab environment. In the lab environment telnet works fine.

Tks,


Re: PIX stop to accept Telnet after software upgrade.

Can you post more lines for the "Real Scenario"?

Real Scenario

BR013NF0001# show logging | inc 10.152.129.142

%PIX-6-302013: Built inbound TCP connection 516995 foroutside:10.152.129.142/2775 (10.152.129.142/2775) to NP Identity Ifc:10.100.238.253/23 (10.100.238.253/23)

%PIX-6-302014: Teardown TCP connection 516995 for outside:10.152.129.142/2775 to NP Identity Ifc:10.100.238.253/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept

%PIX-6-302013: Built inbound TCP connection 516996 for outside:10.152.129.142/2775 (10.152.129.142/2775) to NP Identity Ifc:10.100.238.253/23 (10.100.238.253/23)

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Lab Scenario

pixfirewall# sh log | inc 10.1.1.1

%PIX-7-609001: Built local-host NP Identity Ifc:10.1.1.1

%PIX-6-302013: Built inbound TCP connection 51 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)

%PIX-6-302014: Teardown TCP connection 51 for outside:10.2.2.1/15755 to NP Identity Ifc:10.1.1.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept

%PIX-7-609002: Teardown local-host NP Identity Ifc:10.1.1.1 duration 0:00:00

%PIX-7-609001: Built local-host NP Identity Ifc:10.1.1.1

%PIX-6-302013: Built inbound TCP connection 53 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)

%PIX-6-605005: Login permitted from 10.2.2.1/15755 to inside:10.1.1.1/telnet for user ""

1. The first sessions, 516995 and 51, are the same in both scenarios: the tcp session is terminated by TCP Intercept, which indicates that a connection was created when the packet came over the VPN tunnel. We need to figure out the difference between 516996 and 53.

2. Check that you allow telnet from the central site:

telnet 10.152.129.0 255.255.255.0 inside

or

telnet 0.0.0.0 0.0.0.0 inside

3. You can ping 10.100.238.253 from 10.152.129.142 (because you have "management-access inside").

4. On the remote PIX:

# clear asp drop

then restart telnet session

# show asp drop

If you see any counter other than 0, that is probably the "drop-reason" why the packet has been dropped.

# capture DROPtest type asp-drop "drop-reason"

then restart telnet session

# show capture DROPtest
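An added Python example (not part of the thread) that applies the comparison in step 1 to the quoted log format: it pairs Built, Teardown and Login records by connection id and client address, and flags sessions that were built but never torn down or logged in, which are the ones to chase with show asp drop. The sample lines are constructed from the message formats quoted above.

```python
import re

# Constructed sample, modelled on the %PIX-6-302013/302014/605005 lines in the thread.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 516995 for outside:10.152.129.142/2775 (10.152.129.142/2775) to NP Identity Ifc:10.100.238.253/23 (10.100.238.253/23)
%PIX-6-302014: Teardown TCP connection 516995 for outside:10.152.129.142/2775 to NP Identity Ifc:10.100.238.253/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
%PIX-6-302013: Built inbound TCP connection 516996 for outside:10.152.129.142/2775 (10.152.129.142/2775) to NP Identity Ifc:10.100.238.253/23 (10.100.238.253/23)
%PIX-6-302013: Built inbound TCP connection 53 for outside:10.2.2.1/15755 (10.2.2.1/15755) to NP Identity Ifc:10.1.1.1/23 (10.1.1.1/23)
%PIX-6-605005: Login permitted from 10.2.2.1/15755 to inside:10.1.1.1/telnet for user ""
"""

BUILT = re.compile(r"%PIX-6-302013: Built inbound TCP connection (\d+) for (\w+):([\d.]+)/(\d+) \(\S+\) to (.+?):([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"%PIX-6-302014: Teardown TCP connection (\d+) .*bytes (\d+)(.*)$")
LOGIN = re.compile(r"%PIX-6-605005: Login permitted from ([\d.]+)/(\d+) to")


def analyse_telnet_sessions(log_text):
    """Return {conn_id: {"client": (ip, port), "dst": ip, "status": ...}}."""
    sessions = {}
    by_client = {}  # (client ip, port) -> most recent connection id
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            cid, client = m.group(1), (m.group(3), m.group(4))
            sessions[cid] = {"client": client, "dst": m.group(6), "status": "built-no-teardown"}
            by_client[client] = cid
            continue
        m = TEARDOWN.search(line)
        if m and m.group(1) in sessions:
            nbytes, reason = int(m.group(2)), m.group(3)
            # A zero-byte flow ended by TCP Intercept is the VPN-side pre-connection seen in both scenarios.
            if "TCP Intercept" in reason and nbytes == 0:
                sessions[m.group(1)]["status"] = "intercepted-zero-bytes"
            else:
                sessions[m.group(1)]["status"] = "torn-down"
            continue
        m = LOGIN.search(line)
        if m:
            cid = by_client.get((m.group(1), m.group(2)))
            if cid:
                sessions[cid]["status"] = "login-permitted"
    return sessions


def suspect_sessions(sessions):
    """Connection ids that were built but never reached login or teardown: check these with show asp drop."""
    return sorted(cid for cid, s in sessions.items() if s["status"] == "built-no-teardown")
```

In the constructed sample, 516995 is the intercepted pre-connection, 53 reaches a permitted login, and 516996 is reported as the session to investigate.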


Re: PIX stop to accept Telnet after software upgrade.

Thanks for your reply,

Yes, telnet is permitted from the central site.

With show asp drop I see:

TCP failed 3 way handshake

and when I refine the filter with:

#capture DROPTEST type asp-drop tcp-3whs-failed

I can't see anything related to my IP address.

Now I attach a show running from the remote site.


Re: PIX stop to accept Telnet after software upgrade.

Hi, this is too much information. I checked your L2L VPN configuration; it seems fine. Please check this:

1. Can you ping from TESTE_BR to 10.100.238.253? If not, something is wrong with the VPN part.

2. Not sure why you have these two routes pointing to your outside interface; they should point to 200.251.149.129. The default route is good enough; you can remove these two.

route outside TESTE_BR 255.255.0.0 200.251.149.130 1

route outside 172.16.0.0 255.255.0.0 200.251.149.130 1

Because you upgraded the PIX without changing anything, this may not be related, but it is worth a try.
