06-26-2008 01:57 PM - edited 03-11-2019 06:06 AM
Trying to figure out why I cannot SSH to my PIX 501 from an outside connection!
Any ideas?
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname AB01-GR-PIX
domain-name tobar.COM
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.4.2.0 AB01-GR
name 10.9.2.0 AB01-LF
access-list inside_outbound_nat0_acl permit ip AB01-GR 255.255.255.0 AB01-LF 255.255.255.0
access-list outside_cryptomap_40 permit ip AB01-GR 255.255.255.0 AB01-LF 255.255.255.0
no pager
mtu outside 1500
mtu inside 1500
ip address outside 45.10.15.74 255.255.255.248
ip address inside 10.4.2.30 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location AB01-GR 255.255.255.0 inside
pdm location AB01-LF 255.255.255.0 inside
pdm location AB01-LF 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.0 0.0.0.0 65.100.175.78 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http AB01-LF 255.255.255.0 inside
http AB01-GR 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 12.166.199.2
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 12.166.199.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet AB01-GR 255.255.255.0 inside
telnet AB01-LF 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.4.2.150-10.4.2.180 inside
dhcpd dns 10.9.2.5 10.9.2.6
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain abvalve.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxx
: end
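Added example, not part of the thread or of any Cisco tool: a small Python checker run over an excerpt of the config posted above. It resolves the `name` aliases, answers whether a given source address on a given interface is covered by the `ssh`, `telnet` or `http` management lines, and flags the settings a reviewer would raise (any-source management on the outside interface, the default SNMP community, and a DES/MD5/group 1 IKE policy). The source addresses used in the usage call are constructed; the config lines are quoted from the post. Note that the RSA host key is not part of the running config, so a check like this can only confirm that the `ssh` lines permit the source, not that the SSH server can actually complete a handshake.

```python
import ipaddress
import re

# Excerpt of the PIX 6.3(5) config posted above (name, management and IKE lines only).
PIX_CONFIG = """\
hostname AB01-GR-PIX
name 10.4.2.0 AB01-GR
name 10.9.2.0 AB01-LF
ip address outside 45.10.15.74 255.255.255.248
ip address inside 10.4.2.30 255.255.255.0
http server enable
http AB01-LF 255.255.255.0 inside
http AB01-GR 255.255.255.0 inside
snmp-server community public
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
telnet AB01-GR 255.255.255.0 inside
telnet AB01-LF 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""


def parse_names(config):
    """Map 'name <ip> <alias>' lines to {alias: ip}."""
    names = {}
    for line in config.splitlines():
        m = re.match(r"name (\S+) (\S+)$", line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def parse_mgmt_rules(config, names):
    """Return {service: [(network, interface), ...]} for ssh/telnet/http access lines.

    Lines such as 'ssh timeout 5' or 'http server enable' have only three tokens
    and are deliberately not matched by the four-token pattern.
    """
    rules = {"ssh": [], "telnet": [], "http": []}
    pat = re.compile(r"^(ssh|telnet|http) (\S+) (\S+) (\S+)$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        svc, addr, mask, iface = m.groups()
        addr = names.get(addr, addr)          # resolve a 'name' alias if present
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules[svc].append((net, iface))
    return rules


def is_allowed(rules, service, source_ip, interface):
    """True if some access line for 'service' covers source_ip on that interface."""
    src = ipaddress.ip_address(source_ip)
    return any(src in net and iface == interface for net, iface in rules[service])


def audit(config):
    """Return a list of findings a reviewer of this config would raise."""
    rules = parse_mgmt_rules(config, parse_names(config))
    findings = []
    for svc, entries in rules.items():
        for net, iface in entries:
            if net.prefixlen == 0 and iface == "outside":
                findings.append(f"{svc} management open to any source on outside")
    if re.search(r"^snmp-server community public$", config, re.M):
        findings.append("default SNMP community 'public'")
    if re.search(r"^isakmp policy \d+ encryption des$", config, re.M):
        findings.append("IKE policy uses single DES")
    if re.search(r"^isakmp policy \d+ hash md5$", config, re.M):
        findings.append("IKE policy uses MD5")
    if re.search(r"^isakmp policy \d+ group 1$", config, re.M):
        findings.append("IKE policy uses DH group 1 (768-bit)")
    return findings


if __name__ == "__main__":
    rules = parse_mgmt_rules(PIX_CONFIG, parse_names(PIX_CONFIG))
    # 203.0.113.9 is a constructed (documentation-range) outside source address.
    print("ssh from 203.0.113.9 on outside:", is_allowed(rules, "ssh", "203.0.113.9", "outside"))
    print("ssh from 10.4.2.50 on inside:", is_allowed(rules, "ssh", "10.4.2.50", "inside"))
    for f in audit(PIX_CONFIG):
        print("finding:", f)
```

As posted, the `ssh 0.0.0.0 0.0.0.0 outside` line does cover any outside source, so the access line is not what produces the refusal; the checker's value is in showing that quickly and in listing what else on the management surface deserves tightening (a specific source network on `outside` rather than any, and a non-default SNMP community).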
06-26-2008 02:04 PM
A couple of things:
Not a good idea to post a config with public IP addresses in it, although I suspect you have changed them??
Your outside interface is 45.10.15.74
Your default route is 65.100.175.78
So it looks like you have modified your addressing?
Anyway, when you try to SSH, how far do you get?
Jon
06-26-2008 02:10 PM
Those IPs were just changed for the post... but I get connection refused from PuTTY.
06-26-2008 02:15 PM
Do you know if SSH works from the inside?
06-26-2008 02:15 PM
Nope, but let me try.
06-26-2008 02:16 PM
conf t
ca generate rsa key 2048
After that, try SSH again.
06-26-2008 02:23 PM
Yeah, I can SSH from inside,
NOT outside.
06-26-2008 02:28 PM
I can test, i.e. see if I get a prompt, if you let me know the public IP,
but obviously you don't have to.
Jon
06-26-2008 02:41 PM
Maybe your provider is blocking SSH?
06-27-2008 05:46 AM
No, because I can SSH into the 506E that the 501s are VPN'ing into!
06-27-2008 05:52 AM
here is a good PIX config...
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password qaAv.Ii3BE9UHjeE encrypted
passwd lfL9YkXcpVI8j9gT encrypted
hostname AB01-CC-PIX
domain-name rupurt.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 10.7.2.0 AB01-CC
name 10.9.2.0 AB01-LF
access-list inside_outbound_nat0_acl permit ip AB01-CC 255.255.255.0 AB01-LF 255.255.255.0
access-list outside_cryptomap_100 permit ip AB01-CC 255.255.255.0 AB01-LF 255.255.255.0
no pager
mtu outside 1500
mtu inside 1500
no ip address outside
ip address inside 10.7.2.30 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location AB01-CC 255.255.255.0 inside
pdm location AB01-LF 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) 68.213.152.84 10.7.2.13 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 68.213.152.81 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http AB01-CC 255.255.255.0 inside
http AB01-LF 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 69.2.60.228
crypto map outside_map 100 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 12.166.199.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 69.2.60.228 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet AB01-CC 255.255.255.0 inside
telnet AB01-LF 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.7.2.100-10.7.2.130 inside
dhcpd dns 10.9.2.5 10.9.2.6
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain rupert.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxx
: end
06-27-2008 05:54 AM
Forgot the outside IP...
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname AB01-CC-PIX
domain-name abvalve.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 10.7.2.0 AB01-CC
name 10.9.2.0 AB01-LF
access-list inside_outbound_nat0_acl permit ip AB01-CC 255.255.255.0 AB01-LF 255.255.255.0
access-list outside_cryptomap_100 permit ip AB01-CC 255.255.255.0 AB01-LF 255.255.255.0
no pager
mtu outside 1500
mtu inside 1500
ip address outside 68.x.x.84 255.255.255.248
ip address inside 10.7.2.30 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location AB01-CC 255.255.255.0 inside
pdm location AB01-LF 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) 68.213.152.84 10.7.2.13 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 68.213.152.81 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http AB01-CC 255.255.255.0 inside
http AB01-LF 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 69.2.60.228
crypto map outside_map 100 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 12.166.199.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 69.2.60.228 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet AB01-CC 255.255.255.0 inside
telnet AB01-LF 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.7.2.100-10.7.2.130 inside
dhcpd dns 10.9.2.5 10.9.2.6
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain abvalve.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxx
: end
06-27-2008 06:15 AM
Using the configuration above I cannot ping the outside address either!