I'm not able to SSH and telnet to my routers from behind the PIX. The routers are placed in the PIX outside zone. SSH and Telnet are permitted, and I even enabled a TCP Any rule for the routers. When I tried SSH using PuTTY I got the following error: "Network error: Software caused connection abort". I'm able to ping these routers and access other applications through the PIX. It was working until last week. Don't know what happened.
From that same machine, can you test telnet from the command line, e.g.
If you get a black screen, it means you are hitting the router through the PIX outside interface, so most likely it is some setting in your PuTTY app or the machine itself. You may want to check your RSA public-key .ppk file in the PuTTY software, or try PuTTY from another machine.
Also check the logs on the routers and see if anything is being denied.
Yes, the telnet test is just for troubleshooting; don't expect to get a login prompt. A telnet test on port 22 just proves the outbound connection went through and was accepted at the router end. I don't think this could be a firewall problem; you need to check on the router side, or at least try an SSH client from another machine to narrow down the problem.
I am interested in your statement in the original post that it was working until last week. Am I correct in understanding that until last week you were able to telnet and SSH through the PIX to these routers and successfully establish sessions?
There are several things that occur to me that could cause these symptoms. There could be a problem in translating addresses between your machine inside and the routers outside. Is there any possibility that your machine IP address has changed? If you can ping the routers that would seem to indicate that it is probably not an issue with translation.
It might also be an issue with allowing the telnet or SSH packets through the PIX, or with allowing the response packets from the routers back to your machine. Are there any logs on the PIX that show these packets, or that show translations being set up for them? Are there any log messages or debugs on the router that could show the attempt to connect to the router? That would establish that the packets are getting through the PIX.
It might also be that there is an access-class applied on the vty lines of the routers that is not permitting your connection attempts. Can you verify whether the routers are configured with access-class under the vty lines? If so, can you post the config of the vty lines and of the access list?
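The "telnet to port 22" check suggested in the replies above, and the question of whether the packets reach the router at all, as an added example that is not part of the original thread: a small Python probe that connects to the router's SSH port and classifies what comes back. The loopback "router" and its banner are constructed stand-ins so the code runs offline; the real router address is whatever you pass to probe_ssh.

```python
import socket
import threading
# Added example, not from the thread: the "telnet to port 22" test as code.

def probe_ssh(host, port=22, timeout=3.0):
    """Connect to host:port and try to read the SSH version banner.
    Returns (status, detail); status is one of:
      banner       got an 'SSH-x.y-...' line: the PIX passed the traffic and
                   the router's SSH server answered, so look at the client
                   (PuTTY settings, keys) or the router's vty/auth config
      refused      the SYN was answered with a reset
      unreachable  no answer at all within the timeout (silent drop, routing)
      no-banner    TCP connected but no banner came back (peer closed, reset,
                   or stayed silent); detail says which
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "")
    except OSError as exc:  # socket.timeout, no route, etc.
        return ("unreachable", type(exc).__name__)
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except OSError as exc:  # reset or timeout after the handshake
            return ("no-banner", type(exc).__name__)
    if not data:
        return ("no-banner", "closed")
    first = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    return ("banner", first) if first.startswith("SSH-") else ("other", first)


def fake_router(banner=b"SSH-2.0-Cisco-1.25\r\n"):
    """Constructed stand-in for a router's SSH listener on the loopback so the
    probe can run offline: serves one connection, sends `banner` (b'' means
    close without one) and exits. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port
```

Against a real router, run probe_ssh("<router-ip>") from the machine behind the PIX; a "banner" result means the firewall path is fine and the fault is on the client or the router's vty configuration, while "unreachable" points back at the PIX or routing.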