telnet issue... what am I doing wrong?

dsingleterry
Level 1

Ok, I have two networks set up to see each other via VPN. The VPN is supplied by a 515e and a 501e. The 515e network is 192.168.50.0, the 501e network is 192.168.51.0.

The 515e's external IP is x.x.71.7, the 501's is x.x.71.8.

Problem: I can telnet from the 192.168.51.0 network behind the 501 into the outside interface of the 515e, but cannot from the 50.0 network behind the 515e into the outside interface of the 501e.

Here are my setups:

515e -

ip address outside x.x.71.7

ip address inside 192.168.50.1

access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0 (hitcnt=1184)

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host x.x.71.8 (hitcnt=62)

501e -

ip address outside x.x.71.8

ip address inside 192.168.51.1

access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 host x.x.71.7

access-list inside_nat0_outbound permit ip host x.x.71.8 192.168.50.0 255.255.255.0

Why does this work one way, but not back? I would have thought that if it worked well enough for me to telnet from the 501 side to the 515, then the same setup would work from the 515 to the 501, but it doesn't seem to.

Thanks for your help in advance.

Dave



tvanginneken
Level 4

Hi,

Please have a look at the 'telnet' commands on both PIXs. Are the IP addresses that are allowed to telnet specified?

Kind Regards,

Tom

Yes, they are:

515e

telnet x.x.71.8 255.255.255.255 outside

telnet 192.168.50.0 255.255.255.0 inside

501e

telnet x.x.71.7 255.255.255.255 outside

telnet 192.168.51.0 255.255.255.0 inside

I don't see any hits on the nonat access-list of the 501. Is it applied?

Yes, I just can't telnet to it from this location (hence the problem), so I just pulled that info from my last text dump of the "sho run" when I was at that location.

But the hits are similar to those of the 515e: one of the statements has a high number, the other is below 100.

I would like to say that it's the

access-list inside_nat0_outbound permit ip host x.x.71.8 192.168.50.0 255.255.255.0

statement that is below 100 on the 501e.

Sorry, I wasn't very thorough in the description of the problem.

Hi,

Is it possible to post the two configs? !!Please replace public addresses and passwords!!

Thanks,

Tom

What? You want me to make it easy for you? :) Ha, ok, here they are (excluding intro, fixups, and names).

(Please note that on the 515e I am just starting to set up for multiple VPNs; I haven't got that section finished yet.)

515e:

PIX Version 6.2(2)

object-group network Bluff_Inside

network-object 192.168.50.0 255.255.255.0

access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 any

access-list acl_inbound permit tcp any any

access-list acl_inbound permit tcp any host x.x.71.7 eq 3389

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host x.x.71.8

access-list inside_nat0_out2Sav permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list inside_nat0_out2Bft permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside pppoe setroute

ip address inside 192.168.50.1 255.255.255.0

ip address intf2 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.50.0 255.255.255.255 inside

pdm location 192.168.50.201 255.255.255.255 inside

pdm location x.x.71.8 255.255.255.255 outside

pdm location 192.168.51.0 255.255.255.0 outside

pdm group Bluff_Inside inside

pdm history enable

arp timeout 14400

global (outside) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 192.168.50.0 255.255.255.0 0 0

static (inside,outside) tcp x.x.71.7 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.50.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac

crypto map vpn1 10 ipsec-isakmp

crypto map vpn1 10 match address inside_nat0_outbound

crypto map vpn1 10 set pfs group2

crypto map vpn1 10 set peer x.x.71.8

crypto map vpn1 10 set transform-set myset

crypto map vpn1 interface outside

crypto map vpn2 20 ipsec-isakmp

crypto map vpn2 20 match address inside_nat0_out2Sav

crypto map vpn2 20 set pfs group2

crypto map vpn3 30 ipsec-isakmp

crypto map vpn3 30 match address inside_nat0_out2Bft

crypto map vpn3 30 set pfs group2

crypto map vpn3 30 set transform-set myset

isakmp enable outside

isakmp key ******** address x.x.71.8 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

telnet x.x.71.8 255.255.255.255 outside

telnet 192.168.51.0 255.255.255.0 outside

telnet 192.168.50.201 255.255.255.255 inside

telnet 192.168.51.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname yearround1

vpdn group pppoex ppp authentication pap

vpdn username yearround1 password *********

terminal width 80

501e:

PIX Version 6.2(2)

access-list acl_outbound permit ip 192.168.51.0 255.255.255.0 any

access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 host x.x.71.7

access-list inside_nat0_outbound permit ip host x.x.71.8 192.168.50.0 255.255.255.0

access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0

access-list acl_inbound permit ip any any

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.51.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.50.0 255.255.255.0 outside

pdm location 192.168.51.0 255.255.255.0 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 192.168.51.0 255.255.255.0 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.51.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac

crypto map vpn1 10 ipsec-isakmp

crypto map vpn1 10 match address inside_nat0_outbound

crypto map vpn1 10 set pfs group2

crypto map vpn1 10 set peer x.x.71.7

crypto map vpn1 10 set transform-set myset

crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address x.x.71.7 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

telnet x.x.71.7 255.255.255.255 outside

telnet 192.168.51.0 255.255.255.0 inside

telnet 192.168.50.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname yearround2

vpdn group pppoex ppp authentication pap

vpdn username yearround2 password *********

terminal width 80

Cryptochecksum:523aa7cc13d7e2959e2752a5c6a92fdd

: end

Thanks guys, I really appreciate your time, especially if you are still reading this, ha.

Dave

Hi Dave,

If I understand you correctly, your telnet commands should have:

515e

telnet 192.168.51.0 255.255.255.0 outside --- from the Pix 501

501

telnet 192.168.50.0 255.255.255.0 outside --- from the pix 515

And also any other IP addresses that you want to allow telnet access to the PIX.

Regards,

Arul

Hi Dave,

Just got your config. Will look into it and let you know.

Regards,

Arul

Hi Dave,

Look at my comments regarding Telnet in the previous posting.

Couple of questions for you:

1. In your config on the Pix 501, why do you have these two statements in your access-list?

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0

2. And also use a different access-list for match address and NAT 0, cos you will run into problems when you configure multiple VPN tunnels.

For Ex:

crypto map VPNMAP 10 match address 100

access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto map VPNMAP 20 match address 101

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

nat (inside) 0 access-list 150

Regards,

Arul

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

(I was under the assumption that this was needed for the VPN traffic between the two networks, and since the hit counter was continually increasing, I figured that was what it was doing.)

access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0

(This is now gone; it was just an attempt to see if the hit counter would go up when I tried to telnet to the other PIX.)

Thanks for the added advice on multiple vpns, I do have a question though.

The access-lists 100 and 101 in your example: are those applied to NAT in any way, or are they there just for the match address, with the permit statements used in the 150 list?

Thanks,

Dave

Hi Dave,

The access-lists 100 and 101 refer to the match address for the respective IPsec peers only.

And the access-list 150 is used to bypass NAT (nat 0).

Regards,

Arul
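An added example, not from the thread or from Cisco: a small Python audit of a PIX 6.x config dump for the three points raised in Arul's replies (one ACL shared by `nat 0` and a crypto map `match address`, crypto ACL entries whose source is the far LAN rather than the local one, and whether the far LAN is permitted for telnet on the outside interface). The sample config lines are constructed to mirror the posted 501e config; `audit`, `SAMPLE_501E` and `SAMPLE_FIXED` are names chosen here.

```python
import re

# Constructed samples: SAMPLE_501E mirrors the 501e lines posted in the thread
# (public addresses masked as x.x.71.x); SAMPLE_FIXED is laid out the way the
# accepted answer suggests. Neither is a complete configuration.
SAMPLE_501E = """\
access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 host x.x.71.7
nat (inside) 0 access-list inside_nat0_outbound
crypto map vpn1 10 match address inside_nat0_outbound
telnet x.x.71.7 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 inside
telnet 192.168.50.0 255.255.255.0 inside
"""
SAMPLE_FIXED = """\
access-list 100 permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 150 permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 150
crypto map vpn1 10 match address 100
telnet 192.168.50.0 255.255.255.0 outside
telnet 192.168.51.0 255.255.255.0 inside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (host \S+|\S+ \S+) ", re.M)
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)", re.M)
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)", re.M)
TELNET_RE = re.compile(r"^telnet (\S+) (\S+) (\S+)", re.M)

def audit(config, local_lan, remote_lan):
    """Return findings (strings) for a PIX 6.x config; LANs given as 'a.b.c.0'."""
    findings = []
    nat0, match = set(NAT0_RE.findall(config)), set(MATCH_RE.findall(config))
    # One ACL serving both 'nat 0' and a crypto map 'match address'
    for acl in sorted(nat0 & match):
        findings.append(f"{acl}: used for both nat 0 and match address")
    # Crypto ACL entries whose source is not the local LAN (the reversed line)
    for acl, src in ACL_RE.findall(config):
        if acl in match and not src.startswith(local_lan):
            findings.append(f"{acl}: match-address entry with non-local source {src}")
    # Telnet from the far LAN arrives on outside, so it must be allowed there
    outside = {ip for ip, _mask, ifc in TELNET_RE.findall(config) if ifc == "outside"}
    if remote_lan not in outside:
        findings.append(f"telnet: {remote_lan} not permitted on the outside interface")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_501E, "192.168.51.0", "192.168.50.0"):
        print(line)
```

Run against the posted 515e config with the LANs swapped, the same checks show why that side answered telnet: it already carries `telnet 192.168.51.0 255.255.255.0 outside`.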