10-09-2006 08:42 AM
Hi,
I'd like to fix an issue I've got with my PIX. With my config I'm able to ping the inside PIX interface through the VPN tunnel, but I can't SSH or telnet to it and obviously I can't get ASDM with HTTPS. Here is my config:
!
interface Ethernet0
nameif outside
security-level 0
ip address <public-ip> 255.255.255.128
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.21.1 255.255.255.0
access-list http-list2 extended permit ip any any
access-list UKDEVPN extended permit ip object-group UKInside object-group DEOffice
access-list UKUKOFFICEVPN extended permit ip object-group UKInside object-group UKOffice
access-list inside_nat0_outbound extended permit ip object-group UKInside object-group DEOffice
access-list inside_nat0_outbound extended permit ip object-group UKInside object-group UKOffice
access-list inside_nat1_outbound extended permit ip object-group UKInside any
access-list inbound extended permit tcp any object-group UKOutEx eq smtp
access-list inbound extended permit tcp any object-group UKOutEx eq pop3
access-list inbound extended permit tcp any object-group UKOutEx eq https
access-list inbound extended permit tcp any object-group UKOutEx eq imap4
access-list inbound extended permit tcp any object-group UKOutEx eq ssh
access-list inbound extended permit tcp any object-group UKOutEx eq 995
access-list inbound extended permit icmp object-group PublicUKOffice object-group UKOutEx
monitor-interface outside
monitor-interface inside
icmp permit <officepublicip> 255.255.255.248 outside
icmp permit any inside
asdm image flash:/asdm-501.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 <publicip> netmask 255.255.255.128
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat1_outbound
static (inside,outside) <publicip> 192.168.21.10 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 <internetGW>
http server enable
http <publicofficeip> outside
http 192.168.20.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
I don't know why I'm able to ping (so the traffic is allowed) but I can't SSH or telnet, even though I set up the right settings such as management-access inside, etc...
Any help would be great.
Thanks in advance
10-13-2006 10:27 AM
Try to add the following commands, it might solve your problem.
telnet
telnet timeout 5
ssh timeout 5
10-16-2006 09:05 AM
Hi,
This should help you;
telnet
ssh
http
where Remote subnet is the subnet on the far side of the tunnel.
And you need management-access inside for this to work.
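As an added example that is not part of this thread, a small Python check of the management-plane lines the previous reply refers to (telnet/ssh/http and management-access). The config excerpt is a constructed copy modelled on the posted one, and the remote VPN subnet 10.0.0.0/24 is a placeholder since the thread never shows it.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config in the thread (not a real device dump).
POSTED_CONFIG = """\
http server enable
http 192.168.20.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
"""

# Constructed hardened variant: each protocol scoped to the remote subnet only.
HARDENED_CONFIG = """\
http server enable
telnet 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
management-access inside
"""

MGMT_RE = re.compile(r"^(telnet|ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")

def parse_mgmt_rules(config):
    """Return (protocol, network, interface) tuples from telnet/ssh/http lines."""
    rules = []
    for line in config.splitlines():
        m = MGMT_RE.match(line.strip())
        if m:
            proto, addr, mask, iface = m.groups()
            rules.append((proto, ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), iface))
    return rules

def audit(config, remote_subnet, iface="inside"):
    """Report, per protocol, whether the remote VPN subnet is permitted on iface,
    flag any-source (0.0.0.0 0.0.0.0) rules, and check for management-access."""
    remote = ipaddress.IPv4Network(remote_subnet)
    rules = parse_mgmt_rules(config)
    findings = []
    for proto in ("telnet", "ssh", "http"):
        matching = [r for r in rules if r[0] == proto and r[2] == iface]
        if not any(remote.subnet_of(net) for _, net, _ in matching):
            findings.append(f"{proto}: remote subnet {remote} not permitted on {iface}")
        for _, net, _ in matching:
            if net.prefixlen == 0:  # 0.0.0.0 0.0.0.0 admits any source address
                findings.append(f"{proto}: any-source rule on {iface}; scope it to {remote}")
    if not re.search(r"^management-access\s+" + re.escape(iface) + r"\s*$", config, re.M):
        findings.append(f"management-access {iface} missing (needed for management over the tunnel)")
    return findings
```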
10-17-2006 01:10 AM
I'm sorry, but I've already made these modifications and no luck, it still doesn't work. I really don't understand.
10-17-2006 07:34 AM
Hi,
I would like to know what code you are running on the PIX?
Thanks
Kanishka
10-17-2006 08:14 AM
It is 6.3(5).
OK, I think I found the solution: in the logs it says traffic discarded because the host licence has been exceeded.
So I will upgrade my licence and see if it works better.
10-18-2006 01:09 AM
I can't believe it, my problem is solved and I spent many hours troubleshooting. The solution was just about upgrading the host licence, unbelievable.
Can someone tell me how I can mark this post as solved?
Thanks for your help
Alex