Solved

how to check the log of a pix and trouble shoot

Posted on 2009-04-03
26
475 Views
Last Modified: 2012-05-06
Hi everyone,

I have a pix 501 which I can see from my computer when I am connected through the VPN client to my HO, but when I try to connect to this pix or server from HO I cannot ping or RDP onto the server or telnet onto the pix.

I still have access from home to that pix and server, but not from HO.

How can I fix this, or see where the problem lies?

Please help.
Question by:ammartahir1978
26 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24059196
To check why you can't telnet to the pix from your HO, check if you have allowed telnet from the inside interface. The line in the config should be something like:
 
telnet <inside network> <network mask> inside

I see no reason for the pix to prevent you connecting to the inside server over RDP from your inside network, since the traffic doesn't even pass across the pix.
0
 

Author Comment

by:ammartahir1978
ID: 24059855
Hi, this is my pix configuration. Please have a look and let me know if there is anything odd.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password s8IthzhjHyXqtyf5 encrypted
passwd s8IthzhjHyXqtyf5 encrypted
hostname PIMLICO-GR
domain-name Bamford-ltd.local
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any echo-reply
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.16.56.0 255.255.255.0
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.16.55.0 255.255.255.0
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.31.177.0 255.255.255.0
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.31.179.128 255.255.255.224
access-list TOWHS permit ip 172.31.179.64 255.255.255.240 172.16.56.0 255.255.255.0
access-list TOWHS permit ip 172.31.179.64 255.255.255.240 172.16.55.0 255.255.255.0
access-list TODAYLESFORD permit ip 172.31.179.64 255.255.255.240 172.31.177.0 255.255.255.0
access-list TOPIMLICO permit ip 172.31.179.64 255.255.255.240 172.31.179.128 255.255.255.224
pager lines 24
logging on
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside  255.255.255.248
ip address inside 172.31.179.78 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm location 172.31.179.64 255.255.255.240 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 172.16.56.0 255.255.255.0 inside
http 172.31.179.64 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
 
crypto map VPN 60 set transform-set ESP-AES-256-MD5
crypto map VPN interface outside
isakmp enable outside
 
fig-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
telnet 172.31.179.64 255.255.255.240 inside
telnet 172.16.56.0 255.255.255.0 inside
telnet timeout 5
ssh 172.16.56.0 255.255.255.0 inside
ssh 172.31.179.64 255.255.255.240 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
 
PIMLICO-GR#


0
 
LVL 7

Expert Comment

by:egyptco
ID: 24060276
Ok,

You should be able to log in to your pix using telnet or ssh from the 172.31.179.64/28 and 172.16.56.0/24 networks. I see no reason not to.

Regarding your RDP issue: can you tell me from which PC to which server you can make the connection? I need the IP addresses.
0
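The check egyptco is doing by eye here (which networks the access-lists and the telnet/ssh statements admit), written out as an added example that is not part of the thread: it parses the PIX-style address/mask pairs from the config posted above and answers, for a given source and destination host, which NONAT or crypto-ACL line would match and whether the source may telnet or ssh to the PIX. The excerpt is the author's config rejoined where the paste wrapped it; 172.16.56.10 is the HO file server named later in the thread and 172.16.55.5 is a constructed VPN-client address.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 config posted above, with the wrapped
# access-list lines rejoined. It is a sample for this check, not the live box.
PIX_CONFIG = """
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.16.56.0 255.255.255.0
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.16.55.0 255.255.255.0
access-list TOWHS permit ip 172.31.179.64 255.255.255.240 172.16.56.0 255.255.255.0
access-list TOWHS permit ip 172.31.179.64 255.255.255.240 172.16.55.0 255.255.255.0
access-list TOPIMLICO permit ip 172.31.179.64 255.255.255.240 172.31.179.128 255.255.255.224
telnet 172.31.179.64 255.255.255.240 inside
telnet 172.16.56.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MGMT_RE = re.compile(r"^(telnet|ssh) (\S+) (\S+) (\S+)$")

def net(addr, mask):
    """PIX 6.x writes dotted subnet masks; ipaddress accepts the addr/mask form."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Return ({acl_name: [(src_net, dst_net), ...]}, [(proto, net, iface), ...])."""
    acls, mgmt = {}, []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append((net(sa, sm), net(da, dm)))
        elif m := MGMT_RE.match(line):
            proto, a, mk, iface = m.groups()
            mgmt.append((proto, net(a, mk), iface))
    return acls, mgmt

def acl_hit(acls, name, src, dst):
    """1-based line of ACL `name` matching src -> dst, or None (one counter per line,
    like hitcnt). Crypto and NONAT ACLs on this PIX list the local site as source, so
    traffic arriving from HO is checked with the site host as src and the HO host as dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (sn, dn) in enumerate(acls.get(name, []), 1):
        if s in sn and d in dn:
            return i
    return None

def mgmt_allowed(mgmt, proto, src, iface="inside"):
    """True if a telnet/ssh statement admits `src` to the PIX itself on `iface`."""
    s = ipaddress.ip_address(src)
    return any(p == proto and s in n and ifc == iface for p, n, ifc in mgmt)
```

`acl_hit(acls, "TOWHS", "172.31.179.77", "172.16.56.10")` returns 1 and the VPN-client address returns 2, matching the two TOWHS lines whose hit counts appear in the crypto map output later in the thread; the VPN-client range can reach the PIX over ssh (the 0.0.0.0 statement) but has no telnet statement.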
 

Author Comment

by:ammartahir1978
ID: 24060592
Okay, I cannot telnet from a 172.16.56.0 IP, which is my head office IP.

I am working from home and connected through the VPN client, and I get an IP in the 172.16.55.X range. I can connect to the server, which is 172.31.179.77 (which is sitting in the location where the pix is).
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24060737
Oh, I see now. You are using VPN access. This should explain why you have this problem: http://www.experts-exchange.com/Security/Misc/Q_21568428.html.

I suppose the RDP issue occurs only when you are connected with VPN. You need to use this command:

sysopt connection permit-ipsec

0
 

Author Comment

by:ammartahir1978
ID: 24061375
But my question is that it was working absolutely fine and I haven't changed anything on the firewall. Secondly, I can connect through the VPN connection, but why can't I access it from within my network?

I can't ping my file server from the site, nor can I ping the site from the file server.

So there is something which has gone wrong.
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24062841
Alright, I've probably misunderstood you, sorry. Let me see if I'm getting the picture now. You use a remote VPN connection from home to your HO and log in to one of the servers in the 172.31.179.64 network. From there you are trying telnet or ssh to your pix and it is not working!?! From the configuration I see no reason for that!

Do you mean it happens only when you are connected through VPN, or also when you are physically in the 172.31.179.64 network? In which network is your file server? Is there a router between your site (from where you ping) and the file server?
0
 

Author Comment

by:ammartahir1978
ID: 24062953
Okay, I will explain step by step.

HO network: 172.16.56.0
VPN network: 172.16.55.0
Site network: 172.31.179.64

Now I am at home and I connect my VPN client to HO, so I get a 172.16.55.X IP address on my laptop. Now when I RDP onto 172.31.179.77 (server) I can easily get onto it.

Now when I try to connect to the site from my HO office file server (172.16.56.10) I cannot ping the site.
What I am trying to fix is that within the network the site should be pingable (the HO file server should ping the site), but it is not right now.

Hope this helps.
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24063350
Where is your HO network? On the inside of the PIX? How is it routed between the Site network and HO?
0
 

Author Comment

by:ammartahir1978
ID: 24064447
If you see the configuration I have posted, line 26 is HO and 27 is VPN.
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24065190
Well, it is a bit confusing because I see the line "telnet 172.16.56.0 255.255.255.0 inside", and your crypto configuration isn't complete; I guess you deleted some lines but I was not sure which ones exactly.

So basically your HO and VPN networks are on the other side of the tunnel, and you are able to get RDP into the Site network from the VPN network but it can't be done from HO. That's really odd since they are using the same tunnel.

I would really enable "sysopt connection permit-ipsec" and
reset the tunnel: "clear crypto sa"; sometimes it hangs. You might consider setting keepalives.
0
 

Author Comment

by:ammartahir1978
ID: 24066419
Okay, I have already got sysopt connection permit-ipsec.
Reset the tunnel? How do I do it, and on which pix, Site or HO?
And keepalives: where shall I use them, site/HO?

Please let me know step by step.

Just to let you know that I have checked the connection in the HO firewall and I can see it's connected to the site.

Thanks
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24066721
Here is step-by-step how to re-establish the tunnel:
https://supportwiki.cisco.com/ViewWiki/index.php/How_to_re-establish_an_IPSec_tunnel_on_a_PIX_Firewall_after_it_disconnects

The command to enable keepalives on the tunnel is:
isakmp keepalive ... (values for how often they should be sent)
0
 

Author Comment

by:ammartahir1978
ID: 24066940
Tried, not solved :(
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24067019
But it's been working once, right? Can you confirm now that the tunnel is up?
sh crypto ipsec sa
sh crypto isakmp sa
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 24067089
Can you post your crypto map statements from the config?
I would expect to see something like:

crypto map VPN 60 set transform-set ESP-AES-256-MD5
crypto map VPN 60 set peer <TOWHS IP>
crypto map VPN 60 match address TOWHS

0
 

Author Comment

by:ammartahir1978
ID: 24067134
Here you go


Crypto Map: "VPN" interfaces: { outside }

Crypto Map "VPN" 20 ipsec-isakmp
        Peer = XX.XXX.XXX.xX
        access-list TOWHS; 2 elements
        access-list TOWHS line 1 permit ip 172.31.179.64 255.255.255.240 172.16.56.0 255.255.255.0 (hitcnt=7542)
        access-list TOWHS line 2 permit ip 172.31.179.64 255.255.255.240 172.16.55.0 255.255.255.0 (hitcnt=336)
        Current peer: XX.XXX.XXX.XX
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ ESP-AES-256-MD5, }

Crypto Map "VPN" 40 ipsec-isakmp
        Peer = 212.169.5.170
        access-list TODAYLESFORD; 1 elements
        access-list TODAYLESFORD line 1 permit ip 172.31.179.64 255.255.255.240 172.31.177.0 255.255.255.0 (hitcnt=0)
        Current peer: XXX.XX.XXX.XX
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ ESP-AES-256-MD5, }

Crypto Map "VPN" 60 ipsec-isakmp
        Peer = XX.XXX.XX.XX
        access-list TOPIMLICO; 1 elements
        access-list TOPIMLICO line 1 permit ip 172.31.179.64 255.255.255.240 172.31.179.128 255.255.255.224 (hitcnt=23)
        Current peer: XX.XXX.XX.XX
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ ESP-AES-256-MD5, }
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24067225
Can you post the configuration from the HO site? is HO the same as TOWHS ?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24067235
I just re-read this thread and it sounds like you are trying to VPN into the HO and then access a host across the L2L VPN tunnel to another peer? You cannot do that.
0
 

Author Comment

by:ammartahir1978
ID: 24067308
Hi lrmoore,

Okay, let me explain again.

My HO (which is 172.16.56.0 255.255.255.0)
and my site, which is PIMLICO (172.31.179.XX 255.255.255.240).
The Pimlico site is connected to my HO through a VPN tunnel, which is connected. Now the problem I am having is that I cannot connect to the Pimlico site from HO even though the VPN tunnel is UP??

On the other hand, if I access the Pimlico site from my home I can RDP into the server on the Pimlico site, which is very ODD.

Now when any user in my office connects to HO from HOME through the VPN client they get an IP address of
172.16.55.X. Now I can RDP onto the Pimlico server from home with the VPN client connected, but when in HO I cannot access the Pimlico site.

Hope this explains it.

0
 

Author Comment

by:ammartahir1978
ID: 24067324
Just to let you know that this was working perfectly fine before; it just suddenly stopped working.
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24075947
Basically your HO network suddenly stopped reaching the Pimlico network over the tunnel. Do a tracert to Pimlico from any host on HO. Check the syslog on the other VPN device. If it is another pix you should be able to see the reason why the traffic from 172.16.56.0 doesn't reach 172.31.179.64.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24077426
>was working perfectly fine before it just suddenly stopped working.
Things just don't suddenly stop working unless something changes. What changed?
0
 

Author Comment

by:ammartahir1978
ID: 24129199
Hi lrmoore,

Things do sometimes stop suddenly. I have sorted the pix now; it was a bug, so I had to upgrade my ASA version, after which things are fine.

But now I have the same issue with another PIX on another site.

How can I fix that? Is there a newer version than 6.3(5) available for the PIX 501?

Thank you
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24129226
6.3(5) is the latest available for the PIX 501
0
 

Author Comment

by:ammartahir1978
ID: 24129284
Thank you lrmoore, what can be wrong then?
I can access the site when I connect through the VPN client from home, but when I am within the company network we can access it.

Any idea?

Thank you
0
