Solved

How to check the log of a PIX and troubleshoot

Posted on 2009-04-03
26
470 Views
Last Modified: 2012-05-06
Hi everyone,

I have a PIX 501 which I can see from my computer when I am connected through the VPN client to my HO, but when I try to connect to this PIX or server from HO I cannot ping or RDP onto the server or telnet onto the PIX.

I still have access from home to that PIX and server, but not from HO.

How can I fix this or see where the problem lies?

Please help
Question by:ammartahir1978
26 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24059196
To check why you can't telnet to the PIX from your HO, check if you have allowed telnet from the inside interface. The line in the config should be something like:

telnet <inside network> <network mask> inside

I see no reason for the PIX to prevent you from connecting to the inside server over RDP from your inside network, since that traffic doesn't even pass through the PIX.
 

Author Comment

by:ammartahir1978
ID: 24059855
Hi, this is my PIX configuration. Please have a look and let me know if there is anything odd.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password s8IthzhjHyXqtyf5 encrypted
passwd s8IthzhjHyXqtyf5 encrypted
hostname PIMLICO-GR
domain-name Bamford-ltd.local
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any echo-reply
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.16.56.0 255.255.255.0
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.16.55.0 255.255.255.0
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.31.177.0 255.255.255.0
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.31.179.128 255.255.255.224
access-list TOWHS permit ip 172.31.179.64 255.255.255.240 172.16.56.0 255.255.255.0
access-list TOWHS permit ip 172.31.179.64 255.255.255.240 172.16.55.0 255.255.255.0
access-list TODAYLESFORD permit ip 172.31.179.64 255.255.255.240 172.31.177.0 255.255.255.0
access-list TOPIMLICO permit ip 172.31.179.64 255.255.255.240 172.31.179.128 255.255.255.224
pager lines 24
logging on
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside  255.255.255.248
ip address inside 172.31.179.78 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm location 172.31.179.64 255.255.255.240 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 172.16.56.0 255.255.255.0 inside
http 172.31.179.64 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

crypto map VPN 60 set transform-set ESP-AES-256-MD5
crypto map VPN interface outside
isakmp enable outside

fig-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
telnet 172.31.179.64 255.255.255.240 inside
telnet 172.16.56.0 255.255.255.0 inside
telnet timeout 5
ssh 172.16.56.0 255.255.255.0 inside
ssh 172.31.179.64 255.255.255.240 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750

PIMLICO-GR#

 
LVL 7

Expert Comment

by:egyptco
ID: 24060276
OK,

You should be able to log in to your PIX using telnet or SSH from the 172.31.179.64/28 and 172.16.56.0/24 networks. I see no reason not to.

Regarding your RDP issue: can you tell me from which PC to which server you can make the connection? I need the IP addresses.
 

Author Comment

by:ammartahir1978
ID: 24060592
OK, I cannot telnet from a 172.16.56.0 IP, which is my head office IP.

I am working from home and connected through the VPN client, and I get an IP in the 172.16.55.X range. I can connect to the server, which is 172.31.179.77 (which is sitting in the location where the PIX is).
 
LVL 7

Expert Comment

by:egyptco
ID: 24060737
Oh, I see now. You are using VPN access. This should explain why you have this problem: http://www.experts-exchange.com/Security/Misc/Q_21568428.html

I suppose the RDP issue occurs only when you are connected with VPN. You need to use this command:

sysopt connection permit-ipsec
 

Author Comment

by:ammartahir1978
ID: 24061375
But my question is that it was working absolutely fine and I haven't changed anything on the firewall. Secondly, I can connect through the VPN connection, but why can't I access it from within my network?

I can't ping my file server from the site, and neither can I ping the site from the file server.

So there is something which has gone wrong.
 
LVL 7

Expert Comment

by:egyptco
ID: 24062841
Alright, I've probably misunderstood you, sorry. Let me see if I'm getting the picture now. You use a remote VPN connection from home to your HO and log in to one of the servers in the 172.31.179.64 network. From there you are trying to telnet or SSH to your PIX and it is not working!?! From the configuration I see no reason for that!

Do you mean it happens only when you are connected through VPN, or also when you are physically in the 172.31.179.64 network? In which network is your file server? Is there a router between your site (from where you ping) and the file server?
 

Author Comment

by:ammartahir1978
ID: 24062953
OK, I will explain step by step.

HO network: 172.16.56.0
VPN network: 172.16.55.0
Site network: 172.31.179.64

Now, I am at home and I connect my VPN client to HO, so I get a 172.16.55.X IP address on my laptop. When I RDP onto 172.31.179.77 (server) I can easily get onto it.

Now, when I try to connect to the site from my HO office file server (172.16.56.10), I cannot ping the site.
What I am trying to fix is that within the network the site should be pingable (the HO file server should be able to ping the site), but it is not right now.

Hope this helps
 
LVL 7

Expert Comment

by:egyptco
ID: 24063350
Where is your HO network? On the inside of the PIX? How is it routed between the Site network and HO?
 

Author Comment

by:ammartahir1978
ID: 24064447
If you see the configuration I have posted, line 26 is HO and 27 is VPN.
 
LVL 7

Expert Comment

by:egyptco
ID: 24065190
Well, it is a bit confusing, because I see the line "telnet 172.16.56.0 255.255.255.0 inside", and your crypto configuration isn't complete. I guess you deleted some lines, but I was not sure which ones exactly.

So basically your HO and VPN networks are on the other side of the tunnel, and you are able to get RDP into the Site network from the VPN network, but it can't be done from HO. That's really odd, since they are using the same tunnel.

I would really enable "sysopt connection permit-ipsec".
Reset the tunnel: "clear crypto sa"; sometimes it hangs. You might consider setting keepalives.
 

Author Comment

by:ammartahir1978
ID: 24066419
OK, I have already got sysopt connection permit-ipsec.
Reset the tunnel? How do I do it, and on which PIX, Site or HO?
And keepalives: where shall I use them, site/HO?

Please let me know step by step.

Just to let you know that I have checked the connection on the HO firewall and I can see it's connected to the site.

Thanks
 
LVL 7

Expert Comment

by:egyptco
ID: 24066721
Here is step-by-step how to re-establish the tunnel:
https://supportwiki.cisco.com/ViewWiki/index.php/How_to_re-establish_an_IPSec_tunnel_on_a_PIX_Firewall_after_it_disconnects

The command to enable keepalives on the tunnel is:
isakmp keepalive ... (values for how often they should be sent)

Author Comment

by:ammartahir1978
ID: 24066940
Tried, not solved :(
 
LVL 7

Expert Comment

by:egyptco
ID: 24067019
But it's been working once, right? Can you confirm now that the tunnel is up?
sh crypto ipsec sa
sh crypto isakmp sa
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 24067089
Can you post your crypto map statements from the config?
I would expect to see something like:

crypto map VPN 60 set transform-set ESP-AES-256-MD5
crypto map VPN 60 set peer <TOWHS IP>
crypto map VPN 60 match address TOWHS

 

Author Comment

by:ammartahir1978
ID: 24067134
Here you go


Crypto Map: "VPN" interfaces: { outside }

Crypto Map "VPN" 20 ipsec-isakmp
        Peer = XX.XXX.XXX.xX
        access-list TOWHS; 2 elements
        access-list TOWHS line 1 permit ip 172.31.179.64 255.255.255.240 172.16.56.0 255.255.255.0 (hitcnt=7542)
        access-list TOWHS line 2 permit ip 172.31.179.64 255.255.255.240 172.16.55.0 255.255.255.0 (hitcnt=336)
        Current peer: XX.XXX.XXX.XX
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ ESP-AES-256-MD5, }

Crypto Map "VPN" 40 ipsec-isakmp
        Peer = 212.169.5.170
        access-list TODAYLESFORD; 1 elements
        access-list TODAYLESFORD line 1 permit ip 172.31.179.64 255.255.255.240 172.31.177.0 255.255.255.0 (hitcnt=0)
        Current peer: XXX.XX.XXX.XX
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ ESP-AES-256-MD5, }

Crypto Map "VPN" 60 ipsec-isakmp
        Peer = XX.XXX.XX.XX
        access-list TOPIMLICO; 1 elements
        access-list TOPIMLICO line 1 permit ip 172.31.179.64 255.255.255.240 172.31.179.128 255.255.255.224 (hitcnt=23)
        Current peer: XX.XXX.XX.XX
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ ESP-AES-256-MD5, }
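Added example (not part of the thread, and not the author's or any expert's code): the accepted answer's point is that every crypto map entry must name a peer and a match-address access-list that actually covers the flow, and the posted configuration also carries a NONAT exemption list and per-protocol telnet/ssh/http management lines. The script below copies the relevant lines of the posted configuration into a constructed string, parses them with the Python standard library, and reports, for a local-site host and a remote host, which NONAT line exempts the flow from NAT, which crypto access-list (and, using the sequence numbers from the `show crypto map` output posted above) which crypto map entry would select it, and which management lines would admit a telnet, SSH or HTTP session from a given source. The function names and the test hosts outside the thread (172.16.57.5, 10.9.8.7) are mine.

```python
"""Match a flow against the NONAT, crypto and management ACLs of a PIX 6.3 config.

Added example, not from the thread. PIX_CONFIG is a constructed excerpt
copied from the configuration posted in this thread (only the lines this
script reads); CRYPTO_MAP comes from the posted "show crypto map" output.
"""
import ipaddress
import re

PIX_CONFIG = """\
access-list inbound permit icmp any any echo-reply
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.16.56.0 255.255.255.0
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.16.55.0 255.255.255.0
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.31.177.0 255.255.255.0
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.31.179.128 255.255.255.224
access-list TOWHS permit ip 172.31.179.64 255.255.255.240 172.16.56.0 255.255.255.0
access-list TOWHS permit ip 172.31.179.64 255.255.255.240 172.16.55.0 255.255.255.0
access-list TODAYLESFORD permit ip 172.31.179.64 255.255.255.240 172.31.177.0 255.255.255.0
access-list TOPIMLICO permit ip 172.31.179.64 255.255.255.240 172.31.179.128 255.255.255.224
nat (inside) 0 access-list NONAT
telnet 172.31.179.64 255.255.255.240 inside
telnet 172.16.56.0 255.255.255.0 inside
ssh 172.16.56.0 255.255.255.0 inside
ssh 172.31.179.64 255.255.255.240 inside
ssh 0.0.0.0 0.0.0.0 inside
http 172.16.56.0 255.255.255.0 inside
http 172.31.179.64 255.255.255.240 inside
"""

# crypto ACL name -> crypto map sequence number, from the posted "show crypto map"
CRYPTO_MAP = {"TOWHS": 20, "TODAYLESFORD": 40, "TOPIMLICO": 60}

ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MGMT_RE = re.compile(r"^(telnet|ssh|http) (\S+) (\S+) (\S+)$")


def _network(addr, mask):
    """PIX writes 'address netmask'; 'any' is the whole address space."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return ({acl_name: [(src_net, dst_net), ...]}, [(proto, net, iface), ...])."""
    acls, mgmt = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append((_network(sa, sm), _network(da, dm)))
            continue
        m = MGMT_RE.match(line)
        if m:
            proto, addr, mask, iface = m.groups()
            mgmt.append((proto, _network(addr, mask), iface))
    return acls, mgmt


def matching_acls(acls, local_ip, remote_ip):
    """First line of each ACL whose source covers local_ip and destination covers remote_ip.

    The crypto and NONAT ACLs on this PIX are written inside -> remote, so a
    flow initiated from the remote side is checked against the mirrored pair.
    """
    local = ipaddress.ip_address(local_ip)
    remote = ipaddress.ip_address(remote_ip)
    hits = {}
    for name, aces in acls.items():
        for lineno, (src, dst) in enumerate(aces, start=1):
            if local in src and remote in dst:
                hits.setdefault(name, lineno)
    return hits


def check_flow(local_ip, remote_ip, config=PIX_CONFIG):
    """Summarise how this PIX would treat traffic between a local and a remote host."""
    acls, _ = parse_config(config)
    hits = matching_acls(acls, local_ip, remote_ip)
    return {
        "nat_exempt": "NONAT" in hits,
        "crypto_entries": sorted(CRYPTO_MAP[n] for n in hits if n in CRYPTO_MAP),
        "acl_hits": hits,
    }


def management_allowed(proto, source_ip, iface="inside", config=PIX_CONFIG):
    """Networks in the telnet/ssh/http lines for `iface` that admit source_ip."""
    _, mgmt = parse_config(config)
    src = ipaddress.ip_address(source_ip)
    return [str(net) for p, net, i in mgmt if p == proto and i == iface and src in net]


if __name__ == "__main__":
    for remote in ("172.16.56.10", "172.16.55.20", "172.16.57.5"):
        print(remote, "<->", "172.31.179.77", check_flow("172.31.179.77", remote))
    print("telnet from 172.16.56.10:", management_allowed("telnet", "172.16.56.10"))
    print("ssh from 10.9.8.7:", management_allowed("ssh", "10.9.8.7"))
```

Run against the posted lines, the HO file server (172.16.56.10) and a VPN-client address (172.16.55.20) both land in NONAT and in TOWHS, i.e. crypto map entry 20 and the same peer, so on this PIX the two flows are configured identically and the difference the thread describes has to come from somewhere else (the far-end device, its own NONAT/crypto ACLs, or the path between HO and the tunnel endpoint). A remote host outside those networks matches nothing and would fail at NAT or never bring up an SA. The check also makes visible that `ssh 0.0.0.0 0.0.0.0 inside` admits SSH from any source address reaching the inside interface.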
 
LVL 79

Expert Comment

by:lrmoore
ID: 24067225
Can you post the configuration from the HO site? Is HO the same as TOWHS?
 
LVL 79

Expert Comment

by:lrmoore
ID: 24067235
I just re-read this thread and it sounds like you are trying to VPN into the HO and then access a host across the L2L VPN tunnel to another peer? You cannot do that.
 

Author Comment

by:ammartahir1978
ID: 24067308
Hi lrmoore,

OK, let me explain again.

My HO (which is 172.16.56.0 255.255.255.0)
and my site, which is PIMLICO (172.31.179.XX 255.255.255.240).
The Pimlico site is connected to my HO through a VPN tunnel, which is connected. Now the problem I am having is that I cannot connect to the Pimlico site from HO, even though the VPN tunnel is UP??

On the other hand, if I access the Pimlico site from my home I can RDP into the server on the Pimlico site, which is very ODD.

Now, when any user in my office connects to HO from HOME through the VPN client they get an IP address of 172.16.55.X. I can RDP onto the Pimlico server from home with the VPN client connected, but when in HO I cannot access the Pimlico site.

Hope this explains it.
 

Author Comment

by:ammartahir1978
ID: 24067324
Just to let you know that this was working perfectly fine before; it just suddenly stopped working.
 
LVL 7

Expert Comment

by:egyptco
ID: 24075947
Basically your HO network suddenly stopped reaching the Pimlico network over the tunnel. Do a tracert to Pimlico from any host on HO. Check the syslog on the other VPN device. If it is another PIX, you should be able to see the reason why the traffic from 172.16.56.0 doesn't reach 172.31.179.64.
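Added example (not from the thread): the comment above says to read the syslog on the far-end VPN device for the reason the 172.16.56.0 traffic does not reach 172.31.179.64. The script below shows what that triage looks like on a handful of constructed log lines in the shape of PIX syslog messages 302013 (connection built), 305005 (no translation group found) and 106023 (denied by access-group), using the hosts named in the thread; the lines are not captured from the device and the message wording is reproduced from memory of the PIX 6.3 formats. It keeps only events from the HO and VPN-client networks towards the site network, counts message IDs per source, and lists sources that produce failures but never a built connection. One caveat before expecting any output at all: the configuration excerpt posted above shows `logging on` but no `logging buffered`, `logging trap` or `logging host` line, and if that is the whole logging section the PIX keeps nothing for `show logging` and sends nothing to a syslog server until one of those is added.

```python
"""Triage PIX syslog lines for a site-to-site VPN reachability problem.

Added example, not from the thread. SAMPLE_SYSLOG is constructed in the
shape of PIX 6.3 syslog messages 302013 (connection built), 305005
(no translation group found) and 106023 (denied by access-group), using
the hosts named in the thread; it is not a log captured from the device.
"""
import ipaddress
import re
from collections import Counter, defaultdict

SAMPLE_SYSLOG = """\
%PIX-6-302013: Built inbound TCP connection 4012 for outside:172.16.55.20/1050 (172.16.55.20/1050) to inside:172.31.179.77/3389 (172.31.179.77/3389)
%PIX-3-305005: No translation group found for tcp src outside:172.16.56.10/1198 dst inside:172.31.179.77/3389
%PIX-3-305005: No translation group found for icmp src outside:172.16.56.10/0 dst inside:172.31.179.77/0
%PIX-4-106023: Deny tcp src outside:198.51.100.7/40312 dst inside:172.31.179.77/3389 by access-group "inbound"
%PIX-6-302013: Built inbound TCP connection 4013 for outside:172.16.55.20/1051 (172.16.55.20/1051) to inside:172.31.179.78/23 (172.31.179.78/23)
"""

# What each message ID means for a flow that is supposed to arrive through the tunnel.
MEANING = {
    "302013": "connection built",
    "305005": "no translation for the flow (the nat 0 / NONAT exemption does not cover it)",
    "106023": "dropped by the interface access-list",
}

MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")
# interface:address/port as PIX prints it, e.g. outside:172.16.56.10/1198
ENDPOINT_RE = re.compile(r"\b(\w+):(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")


def parse_line(line):
    """Extract message id, severity and the first two interface:ip/port endpoints."""
    m = MSG_RE.search(line)
    if not m:
        return None
    endpoints = ENDPOINT_RE.findall(m["body"])
    if len(endpoints) < 2:
        return None
    (src_if, src, _), (dst_if, dst, dport) = endpoints[0], endpoints[1]
    return {"id": m["id"], "severity": int(m["sev"]), "src_if": src_if, "src": src,
            "dst_if": dst_if, "dst": dst, "dport": int(dport)}


def triage(log_text, remote_nets, local_net):
    """Per remote source address: counts of message ids seen for traffic into local_net."""
    remotes = [ipaddress.ip_network(n) for n in remote_nets]
    local = ipaddress.ip_network(local_net)
    per_source = defaultdict(Counter)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
        if dst in local and any(src in n for n in remotes):
            per_source[ev["src"]][ev["id"]] += 1
    return {src: dict(c) for src, c in per_source.items()}


def blocked_sources(report):
    """Sources that never got a connection built but did produce a drop or translation failure."""
    return sorted(src for src, ids in report.items()
                  if "302013" not in ids and (set(ids) & {"305005", "106023"}))


def explain(report):
    """Human-readable lines, one per source and message id."""
    lines = []
    for src in sorted(report):
        for msg_id, n in sorted(report[src].items()):
            lines.append(f"{src}: {n}x {msg_id} - {MEANING.get(msg_id, 'other')}")
    return lines


if __name__ == "__main__":
    rep = triage(SAMPLE_SYSLOG, ["172.16.56.0/24", "172.16.55.0/24"], "172.31.179.64/28")
    print("\n".join(explain(rep)))
    print("blocked:", blocked_sources(rep))
```

On the constructed sample the VPN-client address only ever produces 302013 while the HO file server only produces 305005, which is the pattern to look for when two networks share one tunnel and only one of them works: the device with the 305005 entries is the one whose nat exemption (or static) no longer covers the failing network. The 106023 line from an unrelated Internet host is parsed but excluded from the report because it is not from one of the tunnel networks.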
 
LVL 79

Expert Comment

by:lrmoore
ID: 24077426
>was working perfectly fine before it just suddenly stopped working.
Things just don't suddenly stop working unless something changes. What changed?
 

Author Comment

by:ammartahir1978
ID: 24129199
Hi lrmoore,

Things do sometimes stop suddenly. I have sorted the PIX now; it was a bug, so I had to upgrade my ASA version, after which things are fine.

But now I have the same issue with another PIX on another site.

How can I fix that? Is there a newer version than 6.3(5) available for the PIX 501?

Thank you
 
LVL 79

Expert Comment

by:lrmoore
ID: 24129226

6.3(5) is the latest available for the PIX 501
 

Author Comment

by:ammartahir1978
ID: 24129284
Thank you lrmoore. What can be wrong then?
I can access the site when I connect through the VPN client from home, but when I am within the company network we can access it.

Any idea?

Thank you
