How to check the log of a PIX and troubleshoot

Hi everyone,

I have a PIX 501 which I can see from my computer when I am connected through the VPN client to my HO, but when I try to connect to this PIX or server from HO I cannot ping or RDP onto the server, or telnet onto the PIX.

I still have access from home to that PIX and server, but not from HO.

How can I fix this, or see where the problem lies?

Please help.
Can you post your crypto map statements from the config?
I would expect to see something like:

crypto map VPN 60 set transform-set ESP-AES-256-MD5
crypto map VPN 60 set peer <TOWHS IP>
crypto map VPN 60 match address TOWHS

To check why you can't telnet to the PIX from your HO, check if you have allowed telnet from the inside interface. The line in the config should be something like:
telnet <inside network> <network mask> inside

I see no reason for the PIX to prevent you connecting to the inside server over RDP from your inside network, since the traffic doesn't even pass across the PIX.
ammartahir1978Author Commented:
Hi, this is my PIX configuration. Please have a look and let me know if there is anything odd.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password s8IthzhjHyXqtyf5 encrypted
passwd s8IthzhjHyXqtyf5 encrypted
hostname PIMLICO-GR
domain-name Bamford-ltd.local
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inbound permit icmp any any echo-reply
access-list NONAT permit ip 255.255.25
access-list NONAT permit ip 255.255.25
access-list NONAT permit ip 255.255.2
access-list NONAT permit ip 255.255
access-list TOWHS permit ip 255.255.25
access-list TOWHS permit ip 255.255.25
access-list TODAYLESFORD permit ip 25
access-list TOPIMLICO permit ip 255
pager lines 24
logging on
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0 0
access-group inbound in interface outside
route outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto map VPN 60 set transform-set ESP-AES-256-MD5
crypto map VPN interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
telnet inside
telnet inside
telnet timeout 5
ssh inside
ssh inside
ssh inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750


You should be able to log in to your PIX using telnet or SSH from any network. I see no reason not to.

Regarding your RDP issue: can you tell me from which PC to which server you can make the connection? I need the IP addresses.
ammartahir1978Author Commented:
Okay, I cannot do telnet from the IP which is my head office IP.

I am working from home and connected through the VPN client, and I get an IP range of 172.16.55.X. I can connect to the server which is ( which is sitting in the location where the PIX is ).
Oh, I see now... you are using VPN access. This should explain why you have this problem.

I suppose the RDP issue occurs only when you are connected with VPN. You need to use this command:

sysopt connection permit-ipsec

ammartahir1978Author Commented:
But my question is that it was working absolutely fine and I haven't changed anything on the firewall; secondly, I can connect through the VPN connection, but why can't I access it within my network?

I can't ping my file server from the site, and neither can I ping the site from the file server.

So there is something which has gone wrong.
Alright, I've probably misunderstood you, sorry. Let me see if I'm getting the picture now: you use a remote VPN connection from home to your HO and log in to one of the servers in the network. From there you are trying to telnet or SSH to your PIX and it is not working!?! From the configuration I see no reason for that!

Do you mean it happens only when you are connected through VPN, or also when you are physically in the network? In which network is your file server? Is there a router between your site (from where you ping) and the file server?
ammartahir1978Author Commented:
Okay, I will explain step by step.

HO Network
VPN network
Site network is

Now I am at home and I connect my VPN client to HO, so I get a 172.16.55.X IP address on my laptop. Now when I RDP onto (server) I can easily get onto it.

Now when I try to connect to the site from my HO office file ( I cannot ping the site.
What I am trying to fix is that within the network the site should be pingable (the HO file server should ping the site), but it is not right now.

Hope this helps.
Where is your HO network? On the inside of the PIX? How is it routed between the Site network and HO?
ammartahir1978Author Commented:
If you see the configuration I have posted, line 26 is HO and 27 VPN.
Well, it is a bit confusing because I see the line "telnet inside", and your crypto configuration isn't complete. I guess you deleted some lines, but I was not sure which ones exactly.

So basically your HO and VPN networks are on the other side of the tunnel, and you are able to get RDP into the Site network from the VPN network, but it can't be done from HO. That's really odd, since they are using the same tunnel.

I would really enable "sysopt connection permit-ipsec".
Reset the tunnel: "clear crypto sa"; sometimes it hangs. You might consider setting keepalives.
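An added example, not code from the thread: a small Python checker that looks for the gaps the reply above points at in a PIX 6.3 config (crypto map entries missing "set peer" / "match address" / "set transform-set", a "match address" that names an undefined access-list, no "sysopt connection permit-ipsec", no "telnet ... inside" line). The sample config is constructed with placeholder addresses; it is modelled on the posted config, not copied from it.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the PIX 6.3 config posted in the thread.
# Addresses are placeholders (RFC 1918 / RFC 5737), not the poster's values.
SAMPLE_CONFIG = """\
access-list TOWHS permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list TOPIMLICO permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
sysopt connection permit-ipsec
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address TOWHS
crypto map VPN 20 set peer 192.0.2.10
crypto map VPN 20 set transform-set ESP-AES-256-MD5
crypto map VPN 60 ipsec-isakmp
crypto map VPN 60 set transform-set ESP-AES-256-MD5
crypto map VPN interface outside
telnet 10.1.0.0 255.255.255.0 inside
"""

# One crypto map entry line: "crypto map <name> <seq> <keyword> [arg]"
ENTRY_RE = re.compile(
    r"^crypto map (\S+) (\d+) "
    r"(ipsec-isakmp|set peer|set transform-set|match address)\s*(\S*)$")

def audit_pix_vpn(config):
    """Return a list of findings (strings) for an L2L IPsec PIX config."""
    entries = defaultdict(dict)   # (map name, seq) -> {keyword: argument}
    acls = set()
    sysopt_ipsec = False
    telnet_inside = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "sysopt connection permit-ipsec":
            sysopt_ipsec = True
        elif line.startswith("telnet ") and line.endswith(" inside"):
            telnet_inside = True
        elif line.startswith("access-list "):
            acls.add(line.split()[1])
        m = ENTRY_RE.match(line)
        if m:
            entries[(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4)
    findings = []
    for (name, seq), parts in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        for kw in ("set peer", "set transform-set", "match address"):
            if not parts.get(kw):
                findings.append(f"{tag}: missing '{kw}'")
        acl = parts.get("match address")
        if acl and acl not in acls:
            findings.append(f"{tag}: match address {acl} references an undefined access-list")
    if not sysopt_ipsec:
        findings.append("sysopt connection permit-ipsec is absent: IPsec traffic is subject to the outside access-group")
    if not telnet_inside:
        findings.append("no 'telnet <net> <mask> inside' line: inside hosts cannot telnet to the PIX")
    return findings
```

Run it against the text of `show running-config`; on the sample it reports the two missing pieces of crypto map VPN 60.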
ammartahir1978Author Commented:
Okay, I have already got sysopt connection permit-ipsec.
Reset the tunnel? How do I do it, and on which PIX, Site or HO?
And keepalives: where shall I use them, site/HO?

Please let me know step by step.

Just to let you know that I have checked the connection in the HO firewall and I can see it's connected to the site.

Here is, step by step, how to re-establish the tunnel:

The command to enable keepalives on the tunnel is:
isakmp keepalive ... (values: how often they should be sent)
ammartahir1978Author Commented:
Tried, not solved :(
But it's been working once, right? Can you confirm now that the tunnel is up?
sh crypto ipsec sa
sh crypto isakmp sa
ammartahir1978Author Commented:
Here you go

Crypto Map: "VPN" interfaces: { outside }

Crypto Map "VPN" 20 ipsec-isakmp
        Peer = XX.XXX.XXX.xX
        access-list TOWHS; 2 elements
        access-list TOWHS line 1 permit ip (hitcnt=7542)
        access-list TOWHS line 2 permit ip (hitcnt=336)
        Current peer: XX.XXX.XXX.XX
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ ESP-AES-256-MD5, }

Crypto Map "VPN" 40 ipsec-isakmp
        Peer =
        access-list TODAYLESFORD; 1 elements
        access-list TODAYLESFORD line 1 permit ip (hitcnt=0)
        Current peer:XXX.XX.XXX.XX
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ ESP-AES-256-MD5, }

Crypto Map "VPN" 60 ipsec-isakmp
        Peer = XX.XXX.XX.XX
        access-list TOPIMLICO; 1 elements
        access-list TOPIMLICO line 1 permit ip (hitcnt=23)
        Current peer: XX.XXX.XX.XX
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ ESP-AES-256-MD5, }
Can you post the configuration from the HO site? Is HO the same as TOWHS?
I just re-read this thread and it sounds like you are trying to VPN into the HO and then access a host across the L2L VPN tunnel to another peer? You cannot do that.
ammartahir1978Author Commented:
Hi Irmoore,

Okay, let me explain again.

My HO ( which is
and my site which is PIMLICO (172.31.179.XX
The Pimlico site is connected to my HO through a VPN tunnel, which is connected. Now the problem I am having is that I cannot connect to the Pimlico site from HO, even though the VPN tunnel is UP??

On the other hand, if I access the Pimlico site from my home I can RDP into the server on the Pimlico site, which is very ODD.

Now when any user in my office connects to HO from HOME through the VPN client they get an IP address of
172.16.55.X. Now I can RDP onto the Pimlico server from home with the VPN client connected, but when in HO I cannot access the Pimlico site.

Hope this explains it.

ammartahir1978Author Commented:
Just to let you know that this was working perfectly fine before; it just suddenly stopped working.
Basically your HO network suddenly stopped reaching the Pimlico network over the tunnel. Do a tracert to Pimlico from any host on HO. Check the syslog on the other VPN device; if it is another PIX you should be able to see the reason why the traffic from doesn't reach.
>was working perfectly fine before it just suddenly stopped working.
Things just don't suddenly stop working unless something changes. What changed?
ammartahir1978Author Commented:
Hi Irmoore,

Things do sometimes stop suddenly. I have sorted the PIX now; it was a bug, so I had to upgrade my ASA version, after which things are fine.

But now I have the same issue with another PIX on another site.

How can I fix that? Is there a newer version than 6.3(5) available for the PIX 501?

Thank you

6.3(5) is the latest available for the PIX 501.
ammartahir1978Author Commented:
Thank you Irmoore. What can be wrong then?
I can access the site when I connect through the VPN client from home, but when I am within the company network we can access it.

Any idea?

Thank you.