ammartahir1978 (United Kingdom) asked:
How to check the log of a PIX and troubleshoot

Hi everyone,

I have a PIX 501 which I can see from my computer when I am connected through the VPN client to my HO, but when I try to connect to this PIX or server from HO I cannot ping or RDP onto the server, or telnet onto the PIX.

I still have access from home to that PIX and server, but not from HO.

How can I fix this, or see where the problem lies?

Please help.
egyptco (Austria) replied:
To check why you can't telnet to the PIX from your HO, check whether you have allowed telnet from the inside interface. The line in the config should be something like:
 
telnet <inside network> <network mask> inside

I see no reason for the PIX to prevent you connecting to an inside server over RDP from your inside network, since that traffic doesn't even pass across the PIX.
ammartahir1978 (asker) replied:
Hi, this is my PIX configuration. Please have a look and let me know if there is anything odd.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password s8IthzhjHyXqtyf5 encrypted
passwd s8IthzhjHyXqtyf5 encrypted
hostname PIMLICO-GR
domain-name Bamford-ltd.local
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any echo-reply
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.16.56.0 255.255.255.0
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.16.55.0 255.255.255.0
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.31.177.0 255.255.255.0
access-list NONAT permit ip 172.31.179.64 255.255.255.240 172.31.179.128 255.255.255.224
access-list TOWHS permit ip 172.31.179.64 255.255.255.240 172.16.56.0 255.255.255.0
access-list TOWHS permit ip 172.31.179.64 255.255.255.240 172.16.55.0 255.255.255.0
access-list TODAYLESFORD permit ip 172.31.179.64 255.255.255.240 172.31.177.0 255.255.255.0
access-list TOPIMLICO permit ip 172.31.179.64 255.255.255.240 172.31.179.128 255.255.255.224
pager lines 24
logging on
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside  255.255.255.248
ip address inside 172.31.179.78 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm location 172.31.179.64 255.255.255.240 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 172.16.56.0 255.255.255.0 inside
http 172.31.179.64 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
 
crypto map VPN 60 set transform-set ESP-AES-256-MD5
crypto map VPN interface outside
isakmp enable outside
 
fig-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
telnet 172.31.179.64 255.255.255.240 inside
telnet 172.16.56.0 255.255.255.0 inside
telnet timeout 5
ssh 172.16.56.0 255.255.255.0 inside
ssh 172.31.179.64 255.255.255.240 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
 
PIMLICO-GR#


OK,

you should be able to log in to your PIX using telnet or SSH from the 172.31.179.64/28 and 172.16.56.0/24 networks. I see no reason not to.

Regarding your RDP issue: can you tell me from which PC to which server you can make the connection? I need the IP addresses.
OK, I cannot telnet from the 172.16.56.0 network, which is my head office network.

I am working from home and connected through the VPN client, and I get an IP in the range 172.16.55.X. I can connect to the server, which is 172.31.179.77 (which is sitting in the location where the PIX is).
Oh, I see now. You are using VPN access. This should explain why you have this problem: https://www.experts-exchange.com/questions/21568428/Getting-VPN-clients-to-telnet-PIX.html

I suppose the RDP issue occurs only when you are connected with VPN. You need to use this command:

sysopt connection permit-ipsec

But my question is that it was working absolutely fine and I haven't changed anything on the firewall; secondly, I can connect through the VPN connection, but why can't I access it from within my network?

I can't ping my file server from the site, and neither can I ping the site from the file server.

So there is something which has gone wrong.
Alright, I've probably misunderstood you, sorry. Let me see if I'm getting the picture now. You use a remote VPN connection from home to your HO and log in to one of the servers in the 172.31.179.64 network. From there you are trying to telnet or SSH to your PIX and it is not working!?! From the configuration I see no reason for that!

Do you mean it happens only when you are connected through VPN, or also when you are physically in the 172.31.179.64 network? In which network is your file server? Is there a router between your site (from where you ping) and the file server?
OK, I will explain step by step.

HO network: 172.16.56.0
VPN network: 172.16.55.0
Site network: 172.31.179.64

Now, I am at home and I connect my VPN client to HO, so I get a 172.16.55.X IP address on my laptop. Now when I RDP onto 172.31.179.77 (server) I can easily get onto it.

Now when I try to connect to the site from my HO office file server (172.16.56.10), I cannot ping the site.
What I am trying to fix is that within the network the site should be pingable (the HO file server should be able to ping the site), but it is not right now.

Hope this helps.
Where is your HO network? On the inside of the PIX? How is it routed between the site network and HO?
If you look at the configuration I have posted, line 26 is HO and line 27 is VPN.
Well, it is a bit confusing, because I see the line "telnet 172.16.56.0 255.255.255.0 inside" and your crypto configuration isn't complete. I guess you deleted some lines, but I was not sure which ones exactly.

So basically your HO and VPN networks are on the other side of the tunnel, and you are able to get RDP into the site network from the VPN network, but it can't be done from HO. That's really odd, since they are using the same tunnel.

I would really enable "sysopt connection permit-ipsec" and
reset the tunnel: "clear crypto sa". Sometimes it hangs. You might consider setting keepalives.
OK, I have already got sysopt connection permit-ipsec.
Reset the tunnel? How do I do it, and on which PIX, site or HO?
And keepalives: where shall I set them, site or HO?

Please let me know step by step.

Just to let you know that I have checked the connection on the HO firewall and I can see it's connected to the site.

Thanks
Here is, step by step, how to re-establish the tunnel:
https://supportwiki.cisco.com/ViewWiki/index.php/How_to_re-establish_an_IPSec_tunnel_on_a_PIX_Firewall_after_it_disconnects

The command to enable keepalives on the tunnel is:
isakmp keepalive ... (values for how often they should be sent)
Tried, not solved :(
But it has been working once, right? Can you confirm now that the tunnel is up?
sh crypto ipsec sa
sh crypto isakmp sa
ASKER CERTIFIED SOLUTION by Les Moore (United States of America). The text of this solution is only available to Experts Exchange members.
Here you go:

Crypto Map: "VPN" interfaces: { outside }

Crypto Map "VPN" 20 ipsec-isakmp
        Peer = XX.XXX.XXX.xX
        access-list TOWHS; 2 elements
        access-list TOWHS line 1 permit ip 172.31.179.64 255.255.255.240 172.16.56.0 255.255.255.0 (hitcnt=7542)
        access-list TOWHS line 2 permit ip 172.31.179.64 255.255.255.240 172.16.55.0 255.255.255.0 (hitcnt=336)
        Current peer: XX.XXX.XXX.XX
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ ESP-AES-256-MD5, }

Crypto Map "VPN" 40 ipsec-isakmp
        Peer = 212.169.5.170
        access-list TODAYLESFORD; 1 elements
        access-list TODAYLESFORD line 1 permit ip 172.31.179.64 255.255.255.240 172.31.177.0 255.255.255.0 (hitcnt=0)
        Current peer: XXX.XX.XXX.XX
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ ESP-AES-256-MD5, }

Crypto Map "VPN" 60 ipsec-isakmp
        Peer = XX.XXX.XX.XX
        access-list TOPIMLICO; 1 elements
        access-list TOPIMLICO line 1 permit ip 172.31.179.64 255.255.255.240 172.31.179.128 255.255.255.224 (hitcnt=23)
        Current peer: XX.XXX.XX.XX
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ ESP-AES-256-MD5, }
Can you post the configuration from the HO site? Is HO the same as TOWHS?
I just re-read this thread and it sounds like you are trying to VPN into the HO and then access a host across the L2L VPN tunnel to another peer? You cannot do that.
Hi Irmoore,

OK, let me explain again.

My HO (which is 172.16.56.0 255.255.255.0)
and my site, which is PIMLICO (172.31.179.XX 255.255.255.240).
The Pimlico site is connected to my HO through a VPN tunnel, which is up. Now the problem I am having is that I cannot connect to the Pimlico site from HO, even though the VPN tunnel is UP??

On the other hand, if I access the Pimlico site from my home I can RDP into the server on the Pimlico site, which is very ODD.

Now, when any user in my office connects to HO from HOME through the VPN client they get an IP address of
172.16.55.X. Now I can RDP onto the Pimlico server from home through the VPN client connection, but when in HO I cannot access the Pimlico site.

Hope this explains it.

Just to let you know that this was working perfectly fine before; it just suddenly stopped working.
Basically your HO network suddenly stopped reaching the Pimlico network over the tunnel. Do a tracert to Pimlico from any host on HO. Check the syslog on the other VPN device. If it is another PIX you should be able to see the reason why the traffic from 172.16.56.0 doesn't reach 172.31.179.64.
>was working perfectly fine before it just suddenly stopped working.
Things just don't suddenly stop working unless something changes. What changed?
Hi Irmoore,

Things do sometimes stop suddenly. I have sorted the PIX now; it was a bug, so I had to upgrade my ASA version, after which things are fine.

But now I have the same issue with another PIX on another site.

How can I fix that? Is there a newer version than 6.3(5) available for the PIX 501?

Thank you

6.3(5) is the latest available for the PIX 501
Thank you, Irmoore. What can be wrong then?
I can access the site when I connect through the VPN client from home, but when I am within the company network we can access it.

Any idea?

Thank you