telnet, ssh, and vpn fail on completely open pix

Tags:
Firewalls
Forensics
Incident response
Intrusion management
Network security
VPN
Wireless
We are setting up a pix internally in our net. The network behind it is a private range but we aren't doing NAT. The outside address is public and we want external users to VPN to it to reach the private net. My management station is outside of the firewall and I can manage the pix with HTTPS but I can't telnet or SSH to it. It doesn't even ask for a user name. The VPN client also times out. Currently, the ruleset is completely open. I tried to make the VPN configuration match our main, working pix, but the version is slightly different. Any suggestions? Thanks. Here is the access list, I can also supply the crypto rules if asked:
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 extended permit ip any any
ip local pool our-pool 172.16.1.240-172.16.1.247 mask 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.abc.def 1
ASKED: October 3, 2006  6:09 PM
UPDATED: October 9, 2006  6:08 PM

Answer Wiki


I figured out the SSH part, had to generate a key.
Still working on the VPN. Here is more of the config:
PIX Version 7.0(1)
aaa-server radiusserver protocol radius
reactivation-mode depletion deadtime 60
max-failed-attempts 5
aaa-server radiusserver host 172.16.1.130
key ourradius
aaa-server radiusserver host 172.16.1.131
key ourradius
http server enable
http 172.16.1.20 255.255.255.255 inside
http 172.16.1.5 255.255.255.255 inside
http xxx.yyy.zzz.aaa 255.255.255.255 outside
crypto ipsec transform-set ESP-AES-192-SHA esp-3des esp-none
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet xxx.yyy.zzz.aaa 255.255.255.255 outside
telnet timeout 5
ssh xxx.yyy.zzz.aaa 255.255.255.255 outside
ssh timeout 5
tunnel-group ourvpn type ipsec-ra
tunnel-group ourvpn general-attributes
address-pool our-pool
authentication-server-group (outside) radiusserver
authentication-server-group (inside) radiusserver
default-group-policy our-vpn
tunnel-group ourvpn ipsec-attributes
pre-shared-key *

Discuss This Question: 3 Replies

  • Croque06
    I will highly recommend you change the following:
    access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 any
    to
    access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    ip local pool our-pool 172.16.1.240-172.16.1.247 mask 255.255.255.248
    to
    ip local pool our-pool 172.16.1.240-172.16.1.247 mask 255.255.255.0
    Now, is the remote client user able to connect to the inside net? Does the remote client time out after no activity?
    Carlos
  • Astronomer
    Carlos: Thanks for the suggestion. I had tried the 255.255.255.0 mask earlier in my experiments. After setting both variables to your suggestions there was no change in the VPN client behavior. The popup error message after timeout actually says: Secure VPN connection terminated locally by the client. Reason: The remote peer is no longer responding. Since I can SSH now, I'm going to try some debug commands and see if I have any visibility on the problem. rt
  • Astronomer
    I figured out the problem. The config was missing the command "isakmp enable outside". I missed this when I compared it to our main pix and didn't know about it in the gui. I stumbled over it in the gui a few minutes ago and now I can establish VPN connections. In the gui it's under configuration/vpn/ike/global parameters. IKE needs to be enabled for the outer interface. Thanks Carlos. I appreciate the responses. This has taken over a week to figure out. rt
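The root cause in this thread (a crypto map bound to the outside interface with no matching "isakmp enable outside") is easy to miss by eye in a long running-config. The following is an added example, not code from the thread or from Cisco: a small lint over PIX 7.0 "show run" text that flags any interface terminating IPsec without IKE enabled, and any tunnel-group address-pool that has no "ip local pool" definition. It assumes the line syntax exactly as posted above; the sample config is constructed from the poster's fragment.

```python
import re

# Constructed sample: the poster's PIX 7.0(1) fragment, still missing
# "isakmp enable outside" (the command the thread identified as the fix).
SAMPLE_CONFIG = """\
ip local pool our-pool 172.16.1.240-172.16.1.247 mask 255.255.255.248
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp policy 20 authentication pre-share
tunnel-group ourvpn type ipsec-ra
tunnel-group ourvpn general-attributes
address-pool our-pool
"""

CRYPTO_MAP_IF = re.compile(r"^crypto map \S+ interface (\S+)$")
ISAKMP_ENABLE = re.compile(r"^isakmp enable (\S+)$")
LOCAL_POOL = re.compile(r"^ip local pool (\S+) ")
ADDRESS_POOL = re.compile(r"^address-pool (\S+)$")


def parse(config):
    """Collect the four facts the checks below need from a running-config."""
    mapped, enabled, pools, used = set(), set(), set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        for rx, bucket in ((CRYPTO_MAP_IF, mapped), (ISAKMP_ENABLE, enabled),
                           (LOCAL_POOL, pools), (ADDRESS_POOL, used)):
            m = rx.match(line)
            if m:
                bucket.add(m.group(1))
    return mapped, enabled, pools, used


def missing_isakmp(config):
    """Interfaces that carry a crypto map but will never answer IKE phase 1."""
    mapped, enabled, _, _ = parse(config)
    return sorted(mapped - enabled)


def undefined_pools(config):
    """Address pools referenced by a tunnel-group but never defined."""
    _, _, pools, used = parse(config)
    return sorted(used - pools)


def lint(config):
    findings = [f"crypto map bound to '{i}' but 'isakmp enable {i}' is absent; "
                f"clients will see 'remote peer is no longer responding'"
                for i in missing_isakmp(config)]
    findings += [f"address-pool '{p}' has no 'ip local pool {p}' definition"
                 for p in undefined_pools(config)]
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```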
