1. Home
  2. Cisco Systems
  3. telnet access to console server (PIX problem)

telnet access to console server (PIX problem)

Guys,

I am having little bit of problem with my config. just need someone to help me.

I have got console servers behind my PIX, which is connected to few routers, switches & servers. I am trying to access console server by telnet and it's not responding however I can ping from PIX firewall but not from outside host (170). I tried assigning public IP directly connecting to my switch where my PIX's outside interface is connected and it works fine but the moment I assignee private IP and connect them behind firewall I can't access. As you can see I have configured static, access-list and access group. Console servers has got default route pointing to 172.16.2.1 . But I think I made silly mistake and can't figure pout what hence need expert's advice.

Can some one please suggest?

Thanks

PIX Version 6.3(3) interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto interface ethernet3 auto interface ethernet4 auto shutdown interface ethernet5 auto shutdown nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security50 nameif ethernet3 console security40 nameif ethernet4 intf4 security30 nameif ethernet5 intf5 security10 hostname pix domain-name cisco.com access-list letmein permit tcp host ***.***.***.170 any eq 5900 access-list letmein permit tcp ***.***.***.136 255.255.255.*** any eq

5900 access-list letmein permit tcp host ***.***.***.170 host ***.***.***.201 eq telnet access-list letmein permit tcp host ***.***.***.170 host ***.***.***.202 eq telnet access-list letmein permit tcp host ***.***.***.170 any eq ftp pager lines 24 logging on logging timestamp logging buffered alerts logging trap debugging logging facility 16 logging host inside 10.0.0.18 icmp permit any echo outside icmp permit any echo-reply outside icmp deny any echo inside icmp deny any echo-reply inside icmp deny any echo dmz icmp deny any echo-reply dmz icmp permit any echo console icmp permit any echo-reply console ip address outside ***.***.***.203 255.255.255.224 ip address inside 10.0.0.1 255.255.255.240 ip address dmz 192.168.1.100 255.255.255.0 ip address console 172.16.2.1 255.255.255.0 global (outside) 1 interface global (dmz) 1 192.168.1.1-192.168.1.99 netmask 255.255.255.0 nat (inside) 1 10.0.0.0 255.255.255.0 0 0 static (inside,outside) tcp interface 5900 10.0.0.18 5900 netmask 255.255.255.255 0 0 static (inside,outside) tcp interface ftp 10.0.0.18 ftp netmask 255.255.255.255 0 0 static (console,outside) tcp ***.***.***.202 telnet 172.16.2.2 telnet netmask 255.255.255.255 0 0 static (console,outside) tcp ***.***.***.201 telnet 172.16.2.3 telnet netmask 255.255.255.255 0 0 access-group letmein in interface outside route outside 0.0.0.0 0.0.0.0 ***.***.***.197 1 route inside 10.0.0.0 255.255.255.0 10.0.0.2 1
Reply to
Rits
Loading thread data ...

You are missing: telnet 172.16.2.0 255.255.255.0 console which allows telnet connection from your console interface.

Doan

Reply to
Doan

I am not trying to access PIX from console server. I am trying to TELNET console server which is connected to my internal Routers, Switches & Servers not PIX.

Reply to
riteshthakker

Ok here is the debug output

111008: User 'enable_15' executed the 'terminal mon' command. 609001: Built local-host console:172.16.2.3 305011: Built static TCP translation from console:172.16.2.3/23 to outside:***.***.***.201/23 302013: Built inbound TCP connection 140 for outside:***.***.***.170/1087 (***.***.***.170/1087) to console:172.16.2.3/23 (***.***.***.201/23) 1 in use, 12 most used

PAT Global ***.***.***.201(23) Local 172.16.2.3(23)

111009: User 'enable_15' executed cmd: show xlate pix(config)# pix(config)# pix(config)# xlate 302014: Teardown TCP connection 140 for outside:***.***.***.170/1087 to console:172.16.2.3/23 duration 0:01:06 bytes 0 Xlate Clear 305012: Teardown static TCP translation from console:172.16.2.3/23 to outside:***.***.***.201/23 duration 0:01:06 609002: Teardown local-host console:172.16.2.3 duration 0:01:06 111008: User 'enable_15' executed the 'clear xlate' command.

609001: Built local-host console:172.16.2.2

305011: Built static TCP translation from console:172.16.2.2/23 to outside:***.***.***.202/23 302013: Built inbound TCP connection 141 for outside:***.***.***.170/1088 (80.229.18.70/1088) to console:172.16.2.2/23 (***.***.***.202/23)

1 in use, 12 most used PAT Global ***.***.***.202(23) Local 172.16.2.2(23)

111009: User 'enable_15' executed cmd: show xlate

302014: Teardown TCP connection 141 for outside:***.***.***.70/1088 to console:172.16.2.2/23 duration 0:02:01 bytes 0 SYN Timeout

305012: Teardown static TCP translation from console:172.16.2.2/23 to outside:***.***.***.202/23 duration 0:02:06

My outside IP address is ***.***.***.203 255.255.255.224. my console servers are ***.***.***.201 & ***.***.***.202, which is part of same subnet. my subnet is ***.***.***.192 and brodcast is ***.***.***.223. so my my default gatway ***.***.***.197 also part of same address range.

Reply to
Rits

as advised earlier i have removed PAT.

static (console,outside) ***.***.***.202 172.16.2.2 netmask

255.255.255.255 0 0 static (console,outside) ***.***.***.201 172.16.2.3 netmask 255.255.255.255 0 0
Reply to
riteshthakker

put in "logging moni deb" and in conf t mode give "term mon" during your telnet access tries.

I would not set up PAT when you have unique IPs, so remove the two static and add: static (console,outside) ***.***.***.202 172.16.2.2 netmask 255.255.255.255

0 0 static (console,outside) ***.***.***.201 172.16.2.3 netmask 255.255.255.255 0 0

Remember to give "clear xlate" whenever you make any changes, and observe your monitor output for any hints on what goes wrong. you might also want to look out for any builds that closes during timeout with no data in session, which would indicate that something else inbetween console interface and AccessServer that might block the telnet and FTP.

HTH Martin Bilgrav

Reply to
Martin Bilgrav

also please make sure tyhat you telnet from the outside interface to the IP xxx.xxx.xxx.201 and .202, which I asumes are in the same range as your PIX outside interface.

Reply to
Martin Bilgrav

HI Martin,

I don't think it is to do with console server and to prove i have done following tests;

1)I done this earlier as well. Assigned public IP 201 & 202respectively to both the console servers and changed default gateway to 197 and connected directly to switch which connects to my ISP and guess what i could telnet straightaway from any public IP.

2)One more test to prove nothing wrong with console server. I assigned ip address 172.16.2.5 and default g/w 172.16.2.1 to my laptop and connected directly to switch which connects PIX (console interface) & both the console servers. Then from laptop I manage to telnet console server . Next I configured PIX to accept telnet connection form console server and i could telnet PIX from console server as well. Which shows that there can't be 3way tcp handshake issue it could be something to do with STATIC translation ?

So this test proves that nothing wrong with console server it seems something is still missing in the pix config ? Agree???

Thanks,

Rits

Reply to
riteshthakker
302014: Teardown TCP connection 141 for outside:***.***.***.70/1088 to console:172.16.2.2/23 duration 0:02:01 bytes 0 SYN Timeout

tells you that there is SYN timeout in your 3way tcp handshake means that your server doesnt make the connection or the ACK packet never finds it way back to the PIX, and later the client

i.e. your problem is not your PIX cfg. Check service is running check routes on server (netstat -rnv) check filters inbetween server and pix interface.

HTH Martin

Reply to
Martin Bilgrav

Check it. One of this is your problem.

"in the Wild" on the internet - This senario doesnt exclude any issues on your LAN. Just proves that your ISP works.

If you have gateway or routing problem or filterproblem, having a directly connected host does not test this.

No

Reply to
Martin Bilgrav

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.