jd6strings
Frequent Visitor
Topic Author
Posts: 73
Joined: Tue Dec 20, 2005 8:24 pm

VPN - Mikrotik-->Cisco Pix

Wed May 20, 2009 4:46 pm

Hello all:

I'm working on a tunnel between a MT (v2.9.50) and a Cisco Pix. The tunnel is successfully established and the Pix side can ping into an internal IP on the MT side. However, there is a necessity for the Pix side to telnet into an IP on the MT side and that is NOT working.

I've checked all my firewall rules and I'm not specifically blocking port 23, nor am I doing any destination NATing that would cause the telnet attempts to fail. The dynamically created IPsec policies are correct in the sense that the telnet session is coming from one of the Pix-side IPs allowed in the policy.

Any ideas?

Here's the config on the MT side (the only side I have control of):

[admin@router] ip ipsec peer> print
Flags: X - disabled
0 address=123.123.123.123/32:500 secret="ABCDEFGHIJKLMNOP"
generate-policy=yes exchange-mode=main send-initial-contact=no
proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=8h lifebytes=0

[admin@router] ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - invalid
0 D src-address=192.168.1.10/32:any dst-address=192.168.187.20/32:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=321.321.321.321 sa-dst-address=123.123.123.123
proposal=default dont-fragment=clear

1 D src-address=192.168.1.10/32:any dst-address=192.168.187.21/32:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=321.321.321.321 sa-dst-address=123.123.123.123
proposal=default dont-fragment=clear

2 D src-address=192.168.1.10/32:any dst-address=192.168.187.47/32:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=321.321.321.321 sa-dst-address=123.123.123.123
proposal=default dont-fragment=clear

[admin@router] ip ipsec remote-peers> print
0 local-address=321.321.321.321 remote-address=123.123.123.123
state=established side=responder established=may/20/2009 06:25:42
ph2-active=0 ph2-total=3

THANKS AS ALWAYS!!!
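An added example (not code from the original post or from MikroTik) for the question the post raises: whether the dynamic policies above actually select the telnet flow in both directions. The script parses the text of `/ip ipsec policy print` exactly as printed in the post (the sample is copied from it), then checks the PIX-side SYN arriving at 192.168.1.10:23 and the SYN/ACK going back. It assumes, as RouterOS does, that a policy also covers the reverse direction of its selector; the function and class names are the example's own.

```python
"""Which RouterOS IPsec policy, if any, selects a given flow?

Added example, not part of the original post. Parses `/ip ipsec policy print`
output and checks both directions of a TCP session against the selectors.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three dynamic policies from the post, verbatim.
POLICY_PRINT = """\
Flags: X - disabled, D - dynamic, I - invalid
0 D src-address=192.168.1.10/32:any dst-address=192.168.187.20/32:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=321.321.321.321 sa-dst-address=123.123.123.123
proposal=default dont-fragment=clear

1 D src-address=192.168.1.10/32:any dst-address=192.168.187.21/32:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=321.321.321.321 sa-dst-address=123.123.123.123
proposal=default dont-fragment=clear

2 D src-address=192.168.1.10/32:any dst-address=192.168.187.47/32:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=321.321.321.321 sa-dst-address=123.123.123.123
proposal=default dont-fragment=clear
"""

# An entry starts with its index, optional flag letters, then key=value pairs.
ENTRY_RE = re.compile(r"^(\d+)\s+((?:[XDI]\s+)*)(\S+=.*)$")


@dataclass
class Policy:
    index: int
    flags: str                       # e.g. "D" for dynamic, "X" for disabled
    src_net: ipaddress.IPv4Network
    src_port: str                    # "any" or a port number as text
    dst_net: ipaddress.IPv4Network
    dst_port: str
    protocol: str                    # "all", "tcp", "udp", "icmp", ...
    attrs: dict                      # remaining key=value pairs, kept verbatim


def _split_selector(sel: str):
    """'192.168.1.10/32:any' -> (IPv4Network('192.168.1.10/32'), 'any')"""
    net, _, port = sel.rpartition(":")
    return ipaddress.ip_network(net, strict=False), port


def parse_policies(text: str) -> list:
    entries = []  # (index, flags, [attribute lines])
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).strip(), [m.group(3)]))
        elif line.strip() and entries and "=" in line:
            entries[-1][2].append(line.strip())   # continuation of last entry
    policies = []
    for idx, flags, parts in entries:
        attrs = dict(re.findall(r"(\S+?)=(\S+)", " ".join(parts)))
        src_net, src_port = _split_selector(attrs.pop("src-address"))
        dst_net, dst_port = _split_selector(attrs.pop("dst-address"))
        policies.append(Policy(idx, flags, src_net, src_port, dst_net, dst_port,
                               attrs.pop("protocol", "all"), attrs))
    return policies


def _port_ok(policy_port: str, flow_port: Optional[int]) -> bool:
    return policy_port == "any" or (flow_port is not None and int(policy_port) == flow_port)


def selecting_policy(policies, src_ip, dst_ip, proto, src_port=None,
                     dst_port=None, inbound=False) -> Optional[Policy]:
    """First enabled, valid policy whose selector covers the flow.

    Assumption: a RouterOS policy also applies to the mirrored (inbound)
    direction, so inbound flows are compared against the swapped selector.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    sp, dp = src_port, dst_port
    if inbound:
        s, d, sp, dp = d, s, dp, sp
    for p in policies:
        if "X" in p.flags or "I" in p.flags:      # disabled or invalid
            continue
        if p.protocol not in ("all", proto):
            continue
        if s in p.src_net and d in p.dst_net and _port_ok(p.src_port, sp) and _port_ok(p.dst_port, dp):
            return p
    return None


def tcp_session_coverage(policies, client_ip, server_ip, server_port):
    """Policy index covering the client->server packet and the reply, or None for each."""
    fwd = selecting_policy(policies, client_ip, server_ip, "tcp", dst_port=server_port, inbound=True)
    rev = selecting_policy(policies, server_ip, client_ip, "tcp", src_port=server_port)
    return (fwd.index if fwd else None, rev.index if rev else None)


if __name__ == "__main__":
    pols = parse_policies(POLICY_PRINT)
    for client in ("192.168.187.20", "192.168.187.47", "192.168.187.30"):
        print(client, "-> 192.168.1.10:23 covered by policies", tcp_session_coverage(pols, client, "192.168.1.10", 23))
```

For the three PIX-side hosts in the post the checker returns the same policy for both directions, which is what you expect from host-to-host selectors with protocol=all and port any; a client outside those three hosts returns (None, None) and would not be handled by IPsec at all. When the selector does cover the flow, as here, the selector is not the cause and the next things to look at are the target host's telnet listener and the firewall on the path.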
 
melwong
newbie
Posts: 36
Joined: Tue Mar 10, 2009 11:43 am

Re: VPN - Mikrotik-->Cisco Pix

Wed May 20, 2009 4:50 pm

LOL... Is there an IP 321.321.321.321???

Anyway, check your IP->Services to see if the telnet service is running?
 
jd6strings
Frequent Visitor
Topic Author
Posts: 73
Joined: Tue Dec 20, 2005 8:24 pm

Re: VPN - Mikrotik-->Cisco Pix

Wed May 20, 2009 4:55 pm

:D If it's that simple, I'm going to be frustrated....