RE: Lock out by PIX [7:56342]

2002-10-25 Thread Mark W. Odette II
... to keep from being locked out, you should remove the crypto map from
the interface, i.e., "no crypto map  interface outside".

This will kill any new crypto sessions from being initiated, and I am
not sure if it also kills the current crypto sessions, but it will keep
you from being locked out.  If you don't do this, you will experience
the problem you are having.  The PIX is still functioning and doing its
job; it's just doing its job extra well now because it has no crypto
definitions to run against in its process of analyzing packets coming in
from the outside.

Bounce the PIX (by calling someone to do it for you), and you should
have your access restored.

-Mark 
-Original Message-
From: Leo Song [mailto:lsong@dataphile.ca] 
Sent: Friday, October 25, 2002 11:02 PM
To: [EMAIL PROTECTED]
Subject: Lock out by PIX [7:56342]

Hi, there.

I connected to a PIX through the Outside interface by using SSH, and to
make some changes on the VPN tunnel, first of all I removed the "crypto map
xxx match address xxx" in order to change that ACL, but just after that
I was locked out and lost the connection to that PIX, and now I can't
even ping that PIX while I could do so before, and my concerns and
questions are:

1. Is that PIX still working "properly", say the users could get access
Outside from Inside, and it just locks SSH out or any access from
Outside?

2. What are the generally suggested methods or steps when dealing with ACL
or tunnel changes on a PIX, in order to avoid being locked out?

3. Is there any remedy solution at present (I don't have physical
access to that PIX right now)?


Appreciate all of your help.

Leo
Best Regards.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56343&t=56342
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Lock out by PIX [7:56342]

2002-10-26 Thread Shahid Muhammad Shafi
Hi Leo,
Whatever you are writing here is simply bad, period!! No, the PIX is useless,
meaning no access for anybody from outside. Why? I'll explain in a sec.
The only way you can connect to this PIX is to use the console or any other
interface other than outside.
I believe you first removed your ACL corresponding to match address, right? If
yes, then you are locked out because there is no ACL corresponding to match
address, and the default behaviour is to encrypt everything, and I repeat,
everything. So your PIX is simply dropping anything which is not encrypted, plus
it is so busy in the enc/decryption process that it has no time to allocate
resources for your SSH sessions. If no, then you should remove the entire
crypto map and should not start with match address.
This is a HAT wearing offence!! ;)
Yeah, please login via console and go from there.
Shahid
 
Shahid Muhammad Shafi
"Every man dies; not every man really lives"

remember, if God bringz u 2 it, He WILL bring u thru it!!!-





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56348&t=56342



RE: Lock out by PIX [7:56342]

2002-10-26 Thread Brett spunt
Just reboot the PIX... SSH has nothing to do with crypto maps or VPNs.
It just allows secure remote access through the outside interface via
secure shell :)  No VPN connection involved.
As the previous response stated earlier, you should have first removed
the crypto map binding to the outside interface to avoid the
issue...

-Original Message-
From: [EMAIL PROTECTED] [mailto:nobody@groupstudy.com]On Behalf Of
Shahid Muhammad Shafi
Sent: Saturday, October 26, 2002 6:52 AM
To: [EMAIL PROTECTED]
Subject: Re: Lock out by PIX [7:56342]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56355&t=56342
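The change sequence the three replies converge on (Mark: unbind the crypto map from the interface before touching the ACL; Shahid: remove the whole crypto map rather than starting with "match address"; Brett and Mark: a reload brings access back), written out as an added PIX 6.x configuration example for Leo's question 2. This is not configuration from the thread or from anyone in it. The map name MYMAP, the crypto ACL name VPN_ACL, the transform set MYSET, the peer 198.51.100.1, the protected subnets and the management host 203.0.113.5 are all assumed placeholders.

```cisco
! Added example, not from the thread. All names and addresses are assumed.
!
! --- Starting state: running config, already saved with "write memory" ---
access-list VPN_ACL permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address VPN_ACL
crypto map MYMAP 10 set peer 198.51.100.1
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface outside
ssh 203.0.113.5 255.255.255.255 outside

! --- What locked Leo out: the map stays bound to the outside interface
! while its crypto ACL is removed. Per the thread, the PIX then stops
! accepting unencrypted traffic (SSH, ping) on that interface.
! Do NOT issue this over an SSH session that arrives on outside:
no crypto map MYMAP 10 match address VPN_ACL

! --- Safe order for an ACL change, per Mark's reply ---
! 1. Unbind the map from the interface first. The outside interface is
!    then handled without any crypto map, so the admin SSH session stays
!    up (existing IPsec tunnels on that interface will drop).
no crypto map MYMAP interface outside

! 2. Now rewrite the crypto ACL. On PIX 6.x access-list lines are removed
!    and appended individually: here the remote subnet changes from
!    10.2.2.0/24 to 10.3.3.0/24.
no access-list VPN_ACL permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN_ACL permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0

! 3. Check the ACL and the map entry before rebinding.
show access-list VPN_ACL
show crypto map
crypto map MYMAP interface outside

! 4. Commit only after you have opened a fresh SSH session from
!    203.0.113.5 and seen the tunnel rebuild. Until "write memory" runs,
!    a reload (Brett's and Mark's remedy) boots the last saved config,
!    which is why a reboot restores the pre-change access.
write memory
```

When the box can be reached from the inside interface or the console, as Shahid suggests, do the whole sequence from there instead; the unbind-then-rebind order still avoids the window in which a bound map has no crypto ACL, and it keeps the reload fallback meaningful by leaving the saved configuration untouched until the change is verified.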