Open up ssh for remote access on PIX 501

Hi guys, Can you please tell me why I can't connect via ssh on this config since I've already opened it?

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Y7EKFZ/WwxR3Oz37 encrypted
passwd Y7EKFZ/WwxR3Oz37 encrypted
hostname pix-sf
domain-name secret.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 192.168.3.0 NYOffice
name 192.168.1.0 SFOffice
name 192.168.1.1 server1
object-group service SBS2003 tcp
  port-object eq 4125
  port-object eq www
  port-object eq 3389
  port-object eq 444
  port-object eq https
  port-object eq smtp
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in permit tcp interface outside object-group SBS2003 host xxx.xxx.xxx.xxx object-group SBS2003
access-list outside_in permit tcp any host xxx.xxx.xxx.xxx eq smtp
pager lines 200
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.1.1 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.1.1 smtp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx (ISP gateway) 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.1.254 source inside prefer
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.1 /pix
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 67.102.218.146
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address zzz.zzz.zzz.zzz netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
management-access inside
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:1f3cfd9bf54c9d4d3afaeb11fbf3aef6
: end

NOTE: xxx.xxx.xxx.xxx - outside IP address

Reply to
Ian McKellan

Did you generate and save the RSA key?


Reply to
Merv

Did you generate a key?

ca generate rsa key 1024
ca save all

Reply to
Brian V

I don't need an rsa key for ssh. The problem lies in the fact that I can't make a connection period. The network connection is refused whenever I try to connect.

Can you see if there's any problems with my access-lists?

Please help.

Reply to
Ian McKellan

You DO need an RSA key to SSH, why the frig do you think I told you to do it, just for the hell of it? You obviously have no clue how SSH works and its reliance on an SSH key to make that function happen. If you are not going to listen to the help in the group why bother asking?

Reply to
Brian V

OH MY GOD!!! Thank you so much for chastising me... I seriously did not know that you need a key; I thought out of the box the key is generated for you. Thanks again Brian.

One more question if you don't mind Brian. You can see that I have a few access-lists and one access-group command. There's a mail server with private IP 192.168.1.1. There's an object-group SBS2003.

The access-list command for SBS2003 is there and I need to associate that with an access-group command to open up those ports. Whenever I put in this command, no ports are open?

access-group outside_access_in in interface outside

(That's why I have the access-list specifically opening port 25, and that access-group command works, port 25 opens)

Is that too confusing? Please help.

Reply to
Ian McKellan

Hi Ian,

No problem on the chastising, it was my pleasure, anytime you feel you need to be just ask!

No Cisco box that I know of comes with a pre-installed key. An RSA key is generated using the hostname and domain name as part of its key; since those are device specific, a "pre-installed" key would never work.

As far as your object group. I believe Walter addressed that in another post, as usual he's right on the money.

-Brian

Reply to
Brian V

Your access-list statement with the object-group doesn't look right in "logical syntax". My guess is this ACL is not in use. You write about this ACL in your access-group command, but my guess is, since the ACL is faulty, that you really mean the other ACL with the port 25 part in.

Anyway, this is in your posted config:

ip address outside xxx.xxx.xxx.xxx 255.255.255.248
access-list outside_in permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-group outside_in in interface outside
static (inside,outside) tcp interface smtp 192.168.1.1 smtp netmask 255.255.255.255

For this to work, the xxx.xxx.xxx.xxx must represent the same host IP. If this is already your case, then the problem is elsewhere.

You can test by using telnet from outside to the IP xxx.xxx.xxx.xxx on port 25, and get a connection.

Also note that you have turned off the eSMTP protection via "no fixup protocol smtp 25". Are you sure you need this turned off?

Also note that your NTP server is the same IP as your inside interface?

If you want to use the ACL with the object-group, I would use this syntax:

access-list outside_access_in permit tcp any host xxx.xxx.xxx.xxx object-group SBS2003
no access-list outside_access_in permit tcp interface outside object-group SBS2003 host xxx.xxx.xxx.xxx object-group SBS2003
access-group outside_access_in in interface outside

Then observe via "show access-list" the hit counts, and also observe the log for any entries. Do a "term mon" while observing.

HTH Martin Bilgrav

Reply to
Martin Bilgrav
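A small audit script, added here and not written by any poster in this thread, that runs the checks raised above over a one-command-per-line PIX 6.3 config: the SSH prerequisites and exposure, the telnet and SNMP defaults, and whether each access-list is actually bound with access-group and has a source that can match inbound traffic. The sample config is constructed from the lines quoted in the thread, with the masked outside address replaced by the documentation address 203.0.113.10; the function name audit_pix_config is my own.

```python
import re
# Constructed sample: the relevant lines of the config posted in this thread, with
# the masked outside address (xxx.xxx.xxx.xxx) replaced by a documentation address.
SAMPLE_CONFIG = """\
hostname pix-sf
domain-name secret.local
access-list outside_access_in permit tcp interface outside object-group SBS2003 host 203.0.113.10 object-group SBS2003
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside
snmp-server community public
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
"""

def audit_pix_config(config: str) -> list[str]:
    """Return findings for a PIX 6.x 'show run' text (one command per line)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    has = lambda prefix: any(l.startswith(prefix) for l in lines)
    findings = []
    # SSH needs an RSA key, built from hostname + domain-name ('ca generate rsa
    # key 1024', then 'ca save all'). The key never appears in 'show run', so
    # only its prerequisites and the 'ssh' access lines can be checked here.
    if not (has("hostname ") and has("domain-name ")):
        findings.append("ssh: hostname and domain-name are required before generating the RSA key")
    ssh_lines = [l for l in lines if re.match(r"ssh \d+\.", l)]
    if not ssh_lines:
        findings.append("ssh: no 'ssh <addr> <mask> <iface>' line; the PIX refuses SSH sessions")
    findings += [f"ssh: reachable from any Internet host: '{l}'"
                 for l in ssh_lines if l.startswith("ssh 0.0.0.0 0.0.0.0 outside")]
    if has("telnet 0.0.0.0 0.0.0.0"):
        findings.append("telnet: cleartext management allowed from every inside host")
    if has("snmp-server community public"):
        findings.append("snmp: well-known community string 'public'")
    # ACL checks. PIX 6.x binds one ACL per interface with access-group, so an
    # ACL that is defined but never applied filters nothing.
    acls: dict[str, list[str]] = {}
    for l in lines:
        if m := re.match(r"access-list (\S+) (.+)", l):
            acls.setdefault(m.group(1), []).append(m.group(2))
    applied = {m.group(1) for l in lines if (m := re.match(r"access-group (\S+) in interface", l))}
    findings += [f"acl {name}: defined but not applied with access-group" for name in acls if name not in applied]
    findings += [f"acl {name}: applied but has no entries" for name in applied - set(acls)]
    for name, aces in acls.items():
        # 'permit tcp interface outside ...' makes the source the PIX's own address,
        # so inbound Internet traffic never matches; the source must be 'any'.
        findings += [f"acl {name}: source is the PIX interface address, use 'any'"
                     for ace in aces if re.match(r"permit \S+ interface ", ace)]
    return findings
```

Running audit_pix_config(SAMPLE_CONFIG) reports five findings, including the unapplied outside_access_in and its unusable "interface outside" source; the same function returns an empty list for a config that binds the corrected ACL and restricts "ssh" to a single management host.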
