ssh access to pix

Discussion in 'Cisco' started by timxcd, Jan 20, 2005.

  1. timxcd

    timxcd Guest

    I am having a problem where I add the ssh ip address that I want to
    connect from to the pix config, I set the correct passwords, pix,
    cisco, then I do the ca save all, but I still cannot connect. I looked
    at the documentation and I think I have everything covered, any suggestions on
    why it wouldn't connect?

    Thanks in advance.
     
    timxcd, Jan 20, 2005
    #1

  2. On 20.01.2005 20:39 timxcd wrote

    > I am having a problem where I add the ssh ip address that I want to
    > connect from to the pix config, I set the correct passwords, pix,
    > cisco, then I do the ca save all, but I still cannot connect. I looked
    > at the documentation and I think I have everything covered, any suggestions on
    > why it wouldn't connect?
    >


    Given your internal network is 192.168.1.0/24

    ssh 192.168.1.0 255.255.255.0 inside

    should do.

    What does your config look like?




    Arnold
    --
    Arnold Nipper, AN45
     
    Arnold Nipper, Jan 20, 2005
    #2

  3. timxcd

    Mike W. Guest

    "timxcd" <> wrote in message
    news:...
    > I am having a problem where I add the ssh ip address that I want to
    > connect from to the pix config, I set the correct passwords, pix,
    > cisco, then I do the ca save all, but I still cannot connect. I looked
    > at the documentation and I think I have everything covered, any suggestions on
    > why it wouldn't connect?
    >
    > Thanks in advance.
    >



    Are you talking about SSH'ing in from say your home IP to your PIX public ip
    address, or internal SSH? I set up SSH for myself at home to get to my PIX
    515. Here is the line I added to get it working:

    ssh 69.X.X.X 255.255.255.255 outside
    ssh timeout 60 (or however long you want)

    Besides that, it sounds like you've done everything right. Is it an issue
    with the client you're using to connect? I like TeraTerm Pro with SSH.
    Here's a good write-up on SSH to the PIX:

    http://www.ciscopress.com/articles/article.asp?p=25342&seqNum=3

    And don't forget: conf t
    debug ssh
     
    Mike W., Jan 20, 2005
    #3
  4. timxcd

    Brian V Guest

    "timxcd" <> wrote in message
    news:...
    >I am having a problem where I add the ssh ip address that I want to
    > connect from to the pix config, I set the correct passwords, pix,
    > cisco, then I do the ca save all, but I still cannot connect. I looked
    > at the documentation and I think I have everything covered, any suggestions on
    > why it wouldn't connect?
    >
    > Thanks in advance.
    >


    Tim,
    You say you are doing a ca save all, but do not mention generating a key,
    did you generate the key?

    All you should need is:

    ca generate rsa key 1024
    ca save all
    ssh x.x.x.x y.y.y.y outside (or inside depending on the direction)
    wr mem

    -Brian
     
    Brian V, Jan 20, 2005
    #4
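The `ssh <address> <netmask> <interface>` permit lines quoted in the replies above can be checked offline against a saved config. This is an added example, not code from any poster; the sample config, the function names and the /24 "too broad" threshold are assumptions.

```python
import ipaddress
import re

# Constructed sample config (not from the thread); 203.0.113.10 is a documentation address.
SAMPLE_CONFIG = """\
ssh 192.168.1.0 255.255.255.0 inside
ssh 203.0.113.10 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
"""

SSH_PERMIT = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")
SSH_TIMEOUT = re.compile(r"^ssh\s+timeout\s+(\d+)\s*$")

def parse_ssh(config):
    """Return ([(network, interface), ...], timeout in minutes or None)."""
    permits, timeout = [], None
    for line in config.splitlines():
        line = line.strip()
        m = SSH_PERMIT.match(line)
        if m:
            # strict=False tolerates host bits set in the address field
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            permits.append((net, m.group(3)))
            continue
        m = SSH_TIMEOUT.match(line)
        if m:
            timeout = int(m.group(1))
    return permits, timeout

def client_allowed(config, client_ip, interface):
    """True if some ssh permit on `interface` covers client_ip."""
    addr = ipaddress.ip_address(client_ip)
    permits, _ = parse_ssh(config)
    return any(iface == interface and addr in net for net, iface in permits)

def broad_permits(config, interface="outside", min_prefix=24):
    """Permits on `interface` wider than /min_prefix (threshold is an assumption)."""
    permits, _ = parse_ssh(config)
    return [str(net) for net, iface in permits
            if iface == interface and net.prefixlen < min_prefix]

if __name__ == "__main__":
    print(client_allowed(SAMPLE_CONFIG, "192.168.1.25", "inside"))
    print(broad_permits(SAMPLE_CONFIG))
```

This covers only the permit lines; whether an RSA key has been generated and saved, which the replies above ask about, has to be checked on the device itself.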
  5. timxcd

    timxcd Guest

    Brian,

    you are right, I did

    ca gen rsa k 768

    then the

    ca save all

    added the ssh address and it worked.

    Mike W, thanks for the debugging tip on the ssh, that is how I figured
    I needed to create a public key.

    the ca gen rsa k 768

    is in the documentation on pix firewall command reference, it says to
    use

    The larger the key modulus size you specify, the longer it takes to
    generate an RSA. We recommend a
    default value of 768.

    so, that is what I used, does anyone know the difference between 768
    and 1024?

    -timxcd
     
    timxcd, Jan 20, 2005
    #5
  6. On 20.01.2005 22:26 timxcd wrote


    > so, that is what I used, does anyone know the difference between 768
    > and 1024?
    >


    of course: 256 ;-) ... Actually a 1024 key is harder to crack than a 768
    key.





    Arnold
     
    Arnold Nipper, Jan 20, 2005
    #6
  7. Hi timxcd,

    If you have generated and saved the key, enable the ssh access command for
    your ssh client on the pix.

    I guess you are trying to ssh to the outside interface of the pix or
    trying to ssh to the inside interface via the outside interface. PIX
    would not allow that as it does not allow ssh or telnet to the lowest
    security level interface of the FW which for your case should be the
    outside normally.

    You may want to try the other interface (inside), hope that solves your
    issue.

    <yongaik@singapore>
     
    yongaik@singapore, Jan 21, 2005
    #7
  8. timxcd

    BadCzech Guest

    Another command to remember if you are unable to connect through TTERM PRO
    is:

    ca zeroize rsa key

    Sometimes my keys get mismatched and TTERM won't connect. I am forced to
    https://<IP of outside int> and zeroize the key and generate a new key.
    TTERM will then recognize the new key and add it to the list...glad it's
    working for you though.

    Cz
     
    BadCzech, Jan 21, 2005
    #8
  9. timxcd

    zillah

    I had the same problem before
     
    zillah, Nov 5, 2006
    #9