SSH and Port Forwarding on a PIX501

Discussion in 'Cisco' started by Gordon Montgomery, Apr 11, 2006.

  1. I have been trying to enable SSH to an offsite PIX with no
    luck. I get the prompt for user and password, but it does
    not accept the valid user and pass that is programmed
    on the PIX.

    I have also tried to enable some port forwarding so
    that I can use PCAnywhere from anywhere. I can see
    the pca access list count increment each time I try to
    connect, but no connection ever happens. I have only
    been able to test this from within my main site address
    space, and I think that may be confusing things. If someone
    could just tell me if the config should work, I would
    appreciate it.

    Please, someone, whack me up the side of the head
    and tell me what I'm missing.

    *********Config***********
    Building configuration...
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxx encrypted
    passwd xxxxx encrypted
    hostname Nauvoo-Pix
    domain-name domain.com
    clock timezone cst -6
    clock summer-time cdt recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list nonat permit ip 10.0.1.0 255.255.255.0 MainIP.0 255.255.255.0
    access-list 101 permit ip 10.0.1.0 255.255.255.0 MainIP.0 255.255.255.0
    access-list pca permit tcp any interface outside eq pcanywhere-data
    access-list pca permit udp any interface outside eq pcanywhere-status
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 10.0.1.10 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location MainIP.0 255.255.255.0 outside
    pdm location MainIP.0 255.255.255.0 inside
    pdm location 10.0.1.1 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface pcanywhere-data 10.0.1.1 pcanywhere-data
    netmask 255.255.255.255 0 0
    static (inside,outside) udp interface pcanywhere-status 10.0.1.1
    pcanywhere-status netmask 255.255.255.255 0 0
    access-group pca in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authorization command LOCAL
    ntp server MainIP.1 source outside
    http server enable
    http MainIP.0 255.255.255.0 outside
    http 10.0.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set lsi esp-3des esp-sha-hmac
    crypto map lsimap 1 ipsec-isakmp
    crypto map lsimap 1 match address 101
    crypto map lsimap 1 set peer 65.90.50.46
    crypto map lsimap 1 set transform-set lsi
    crypto map lsimap interface outside
    isakmp enable outside
    isakmp key ******** address CorpEndIP netmask 255.255.255.255
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash sha
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 86400
    telnet MainIP.0 255.255.255.0 outside
    telnet 10.0.1.0 255.255.255.0 inside
    telnet MainIP.0 255.255.255.0 inside
    telnet timeout 5
    ssh MainIP.0 255.255.255.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd address 10.0.1.100-10.0.1.131 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username user password xxxxxx encrypted privilege 15
    terminal width 80
    : end
    ********End Config*********

    Thanks,


    Gordon Montgomery
    Living Scriptures, Inc
    (anti spam - replace lsi with livingscriptures)
    (801) 627-2000
    Gordon Montgomery, Apr 11, 2006
    #1
    1. Advertising

  2. In article <>, (Gordon Montgomery) wrote:
    >I have been trying to enable SSH to an offsite PIX with no
    >luck. I get the prompt for user and password, but it does
    >not accept the valid user and pass that is programmed
    >on the PIX.


    As is always the case, 15 minutes after I post, I find an
    answer. If I do not have AAA authentication set up specifically
    for SSH, I need to use PIX as the user name with my telnet
    password. I thought SSH would use the user programmed
    near the end of the config.

    I still would like a response on the port forwarding though.

    Thanks,


    Gordon Montgomery
    Living Scriptures, Inc
    (anti spam - replace lsi with livingscriptures)
    (801) 627-2000
    Gordon Montgomery, Apr 11, 2006
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Balt
    Replies:
    1
    Views:
    3,295
    Martin Bilgrav
    Feb 13, 2004
  2. Anonymous Sender

    ssh forwarding to ssl proxy?

    Anonymous Sender, Dec 11, 2003, in forum: Computer Security
    Replies:
    2
    Views:
    619
  3. FTP SSH port forwarding

    , Dec 27, 2006, in forum: Computer Security
    Replies:
    0
    Views:
    477
  4. ToyalP2
    Replies:
    7
    Views:
    1,514
    ToyalP2
    Jan 7, 2008
  5. Raisen

    SSH Forwarding

    Raisen, Feb 19, 2009, in forum: Computer Support
    Replies:
    8
    Views:
    1,038
    Weydson
    Feb 20, 2009
Loading...

Share This Page