Open up ssh for remote access on PIX 501

Discussion in 'Cisco' started by Ian McKellan, Jan 8, 2006.

  1. Ian McKellan

    Ian McKellan Guest

    Hi guys,
    Can you please tell me why I can't connect via ssh on this config since I've
    already opened it?

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password Y7EKFZ/WwxR3Oz37 encrypted
    passwd Y7EKFZ/WwxR3Oz37 encrypted
    hostname pix-sf
    domain-name secret.local
    clock timezone PST -8
    clock summer-time PDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    name NYOffice
    name SFOffice
    name server1
    object-group service SBS2003 tcp
    port-object eq 4125
    port-object eq www
    port-object eq 3389
    port-object eq 444
    port-object eq https
    port-object eq smtp
    access-list inside_outbound_nat0_acl permit ip
    access-list outside_cryptomap_20 permit ip
    access-list outside_access_in permit tcp interface outside object-group
    host object-group SBS2003
    access-list outside_in permit tcp any host eq smtp
    pager lines 200
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location outside
    pdm location inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0 0
    static (inside,outside) tcp interface smtp smtp netmask
    255 0 0
    access-group outside_in in interface outside
    route outside (ISP gateway) 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    ntp server source inside prefer
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside /pix
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address zzz.zzz.zzz.zzz netmask no-xauth
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet inside
    telnet timeout 60
    ssh outside
    ssh outside
    ssh inside
    ssh inside
    ssh timeout 30
    management-access inside
    console timeout 0
    dhcpd address inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    : end

    NOTE: - outside IP address
    Ian McKellan, Jan 8, 2006
    1. Advertisements

  2. Ian McKellan

    Merv Guest

    Merv, Jan 9, 2006
    1. Advertisements

  3. Ian McKellan

    Brian V Guest

    did you generate a key?

    ca generate rsa key 1024
    ca save all
    Brian V, Jan 9, 2006
  4. Ian McKellan

    Ian McKellan Guest

    I don't need an rsa key for ssh. The problem lies in the fact that I can't
    make a connection period. The network connection is refused whenever I try
    to connect.

    Can you see if there's any problems with my access-lists?

    Please help.
    Ian McKellan, Jan 9, 2006
  5. Ian McKellan

    Brian V Guest

    You DO need an RSA key to SSH, why the frig do you think I told you to do
    it, just for the hell of it? You obviously have no clue how SSH works and
    it's reliability on an SSH key to make that function happen. If you are not
    going to listen to the help in the group why bother asking?
    Brian V, Jan 9, 2006
  6. Ian McKellan

    Ian McKellan Guest

    OH MY GOD!!!
    Thank you so much for the chastising me ...I seriously did not know that you
    need a key, i thought out of the box the key is generated for you. Thanks
    again Brian.

    One more question if you don't mind Brian.
    You can see that I have a few access-lists and one access-group command.
    There's a mail server with private ip
    There's on object-group SBS2003.

    The access-list command for SBS2003 is there and I need to associate that
    with a access-group command to open up those ports. Whenever I put in this
    command, no ports are open?

    access-group outside_access_in in interface outside

    (That's why I have the access-list speficically opening port 25, and that
    access-group command works, port 25 opens)

    Is that too confusing? Please help.
    Ian McKellan, Jan 9, 2006
  7. Ian McKellan

    Brian V Guest

    Hi Ian,

    No problem on the chastising, it was my pleasure, anytime you feel you
    need to be just ask! <G>

    No Cisco box that I know of comes with a pre-installed key. A RSA key is
    generated using the hostname and domain name as part of it's key, since
    those are device specific a "pre-installed" key would never work.

    As far as your object group. I believe Walter addressed that in another
    post, as usual he's right on the money.

    Brian V, Jan 9, 2006

  8. Your access-list statment with the object-group doesnt look right in
    "logical syntax"
    My guess is this ACL is not in use.
    You write about this ACL in your aceess-group command, but my guess is,
    since the acl is faulty, that you really mean the other ACL with the port 25
    part in.

    anyway this is in your posted config:

    ip address outside
    access-list outside_in permit tcp any host eq smtp
    access-group outside_in in interface outside
    static (inside,outside) tcp interface smtp smtp netmask

    For this to work, the must represent the same host IP.
    If this is allready your case, then the problem is elsewhere.

    you can test by using telnet from outside to the IP on port
    25, and get a conenction.

    Also note that you have turned off the eSMTP protection, via "no fixup
    protocol smtp 25"
    Are you sure you need this turned off ?

    Also note that your NTP server is the same IP as your inside interface ?

    If you what to use the ACL with the object-group, I would use this syntax:

    access-list outside_access_in permit tcp any host
    object-group SBS2003
    no access-list outside_access_in permit tcp interface outside object-group
    SBS2003 host object-group SBS2003
    access-group outside_access_in in interface outside

    then observer via "show access-list" the hitcounts, and also observe the log
    for any entries.
    Do a Term mon, while observing.

    Martin Bilgrav
    Martin Bilgrav, Jan 9, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.