Can't ssh on pix from outside interface

Answered Question
Jul 10th, 2007

I am using s/w ver 7.0(4).


The config for ssh is:

crypto key generate rsa modulus 1024

wr mem

ssh a.b.c.d 255.255.255.255 outside


but it's not working.


Please help

Jagdeep Gambhir Tue, 07/10/2007 - 07:03

Hi ,

Config looks ok to me.


In order to access the PIX from the outside interface you need this: ssh <ip address> <netmask> outside


As an example, I am using my IP address:

ssh 200.9.49.66 255.255.255.255 outside


If you want to provide access but you do not know the IP, then: ssh 0 0 outside


Make sure that there is no access list blocking ssh.


Finally try reloading the box.


Regards,

~JG

Farhan Jaffer Tue, 07/10/2007 - 07:28

Thanks JG for comments.

I have tried all these options but :(


Is there any alternate way to access PIX from outside interface?


??


schakra Tue, 07/10/2007 - 09:07

Hi,


Use this command in addition to your command.


aaa authentication ssh console LOCAL


Also create a local username & password like


username cisco password cisco privilege 0


Download PuTTY & enjoy ssh to your PIX.


Use the username & password you created to log in through your ssh client.


If it still does not work, let me know.


If it works, please rate this.


Regards




Jagdeep Gambhir Tue, 07/10/2007 - 10:44

I would like to see the running config from the box.


Regards,

Eric Boadu Tue, 07/10/2007 - 11:30

ca generate rsa key 1024

show ca mypubkey rsa

ca save all


ssh 10.x.x.1 255.255.255.255 outside

ssh timeout 60


wr mem

or

ssh a.b.c.d 255.255.255.255 outside.dcp. Depends on your model and config. Hope this helps.


Eric

Farhan Jaffer Wed, 07/11/2007 - 03:14

tried all but nops.

Not successful. I have done the same several times & it works, but ...


Any other idea?? OR any other alternative?

Eric Boadu Wed, 07/11/2007 - 04:38

version 7.x should be fine.

Try ACL allowing outside ssh host access.


access-list OUTSIDE extended permit ip 192.168.1.x 255.255.255.0 any eq ssh, etc etc.

or

management-access outside or inside >> I think.


E

Farhan Jaffer Wed, 07/11/2007 - 04:49

access-list outside extended permit ip any any


is allowed already on outside interface.


acomiskey Wed, 07/11/2007 - 04:52

Do you by chance have a 1 to 1 static using the outside interface?


Also, you do not need to allow this traffic in an acl.

Farhan Jaffer Wed, 07/11/2007 - 05:08

yup exactly.

static map is there.


static (inside, outside) x.x.x.x y.y.y.y netmask 255.255.255.255


Will it interrupt anything?

Correct Answer
acomiskey Wed, 07/11/2007 - 05:12

Yes, if your outside interface is mapped to y.y.y.y then you will not be able to ssh to x.x.x.x as it will be forwarding this to y.y.y.y.


You could change from a 1 to 1 static to port address translation for each particular port you need forwarded to y.y.y.y.


Please rate helpful posts.
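
A config check for the condition identified in the accepted answer, as an added example that is not part of the original thread: it flags any static translation that takes over an interface's own address on an interface where `ssh` management is configured. The function names, the PIX 7.x-style config layout it parses, and the sample addresses are assumptions constructed for illustration.

```python
import re

# Constructed PIX 7.x-style sample; addresses are documentation ranges, not the thread's.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
interface Ethernet1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
ssh 198.51.100.7 255.255.255.255 outside
static (inside,outside) 203.0.113.2 10.0.0.5 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.3 www 10.0.0.6 www netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((\S+?),\s*(\S+?)\)\s+(\S.*)$")
SSH_RE = re.compile(r"^ssh \S+ \S+ (\S+)$")

def interface_addresses(config):
    """Map each nameif to the IP configured in its interface block."""
    addrs, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):
            name = None  # a top-level line ends the previous interface block
        elif words[:1] == ["nameif"] and len(words) > 1:
            name = words[1]
        elif words[:2] == ["ip", "address"] and name and len(words) > 2:
            addrs[name] = words[2]
    return addrs

def shadowed_ssh(config):
    """Return (interface, static line) pairs where a static forwards SSH sent to the interface's own address."""
    lines = config.splitlines()
    addrs = interface_addresses(config)
    ssh_ifs = {m.group(1) for m in map(SSH_RE.match, lines) if m}
    findings = []
    for line in lines:
        m = STATIC_RE.match(line)
        if not m or m.group(2) not in ssh_ifs:
            continue
        iface, rest = m.group(2), m.group(3).split()
        if rest[0] in ("tcp", "udp"):  # static PAT: only the named port is forwarded
            if len(rest) < 3 or rest[0] != "tcp" or rest[2] not in ("ssh", "22"):
                continue
            rest = rest[1:]  # drop the protocol so rest[0] is the mapped address
        if rest[0] in ("interface", addrs.get(iface)):
            findings.append((iface, line))
    return findings
```

Running `shadowed_ssh(SAMPLE_CONFIG)` reports the 1 to 1 static on the outside address; rewriting that line as a port-specific static clears the finding.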
