Can't ssh on pix from outside interface

Farhan Jaffer
Level 1

I am using s/w ver 7.0(4).

The config for ssh is:

crypto key generate rsa modulus 1024

wr mem

ssh a.b.c.d 255.255.255.255 outside

but it's not working.

Please help

Jagdeep Gambhir
Level 10

Hi ,

Config looks ok to me.

In order to access the PIX from the outside interface you need this: ssh <ip address> <netmask> outside

As an example, I am using my IP address:

ssh 200.9.49.66 255.255.255.255 outside

If you want to provide access but you do not know the IP then: ssh 0 0 outside

Make sure that there is no access list blocking ssh.

Finally try reloading the box.

Regards,

~JG

Thanks JG for comments.

I have tried all these options but :(

Is there any alternate way to access PIX from outside interface?

??

Hi,

Use this command in addition to your command.

aaa authentication ssh console LOCAL

Also create a local username & password like

username cisco password cisco privilege 0

Download PuTTY & enjoy ssh to your PIX.

Use the username & password you created to log in through your ssh client.

If it still does not work, let me know.

If it works, please rate this.

Regards

I would like to see the running config from the box.

Regards,

Eric Boadu
Level 1

ca generate rsa key 1024

show ca mypubkey rsa

ca save all

ssh 10.x.x.1 255.255.255.255 outside

ssh timeout 60

wr mem

or

ssh a.b.c.d 255.255.255.255 outside.dcp. Depends on your model and config. Hope this helps.

Eric

Tried all but nope.

Not successful. I have done the same several times & it works, but ...

Any other idea?? OR any other alternative?

Can it be the issue of IOS?

Version 7.x should be fine.

Try ACL allowing outside ssh host access.

access-list OUTSIDE extended permit ip 192.168.1.x 255.255.255.0 any eq ssh, etc etc.

or

management-access outside or inside >> I think.

E

Can you post the sh run?

access-list outside extended permit ip any any

is allowed already on outside interface.

Do you by chance have a 1 to 1 static using the outside interface?

Also, you do not need to allow this traffic in an acl.

Yup, exactly.

Static map is there.

static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

Will it interrupt anything?

Yes, if your outside interface is mapped to y.y.y.y then you will not be able to ssh to x.x.x.x as it will be forwarding this to y.y.y.y.

You could change from a 1 to 1 static to port address translation for each particular port you need forwarded to y.y.y.y.

Please rate helpful posts.

That works.

Thanks
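
The change described in the answer above, written out as PIX 7.x configuration. This is an added example, not part of the original thread: x.x.x.x, y.y.y.y and a.b.c.d are the thread's placeholders, and the forwarded services (www and smtp) are assumptions, since the thread does not say which ports are needed.

```cisco
! Before (from the thread): one-to-one static. When x.x.x.x is the outside
! interface address, every packet sent to it, SSH included, is translated
! to y.y.y.y and never reaches the PIX's own SSH server.
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

! After: remove the one-to-one static ...
no static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

! ... and forward only the ports the inside host actually serves.
! Assumed services for illustration: HTTP and SMTP on y.y.y.y.
static (inside,outside) tcp interface www y.y.y.y www netmask 255.255.255.255
static (inside,outside) tcp interface smtp y.y.y.y smtp netmask 255.255.255.255

! Drop translations that were built from the old static.
clear xlate

! Unchanged from the original post: management SSH from one trusted host.
ssh a.b.c.d 255.255.255.255 outside

! Verification from the PIX console.
show running-config static
show running-config ssh
show ssh sessions
```

With per-port statics, only the forwarded ports reach y.y.y.y from outside, so the inside host is also less exposed than it was behind the one-to-one static and the `permit ip any any` ACL quoted earlier in the thread.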
