Pix 506e with ssh

Answered Question
Jan 29th, 2008

How can I configure the ssh access on pix 506e?


Overall Rating: 5 (3 ratings)
Correct Answer
Alejandro Corte... Tue, 01/29/2008 - 13:26

Use this configuration:

pix506e(config)# ca zeroize rsa --- erase actual key
pix506e(config)# ca save all -- save changes
pix506e(config)# domain-name ciscopix.com --creates new key
pix506e(config)# ca generate rsa key 1024
For >= 1024, key generation could
take up to several minutes. Please wait.
Keypair generation process begin.
.Success.
pix506e(config)# ca save all -- save new changes

Correct Answer
Alejandro Corte... Tue, 01/29/2008 - 13:38

In the configure mode:

pix(config)# ssh x.x.x.x x.x.x.x outside --- specify the interface through which you access the PIX.

ssh ip address --- netmask --- interface

Correct Answer
ajagadee Tue, 01/29/2008 - 13:38
User Badges:
  • Cisco Employee,

You don't have to apply it anywhere. After you configure the commands posted in the above message, you have to configure the PIX to specify which IP addresses can access which interface using SSH.


Example 1: The below command will allow all IP Addresses on the outside to access the pix via SSH.


ssh 0.0.0.0 0.0.0.0 outside


Example 2: The below command will allow all 10.1.1.0/24 Addresses on the inside to access the pix via SSH.


ssh 10.1.1.0 255.255.255.0 inside


Regards,

Arul


** Please rate all helpful posts **

noeminieto Sat, 03/08/2008 - 10:21

I was able to connect to my PIX 506e using SSH Secure Shell, but now I cannot. I get an error message saying "Connection closed by remote host". We have made no changes to the PIX; all of a sudden it quit working.


Do I need to regenerate the RSA key? Or what should I do?


I am new on managing PIXes.

mkkeyan Mon, 03/10/2008 - 00:06

ssh timeout 10

Issue this command in config mode.


noeminieto Mon, 03/10/2008 - 11:27

Thanks for the response. I changed from the existing 5 to 10 and then to 30.

Now my PIX 501e is doing the same thing.


It is still not working. What else can I do?


Thanks,

Noemi

mkkeyan Tue, 03/11/2008 - 07:50

!The two commands below are used to define the PIX's host name and domain name.
!This is necessary because the RSA keys used for encryption and decryption are
!named using these parameters and also are bound to the PIX via these parameters.
hostname pix123
domain-name test.com

!The command below is used to generate a 1024-bit RSA public/private key pair to
!be used for encryption and decryption.
ca generate rsa key 1024

!The command below is used to save the keys generated to Flash memory.
ca save all

!The commands below are used to tell the PIX to accept SSH connections on its
!outside interface and to set the idle timeout for SSH sessions to 15 minutes.
ssh 10.1.1.1 255.255.255.255 outside
ssh timeout 7

!Furthermore, the PIX can be set up to do authentication for the SSH users
!connecting to it. The following command defines the AAA server group, ssh123, to
!use for authentication. The AAA server address, 10.1.1.200, and the key to
!authenticate to it, mysecure, are also defined.
aaa-server ssh123 (inside) host 10.1.1.200 mysecure

!The following command binds the AAA server group to the protocol TACACS+.
aaa-server ssh123 protocol tacacs+

!The following command is used to tell the PIX box to do authentication for the
!SSH users using the AAA server group, ssh123, defined above.
aaa authentication ssh console ssh123
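
Added example, not part of any post in this thread: a small Python audit of the PIX SSH settings discussed above (`ssh <ip> <mask> <interface>` allow lines, `ssh timeout`, and `aaa authentication ssh console`). The function name `audit_ssh`, the severity labels and the thresholds (256 addresses, 10 minutes) are assumptions chosen for illustration, and the sample configuration is constructed from commands quoted in the thread.

```python
import ipaddress
import re

# Constructed sample, assembled from commands quoted in this thread.
SAMPLE_CONFIG = """\
hostname pix123
domain-name test.com
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 30
"""

SSH_ALLOW = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
SSH_TIMEOUT = re.compile(r"^ssh\s+timeout\s+(\d+)$")
AAA_SSH = re.compile(r"^aaa\s+authentication\s+ssh\s+console\s+(\S+)$")


def audit_ssh(config, max_hosts=256, max_timeout=10):
    """Return (severity, message) findings; both thresholds are assumed policy values."""
    findings, allow_seen, aaa_seen = [], False, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # skip blanks and PIX comment lines
            continue
        if m := SSH_ALLOW.match(line):
            allow_seen = True
            try:
                # strict=False tolerates host bits set in the address field
                net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            except ValueError:  # bad octet or non-contiguous mask
                findings.append(("error", f"invalid address/mask: {line}"))
                continue
            if net.prefixlen == 0:
                findings.append(("high", f"{m[3]}: SSH open to any source ({line})"))
            elif net.num_addresses > max_hosts:
                findings.append(("medium", f"{m[3]}: wide SSH source range {net}"))
        elif m := SSH_TIMEOUT.match(line):
            if int(m[1]) > max_timeout:
                findings.append(("low", f"ssh idle timeout {m[1]} min exceeds {max_timeout}"))
        elif AAA_SSH.match(line):
            aaa_seen = True
    if allow_seen and not aaa_seen:
        findings.append(("medium", "SSH allowed but not tied to an AAA server group"))
    return findings
```
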




