Pix 506e with ssh

Answered Question
Jan 29th, 2008

How can I configure the ssh access on pix 506e?

Correct Answer
Alejandro Corte... Tue, 01/29/2008 - 13:26

Use this configuration:

pix506e(config)# ca zeroize rsa --- erase actual key

pix506e(config)# ca save all -- save changes

pix506e(config)# domain-name ciscopix.com --creates new key

pix506e(config)# ca generate rsa key 1024

For >= 1024, key generation could

take up to several minutes. Please wait.

Keypair generation process begin.

.Success.

pix506e(config)# ca save all -- save new changes

Correct Answer
Alejandro Corte... Tue, 01/29/2008 - 13:38

in the configure mode:

pix(config)#ssh x.x.x.x x.x.x.x outside --- specify the interface through which you are accessing.

ssh ip address --- netmask ---- interface

Correct Answer
ajagadee Tue, 01/29/2008 - 13:38

You don't have to apply it anywhere. After you configure the commands posted in the above message, you have to configure the pix to allow which IP Addresses can access which interface using SSH.

Example 1: The below command will allow all IP Addresses on the outside to access the pix via SSH.

ssh 0.0.0.0 0.0.0.0 outside

Example 2: The below command will allow all 10.1.1.0/24 Addresses on the inside to access the pix via SSH.

ssh 10.1.1.0 255.255.255.0 inside

Regards,

Arul

** Please rate all helpful posts **
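An added example, not part of the original posts: a small Python check that reads `ssh <ip> <netmask> <interface>` lines in the form shown in this thread, reports the source range each rule admits, and flags rules that admit every address on an untrusted interface. The function names, the `untrusted` parameter and the sample config are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config, using the "ssh <ip> <netmask> <interface>" form
# from the posts in this thread (not taken from a real device).
SAMPLE_CONFIG = """\
hostname pix123
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.1 255.255.255.255 outside
ssh timeout 7
"""

# Matches only the address/netmask/interface form, not "ssh timeout N".
SSH_RULE = re.compile(
    r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def parse_ssh_rules(config_text):
    """Return [(interface, IPv4Network)] for every ssh permit line."""
    rules = []
    for line in config_text.splitlines():
        m = SSH_RULE.match(line.strip())
        if not m:
            continue  # unrelated command, or "ssh timeout 7"
        ip, mask, iface = m.groups()
        # strict=True raises ValueError if host bits are set or the mask is invalid
        rules.append((iface, ipaddress.IPv4Network(f"{ip}/{mask}", strict=True)))
    return rules


def audit_ssh_rules(config_text, untrusted=("outside",)):
    """Flag rules on untrusted interfaces that admit every source address."""
    findings = []
    for iface, net in parse_ssh_rules(config_text):
        if iface in untrusted and net.prefixlen == 0:
            findings.append(f"{iface}: SSH permitted from any address ({net})")
    return findings


if __name__ == "__main__":
    for iface, net in parse_ssh_rules(SAMPLE_CONFIG):
        print(f"{iface:8} {net}")
    for finding in audit_ssh_rules(SAMPLE_CONFIG):
        print("FLAG", finding)
```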

noeminieto Sat, 03/08/2008 - 10:21

I was able to connect to my PIX 506e using SSH Secure Shell, but now I cannot. I get an error message saying "Connection closed by remote host". We have made no changes to the pix; all of a sudden it quit working.

Do I need to regenerate the rsa key? Or what should I do?

I am new to managing PIXes.

noeminieto Mon, 03/10/2008 - 11:27

Thanks for the response. I changed from the existing 5 to 10 and then to 30.

Now my PIX 501e is doing the same thing.

It is still not working. What else can I do?

Thanks,

Noemi

mkkeyan Tue, 03/11/2008 - 07:50

!The two commands below are used to define the PIX's host name and domain name.

!This is necessary because the RSA keys used for encryption and decryption are

!named using these parameters and also are bound to the PIX via these parameters.

hostname pix123

domain-name test.com

!The command below is used to generate a 1024-bit RSA public/private key pair to

!be used for encryption and decryption.

ca generate rsa key 1024

!The command below is used to save the keys generated to Flash memory.

ca save all

!The commands below are used to tell the PIX to accept SSH connections on its

!outside interface and to set the idle timeout for SSH sessions to 7 minutes.

ssh 10.1.1.1 255.255.255.255 outside

ssh timeout 7

!Furthermore, the PIX can be set up to do authentication for the SSH users

!connecting to it. The following command defines the AAA server group, ssh123, to

!use for authentication. The AAA server address, 10.1.1.200, and the key to

!authenticate to it, mysecure, are also defined.

aaa-server ssh123 (inside) host 10.1.1.200 mysecure

!The following command binds the AAA server group to the protocol TACACS+.

aaa-server ssh123 protocol tacacs+

!The following command is used to tell the PIX box to do authentication for the

!SSH users using the AAA server group, ssh123, defined above.

aaa authentication ssh console ssh123
