SSH tcpwrapped on Pix 501

mitchell.smith
Level 1

Hi, I am working on a Pix 501 via a remote ssh connection; all was fine until I issued a reload command. Now I cannot get access to the PIX via SSH, and an nmap scan shows port 22 is open but the service shows tcpwrapped. I have never seen this before. Anyone know how to clear it? Thanks in advance.

1 Accepted Solution

Accepted Solutions

Looks like you have not saved the SSH key and reloaded the PIX. After that you will not be able to log in again until you regenerate the keys.

If you have console access you can see the keys by typing:

show ca mypubkey rsa

If it does not show any key, then you do not have one.

Sincerely,

Patrick


5 Replies

johnd2310
Level 8

Hi,

Was the config saved before the reload? If not, then you will have to regenerate the ssh keys.

Regards,

John

**Please rate posts you find helpful**

John, yes, I did a write memory just before the reload. Can you tell me what tcpwrapped means?

I have never seen this before. Thanks, Mitchell

You have to save the ssh keys with the following command:

ca save all

To regenerate the keys use:

ca gen rsa key 1024

Reference:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/c.html#wp1025120

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sysmgmt.html#wp1034079

The write memory does not save the ssh keys.

To use SSH, your PIX Firewall must have a DES or 3DES activation key and you must generate an RSA key-pair for the PIX Firewall before clients can connect to the PIX Firewall console. Use the ca generate rsa key 512 command to generate a key; change the modulus size from 512, as needed. After generating the RSA key, save the key using the ca save all command.

Sincerely,

Patrick

Hi Patrick, thanks for your post. My pix does have a 3DES activation key. I have been using SSH on this pix for several days with PuTTY and I did not generate an RSA key-pair, perhaps someone else did before me. It was working fine until I issued the reload command via SSH. When the RSA keys are missing do you get this issue with "tcpwrapped"?
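Nobody in the thread spells out what nmap means by "tcpwrapped": the TCP handshake on port 22 completes, but the far end closes the connection without sending anything in reply to nmap's probes. A healthy SSH server, by contrast, sends its version banner (a line starting with "SSH-") as soon as the connection is up. The script below is an added example, not code from this thread or from Cisco: it reproduces that distinction with a constructed local listener so you can see the two behaviours side by side, and gives a small probe you could point at a real host to confirm the symptom before and after running ca gen rsa key 1024 and ca save all. The listener, port numbers and the "constructed_example" banner are all assumptions made up for the demonstration.

```python
import socket
import threading

def serve_once(behaviour):
    """Constructed stand-in for the far end of port 22. Accepts exactly one
    connection on a loopback port and then either speaks SSH (sends a banner)
    or closes silently, which is the behaviour nmap labels "tcpwrapped".
    Returns the port number the listener was assigned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        if behaviour == "ssh":
            conn.sendall(b"SSH-2.0-constructed_example\r\n")  # made-up banner
        conn.close()                    # "wrapped": accept, then drop, no data
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port

def free_port():
    """Constructed helper: return a loopback port that nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def probe_ssh(host, port, timeout=3.0):
    """Classify what a TCP port does when an SSH client connects.

    'closed'      - the connection was refused (nmap: closed)
    'ssh'         - the peer sent an SSH version banner (nmap: ssh)
    'tcpwrapped'  - handshake completed, then closed with no data (nmap: tcpwrapped)
    'silent'      - accepted but nothing arrived before the timeout
    'other'       - some non-SSH banner arrived
    """
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    try:
        s.settimeout(timeout)
        data = s.recv(256)
    except socket.timeout:
        return "silent"
    except OSError:                     # e.g. reset right after accept
        return "tcpwrapped"
    finally:
        s.close()
    if not data:
        return "tcpwrapped"             # EOF with no banner: the PIX symptom
    if data.startswith(b"SSH-"):
        return "ssh"
    return "other"

def diagnose(host, port, timeout=3.0):
    """Map the probe result onto the advice given in this thread."""
    state = probe_ssh(host, port, timeout)
    if state == "tcpwrapped":
        return (state, "port accepts TCP but no SSH banner; check the RSA key "
                       "with 'show ca mypubkey rsa' and regenerate/save if missing")
    if state == "ssh":
        return (state, "SSH server is answering normally")
    return (state, "no SSH service answering on this port")

if __name__ == "__main__":
    # Side-by-side demonstration against the constructed listeners.
    for label in ("ssh", "wrapped"):
        port = serve_once(label)
        print(label, "->", diagnose("127.0.0.1", port))
    print("closed ->", diagnose("127.0.0.1", free_port()))
```

Against a real firewall you would call probe_ssh("<pix-address>", 22) instead of the loopback listeners; a result of "tcpwrapped" after a reload matches the missing-key diagnosis above, and the same call should return "ssh" once the key has been generated and saved.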

