SSH tcpwrapped on Pix 501

Answered Question
Mar 17th, 2008

Hi, I am working on a Pix 501 via a remote ssh connection, all was fine until I issued a reload command. Now I cannot get access to the PIX via SSH and an nmap scan shows port 22 is open but the service shows tcpwrapped. I have never seen this before, anyone know how to clear it? Thanks in advance.

johnd2310 Mon, 03/17/2008 - 10:50

Hi,

Was the config saved before the reload? If not, then you will have to regenerate the ssh keys.

Regards

John

mitchell.smith Mon, 03/17/2008 - 10:53

John, yes, I did a write memory just before the reload. Can you tell me what tcpwrapped means?

I have never seen this before. Thanks, Mitchell

Patrick Iseli Mon, 03/17/2008 - 12:28

You have to save the ssh keys with the following command:

ca save all

To regenerate the keys use:

ca gen rsa key 1024

Reference:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/c.html#wp1025120

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sysmgmt.html#wp1034079

The write memory does not save the ssh keys.

To use SSH, your PIX Firewall must have a DES or 3DES activation key and you must generate an RSA key-pair for the PIX Firewall before clients can connect to the PIX Firewall console. Use the ca generate rsa key 512 command to generate a key; change the modulus size from 512, as needed. After generating the RSA key, save the key using the ca save all command.

Sincerely

Patrick
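As an added example that is not from this thread or from Cisco: nmap labels a port "tcpwrapped" when the TCP three-way handshake completes but the target closes the connection without sending any data, which is how a tcp_wrappers-protected daemon behaves towards a denied client and is also consistent with what the original post reports for a PIX whose SSH server has no RSA key to present. A real sshd sends an identification string ("SSH-2.0-...") as soon as the connection is up, so the quickest check after regenerating and saving the keys is to connect to port 22 and see whether that banner arrives. The probe below does exactly that; the two local listeners are constructed stand-ins (one mimics the tcpwrapped behaviour, one sends a made-up banner) so the script runs offline, and the hostnames, ports and banner text are assumptions, not values from the thread.

```python
import socket
import threading


def probe_ssh_port(host, port, timeout=3.0):
    """Connect to host:port and classify what the far end does.

    Returns (state, banner) where state is one of:
      "refused"     - no TCP connection could be made
      "tcpwrapped"  - handshake completed, then closed with no data (nmap's label)
      "no-banner"   - connection stayed open but nothing arrived within timeout
      "ssh-banner"  - an SSH identification string was received (healthy sshd)
      "unexpected"  - something other than an SSH banner was received
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return ("refused", "")
    try:
        sock.settimeout(timeout)
        data = sock.recv(256)
    except socket.timeout:
        return ("no-banner", "")
    except OSError:
        # Peer reset the connection before sending anything: same symptom as tcpwrapped.
        return ("tcpwrapped", "")
    finally:
        sock.close()
    if not data:
        # Peer sent FIN with no payload: accepted, then dropped, i.e. "tcpwrapped".
        return ("tcpwrapped", "")
    first_line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    if first_line.startswith("SSH-"):
        return ("ssh-banner", first_line)
    return ("unexpected", first_line)


def start_fake_ssh_endpoint(mode):
    """Constructed local listener used only to exercise the probe; not a real SSH server.

    mode="wrapped": accept the TCP connection and close it without sending anything,
                    the behaviour nmap reports as tcpwrapped.
    mode="banner":  send a made-up SSH identification string, as a working sshd would.
    Returns the ephemeral port the listener is bound to on 127.0.0.1.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            if mode == "banner":
                conn.sendall(b"SSH-2.0-OpenSSH_fake\r\n")  # constructed banner
            # mode "wrapped": fall through and close with no data sent
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


if __name__ == "__main__":
    # Demonstrate both outcomes against the constructed listeners.
    for mode in ("wrapped", "banner"):
        port = start_fake_ssh_endpoint(mode)
        print(mode, "->", probe_ssh_port("127.0.0.1", port))
```

Against a real device you would call probe_ssh_port with the PIX's address and port 22; "tcpwrapped" after a reload points at the missing-key condition discussed in this thread, while "ssh-banner" confirms the regenerated key survived the reload.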

mitchell.smith Mon, 03/17/2008 - 13:05

Hi Patrick, thanks for your post. My pix does have a 3DES activation key. I have been using SSH on this pix for several days with PuTTY and I did not generate an RSA key-pair, perhaps someone else did before me. It was working fine until I issued the reload command via SSH. When the RSA keys are missing do you get this issue with "tcpwrapped"?

Correct Answer
Patrick Iseli Mon, 03/17/2008 - 18:11

Looks like you have not saved the SSH key and reloaded the PIX. After that you will not be able to log in again until you have regenerated the keys.

If you have console access you can see the keys by typing:

show ca mypubkey rsa

If it does not show any key, then you do not have one.

Sincerely

Patrick

Posted March 17, 2008 at 9:53 AM