Can't telnet or SSH to my Cisco PIX 506E

Answered Question
May 28th, 2010
Any connection over the internet or trying to connect fails using PuTTY or TeraTerm.

interface ethernet0 auto
interface ethernet1 100full

nameif ethernet0 outside security0
nameif ethernet1 inside security100

enable password $$$$$$$$$$
passwd $$$$$$$$
hostname $$$$$$
domain-name $$$$.local

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

names
name 10.255.255.0 mike
name 10.1.170.0 harry
name 10.10.0.0 tom

access-list cryptomap_$$$$_10 permit ip 10.1.17.0 255.255.255.0 $$$l 255.255.255.0
access-list inside_no_nat permit ip 10.1.17.0 255.255.255.0 $$$ 255.255.255.0
access-list cryptomap_arc_20 permit ip 10.1.17.0 255.255.255.0 $$$ 255.255.255.0
access-list cryptomap_$$_30 permit ip 10.1.17.0 255.255.255.0 $$$$ 255.255.255.0
access-list cryptomap_$$_30 permit ip 10.1.17.0 255.255.255.0 $$$ 255.255.255.0
access-list inside_no_nat permit ip 10.1.17.0 255.255.255.0 $$$ 255.255.255.0
access-list inside_no_nat permit ip 10.1.17.0 255.255.255.0 $$$ 255.255.255.0

icmp deny any outside
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 22.221.38.234 255.255.255.248
ip address inside 10.1.173.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 0 access-list inside_no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 22.221.38.233 1

http server enable
http 10.1.17.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address cryptomap_$$$_10
crypto map outside_map 10 set peer
crypto map outside_map 10 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address cryptomap_hq_30
crypto map outside_map 30 set peer
crypto map outside_map 30 set transform-set ESP-DES-MD5
crypto map outside_map interface outside

isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key $$$$$$$$$$$$$$$$$$    netmask 255.255.255.255 no-xauth no-config-mode
isakmp key $$$$$$$$$$$$$$$$$$$$$ address X>X>X> netmask 255.255.255.255 no-xauth no-config-mode

dhcpd address 10.1.173.101-10.1.173.254 inside
dhcpd enable inside
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd dns 10.1.17.20 X>X>X>
dhcpd domain $$$.local

ssh 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside

Federico Coto F... Fri, 05/28/2010 - 12:14
User Badges:
  • Green, 3000 points or more

Hi,


You're not going to be able to telnet to the outside interface (this is by design).

But you should be able to SSH.


For SSH, besides the hostname/domain, you need to generate the RSA keys:


crypto key generate rsa


Federico.

Charlie Mayes Fri, 05/28/2010 - 12:26
Is my config right to SSH to the device? I have already done the ca generate rsa key 1024.

Correct Answer
Federico Coto F... Fri, 05/28/2010 - 12:31
User Badges:
  • Green, 3000 points or more

Yes, the configuration is correct but... do you have connectivity to the outside IP?  Can you PING it?

Can you connect to the inside IP from the inside LAN?


Federico.

Jennifer Halim Sat, 05/29/2010 - 00:25
User Badges:
  • Cisco Employee

Won't be able to ping because there is "icmp deny any outside", which will block ping to the outside interface.


I also tried to SSH on the PIX outside interface, and even TCP 3 way handshake is not completed.


Is the router in front of the PIX blocking SSH access?

Charlie Mayes Sat, 05/29/2010 - 14:33
Thanks Man,

I just had to generate the ca key again because the first time I guess it must have gotten corrupted. After I did that SSH worked fine.

Correct Answer
Bob Bagheri Sat, 05/29/2010 - 07:20
In order for SSH to work on a PIX/ASA, you need to configure AAA. Authentication controls access by requiring valid user credentials, which are typically a username and password. I believe you can use the username "pix" on the 506E if no username is configured.

1. crypto key generate rsa modulus modulus_size
2. ssh source_IP_address mask source_interface
3. ssh timeout minutes
4. ssh version version_number

This is the step I think you are missing:

5. aaa authentication {telnet | ssh | http | serial} console {LOCAL | server_group [LOCAL]}



Here is the link to more information:

http://www.cisco.com/en/US/partner/docs/security/asa/asa70/configuration/guide/mgaccess.html#wp1056599


HTH,

Bob Bagheri
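The prerequisites listed in the steps above can be checked mechanically against a saved config. The lint below is an added example, not code from this thread or from Cisco: it reads a PIX-style config (both samples are constructed, modelled on the config posted in the question) and reports which SSH management prerequisites are missing or risky; the function names are my own. It cannot see the RSA key pair, which is not part of the running config, so that still has to be checked on the box with sh ca mypubkey rsa as the thread does.

```python
import re
# Constructed sample modelled on the config posted in the question (addresses are examples).
POSTED_STYLE_CONFIG = """\
hostname pixfw
domain-name example.local
icmp deny any outside
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

# Same device with the missing AAA step added and management exposure tightened.
HARDENED_CONFIG = """\
hostname pixfw
domain-name example.local
icmp permit 203.0.113.5 255.255.255.255 outside
ssh 203.0.113.5 255.255.255.255 outside
ssh 10.1.173.0 255.255.255.0 inside
ssh timeout 5
aaa authentication ssh console LOCAL
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_config(text):
    """Return non-empty, non-comment lines with runs of whitespace collapsed."""
    lines = (" ".join(raw.split()) for raw in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("!")]

def check_ssh_prereqs(text):
    """Map each prerequisite to True (satisfied) or False (missing or risky)."""
    lines = parse_config(text)
    def has(pattern):
        return any(re.fullmatch(pattern, line) for line in lines)
    return {
        "hostname set": has(r"hostname \S+"),
        "domain-name set": has(r"domain-name \S+"),
        "ssh access line present": has(rf"ssh {IP} {IP} \S+"),
        "aaa authentication ssh console": has(r"aaa authentication ssh console .+"),
        # Telnet to the outside interface never works on PIX and is plaintext anyway.
        "no telnet on outside": not has(rf"telnet {IP} {IP} outside"),
        # An any-source ssh line exposes the management plane to the whole internet.
        "ssh limited to specific sources": not has(r"ssh 0\.0\.0\.0 0\.0\.0\.0 \S+"),
        # 'icmp deny any outside' is reasonable hardening but makes a ping test meaningless.
        "icmp not blanket-denied on outside": not has(r"icmp deny any outside"),
    }

def missing(text):
    """Sorted names of failed checks; an empty list means all prerequisites are met."""
    return sorted(k for k, ok in check_ssh_prereqs(text).items() if not ok)
```

Run missing() on the text of sh run to get the list of items to fix; on the posted-style sample it reports the missing AAA line, the open telnet and any-source ssh lines, and the ICMP deny that defeats a ping test.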

Charlie Mayes Sat, 05/29/2010 - 14:34
Thanks Man,

I just had to generate the ca key again because the first time I did it, it must have got corrupted. After I did that SSH worked fine.

Charlie Mayes Tue, 06/01/2010 - 09:57
Sorry man but, I am having the same issue. Whenever I reboot the firewall it does not keep the ca generate rsa key 2048. I have to run it again for the SSH to start working every time after I reload the firewall. WHY??? I have also performed a (write memory before I reload the firewall).

Federico Coto F... Tue, 06/01/2010 - 10:02
User Badges:
  • Green, 3000 points or more

What version are you running?

Check with the ''sh version'' command.


Federico.

Federico Coto F... Wed, 06/02/2010 - 06:23
User Badges:
  • Green, 3000 points or more

When you generate the RSA keys for SSH it works correctly?

Then you should see such key with the command: ''sh cry key mypubkey rsa''


If you reload the PIX, then you're not able to SSH anymore and have to regenerate the keys?

After rebooting the PIX and before regenerating the keys again, do you still see the public key with the ''sh cry key mypubkey rsa'' command?


You don't have to be regenerating the keys every time the PIX restarts; you might be hitting a bug.


Federico.

Charlie Mayes Wed, 06/02/2010 - 07:15
Hello Federico,

I had to use the command below for my PIX but, the keys are there. Maybe there is a bug. I will just replace that firewall with another one because I have to access my remote sites using the inside interface.

sh ca mypubkey rsa

Federico Coto F... Wed, 06/02/2010 - 08:23
User Badges:
  • Green, 3000 points or more

Yes.

I would recommend you to open a TAC case.


Cheers.


Federico.
