4466 Views, 0 Helpful, 14 Replies

Can't telnet or SSH to my Cisco PIX 506E

Charlie Mayes
Level 1

Any connection over the internet or trying to connect fails using Putty or Teraterm.

interface ethernet0 auto
interface ethernet1 100full

nameif ethernet0 outside security0
nameif ethernet1 inside security100

enable password $$$$$$$$$$
passwd $$$$$$$$
hostname $$$$$$
domain-name $$$$.local

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

names
name 10.255.255.0 mike
name 10.1.170.0 harry
name 10.10.0.0 tom


access-list cryptomap_$$$$_10 permit ip 10.1.17.0 255.255.255.0 $$$l 255.255.255.0
access-list inside_no_nat permit ip 10.1.17.0 255.255.255.0 $$$ 255.255.255.0

access-list cryptomap_arc_20 permit ip 10.1.17.0 255.255.255.0 $$$ 255.255.255.0

access-list cryptomap_$$_30 permit ip 10.1.17.0 255.255.255.0 $$$$ 255.255.255.0
access-list cryptomap_$$_30 permit ip 10.1.17.0 255.255.255.0 $$$ 255.255.255.0

access-list inside_no_nat permit ip 10.1.17.0 255.255.255.0 $$$ 255.255.255.0
access-list inside_no_nat permit ip 10.1.17.0 255.255.255.0 $$$ 255.255.255.0


icmp deny any outside

pager lines 24

mtu outside 1500
mtu inside 1500

ip address outside 22.221.38.234 255.255.255.248
ip address inside 10.1.173.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 0 access-list inside_no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 22.221.38.233 1

http server enable
http 10.1.17.0 255.255.255.0 inside

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address cryptomap_$$$_10
crypto map outside_map 10 set peer
crypto map outside_map 10 set transform-set ESP-DES-MD5

crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address cryptomap_hq_30
crypto map outside_map 30 set peer
crypto map outside_map 30 set transform-set ESP-DES-MD5

crypto map outside_map interface outside

isakmp enable outside
isakmp identity address
isakmp nat-traversal 20

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp key $$$$$$$$$$$$$$$$$$    netmask 255.255.255.255 no-xauth no-config-mode
isakmp key $$$$$$$$$$$$$$$$$$$$$ address X>X>X> netmask 255.255.255.255 no-xauth no-config-mode

dhcpd address 10.1.173.101-10.1.173.254 inside
dhcpd enable inside
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd dns 10.1.17.20 X>X>X>
dhcpd domain $$$.local

ssh 0.0.0.0 0.0.0.0 outside
telnet  0.0.0.0 0.0.0.0 outside

telnet  0.0.0.0 0.0.0.0 inside


14 Replies

Hi,

You're not going to be able to telnet to the outside interface (this is by design).

But you should be able to SSH.

For SSH, besides the hostname/domain, you need to generate the RSA keys:

crypto key generate rsa

Federico.

Is my config right to SSH to the device? I have already done the ca generate rsa key 1024.

Yes, the configuration is correct but... do you have connectivity to the outside IP?  Can you PING it?

Can you connect to the inside IP from the inside LAN?

Federico.

Won't be able to ping because there is "icmp deny any outside", which will block ping to the outside interface.

I also tried to SSH on the PIX outside interface, and even TCP 3 way handshake is not completed.

Is the router in front of the PIX blocking SSH access?

Thanks Man,

I just had to generate the ca key again because the first time I guess it must have gotten corrupted. After I did that SSH worked fine.

Bob Bagheri
Level 1
Level 1

In order for SSH to work on a PIX/ASA, you need to configure AAA.  Authentication controls access by requiring valid  user credentials, which are typically a username and password.  I believe you can use the username "pix" on the 506E if no username is configured.

1.  crypto key generate rsa modulus modulus_size

2.  ssh source_IP_address mask source_interface

3.   ssh timeout minutes

4.  ssh  version version_number

This is the step I think you are missing:

5.  aaa authentication {telnet | ssh | http | serial} console {LOCAL |

server_group [LOCAL]}

Here is the link to more information:

http://www.cisco.com/en/US/partner/docs/security/asa/asa70/configuration/guide/mgaccess.html#wp1056599

HTH,

Bob Bagheri

Thanks Man,

I just had to generate the ca key again because the first time I did it, it must have got corrupted. After I did that SSH worked fine.

Wonderful, glad to hear it.


Re,
Bob

Sorry man but, I am having the same issue. Whenever I reboot the firewall it does not keep the ca generate rsa key 2048. I have to run it again for SSH to start working every time after I reload the firewall. WHY??? I have also performed a write memory before I reload the firewall.

What version are you running?

Check with the ''sh version'' command.

Federico.

Cisco PIX Firewall Version 6.3(5)

When you generate the RSA keys for SSH, it works correctly?

Then you should see such key with the command: ''sh cry key mypubkey rsa''

If you reload the PIX, then you're not able to SSH anymore and have to regenerate the keys?

After rebooting the PIX and before regenerating the keys again, do you still see the public key with the ''sh cry key mypubkey rsa'' command?

You don't have to be regenerating the keys every time the PIX restarts, you might be hitting a bug.

Federico.

Hello Federico,

I had to use the command below for my PIX but, the keys are there. Maybe there is a bug. I will just replace that firewall with another one because I have to access my remote sites using the inside interface.

sh ca mypubkey rsa

Yes.

I would recommend you to open a TAC case.

Cheers.


Federico.
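As an added example (not code from this thread or from Cisco), here is a small Python lint that reads a PIX/ASA-style config dump and reports the pieces the replies above treat as prerequisites for SSH management access: hostname and domain-name (needed before RSA key generation), an ssh access line for a source network, and AAA authentication for the SSH console, plus the two caveats raised in the thread (plain telnet on the outside interface is refused by design, and the RSA key pair is not part of the running config, so a "write memory" alone does not prove it survives a reload). The sample config is constructed and abbreviated from the one posted, with secrets omitted. One detail in the persistence reminder comes from the PIX 6.x command set rather than from the thread: on PIX 6.x a key pair created with "ca generate rsa key" is written to flash by "ca save all".

```python
import re

# Constructed, abbreviated sample modelled on the config posted in the thread
# (interface addresses as posted; passwords and peer addresses omitted).
SAMPLE_CONFIG = """\
hostname pixfw
domain-name example.local
ip address outside 22.221.38.234 255.255.255.248
ip address inside 10.1.173.1 255.255.255.0
icmp deny any outside
ssh 0.0.0.0 0.0.0.0 outside
telnet  0.0.0.0 0.0.0.0 outside
telnet  0.0.0.0 0.0.0.0 inside
"""


def config_lines(config):
    """Split a config dump into stripped, non-empty, non-comment lines."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def lint_ssh_access(config):
    """Return a list of (severity, message) findings about SSH management access.

    severity is 'error' (SSH cannot work at all), 'warning' (it works but the
    setting is risky) or 'info' (something to verify outside the running config).
    """
    lines = config_lines(config)
    findings = []

    def present(pattern):
        rx = re.compile(pattern)
        return any(rx.match(ln) for ln in lines)

    # 1. RSA key generation requires both a hostname and a domain-name.
    if not present(r"hostname\s+\S+"):
        findings.append(("error", "no hostname; RSA key generation needs hostname and domain-name"))
    if not present(r"domain-name\s+\S+"):
        findings.append(("error", "no domain-name; RSA key generation needs hostname and domain-name"))

    # 2. At least one 'ssh <addr> <mask> <interface>' line must permit a source.
    ssh_rx = re.compile(r"ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
    ssh_lines = [m for m in (ssh_rx.match(ln) for ln in lines) if m]
    if not ssh_lines:
        findings.append(("error", "no 'ssh <addr> <mask> <interface>' line; no host may open an SSH session"))
    for m in ssh_lines:
        if m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            findings.append(("warning", f"ssh permitted from any address on {m.group(3)}; "
                                        "restrict it to known management sources"))

    # 3. Without AAA, SSH login uses the default user 'pix' and the 'passwd' secret
    #    (as the thread notes), so every admin shares one credential.
    if not present(r"aaa authentication ssh console"):
        findings.append(("warning", "no 'aaa authentication ssh console'; login falls back to "
                                    "user 'pix' with the telnet password"))

    # 4. Plain telnet to the outside interface is refused by design; only SSH works there.
    if present(r"telnet\s+\S+\s+\S+\s+outside$"):
        findings.append(("info", "telnet allowed on outside; the PIX does not accept plain telnet "
                                 "on the outside interface, use SSH instead"))

    # 5. The key pair never appears in the running config, so it cannot be checked here.
    #    PIX 6.x fact, not from the thread: 'ca save all' writes the generated key to flash.
    findings.append(("info", "RSA key pair lives in flash, not in the config: on PIX 6.x run "
                             "'ca save all' after 'ca generate rsa key', then confirm with "
                             "'show ca mypubkey rsa' after a reload"))
    return findings


def blocking_errors(config):
    """Only the findings that make SSH impossible, as plain messages."""
    return [msg for sev, msg in lint_ssh_access(config) if sev == "error"]


if __name__ == "__main__":
    for sev, msg in lint_ssh_access(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run against the sample, the lint reports no blocking errors (hostname, domain-name and an ssh line are all present), which matches Federico's "the configuration is correct", and then points at the two things that made the thread drag on: the missing AAA line and the key pair that has to be verified on the box rather than in the config.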
