Accessing remote console with ssh instead of telnet

Unanswered Question
Apr 1st, 2002

Hi all.


How can I configure a PIX 520 to access the remote console through an interface via ssh instead of telnet?


Thanks in advance.


José Luis.

jerry.roy Mon, 04/01/2002 - 08:47

I wouldn't go with such a small key though. Try 1024 or above as a minimum.



jldediego Mon, 04/01/2002 - 08:49

Hi Rob.


The matter is that the most recent version of the PIX software we have is 5.0.3, so that ssh command is not available in that version.


Would you know of another alternative configuration?


Thanks a lot in any case.


José Luis De Diego.



jerry.roy Mon, 04/01/2002 - 09:08

The only choices you have are to upgrade the code or add a box that allows only ssh to it (maybe a Linux box), then have the PIX only allow telnet from that box.


Just a Thought

Well, there are a couple of ways to get to your PIX from the world that I know of.


The first, which is less secure, is to use a static NAT to a private IP on your LAN, and then allow some sort of remote control (VNC, NetMeeting, Terminal Services, PCAnywhere, etc.) traffic through to that private IP. Once you remote control the PC on your LAN you can telnet to the inside interface of your PIX.


The other way is to VPN through your PIX to your LAN and then remote control a PC on your LAN, then telnet to the inside interface of your PIX. This is much more secure because all traffic is encrypted.


I'm sure there are other ways, but I hope this helps!


Rob

srittenberg Mon, 04/01/2002 - 09:28

Telnet is not secure. You should only configure the PIX to allow telnet from the inside, not the outside interface. For the outside, ssh should be the only thing that's allowed. To configure ssh:


ssh ip-allowed 255.255.255.255 outside


You may use an ssh client like SecureCRT or use telnet on port 22.


For example: telnet 192.168.10.10 22

jldediego Tue, 04/02/2002 - 01:20

Ok, now I have a good overview of the problem.


Thanks to all. The problem I had was just the possible sniffers from inside users. Unfortunately our structured and horizontal cabling doesn't allow me to easily separate the management segment from the other users' ones. But I can still ssh to a secure box on another secure segment, and from that telnet securely to the firewalls, always from inside or DMZ interfaces. I think it's the easiest and quickest way. The VPN is the best solution, but not immediate, unfortunately.


Thanks a lot to all.


Greetings and regards.


José Luis De Diego.
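
An added example, not part of the original thread: a small Python check of the management-access rules the replies above converge on (no telnet on the outside interface, telnet only from the designated ssh jump box, ssh on the outside limited to single hosts). The sample config, the addresses and the function name are constructed for illustration, and only the three-field telnet/ssh line form quoted in the thread is parsed.

```python
import ipaddress
import re

# Matches access lines in the form quoted in the thread:
#   ssh <ip> <netmask> <interface>   or   telnet <ip> <netmask> <interface>
ACCESS_RE = re.compile(
    r"^(telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)

# Constructed sample config; all addresses are documentation/private ranges.
SAMPLE_CONFIG = """\
telnet 10.1.1.25 255.255.255.255 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet 203.0.113.7 255.255.255.255 outside
telnet timeout 5
ssh 198.51.100.20 255.255.255.255 outside
ssh 198.51.100.0 255.255.255.0 outside
ssh timeout 5
"""

def audit_mgmt_access(config_text, jump_hosts=(), untrusted=("outside",)):
    """Return (line_number, line, finding) tuples for risky management rules."""
    findings = []
    allowed = {ipaddress.ip_address(h) for h in jump_hosts}
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if not m:
            continue  # e.g. "telnet timeout 5" or unrelated config lines
        proto, ip, mask, ifname = m.groups()
        try:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        except ValueError:
            findings.append((n, line, "unparseable address or mask"))
            continue
        single = net.num_addresses == 1
        if proto == "telnet" and ifname in untrusted:
            findings.append((n, line, "cleartext telnet permitted on untrusted interface"))
        elif proto == "telnet" and allowed and not (single and net.network_address in allowed):
            findings.append((n, line, "telnet source is not a designated jump host"))
        elif proto == "ssh" and ifname in untrusted and not single:
            findings.append((n, line, "ssh on untrusted interface open to more than one host"))
    return findings

if __name__ == "__main__":
    for n, line, why in audit_mgmt_access(SAMPLE_CONFIG, jump_hosts=("10.1.1.25",)):
        print(f"line {n}: {line!r}: {why}")
```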
