04-01-2002 06:50 AM - edited 03-08-2019 10:11 PM
Hi all.
How can I configure pix 520 to access the remote console through an interface via ssh instead of telnet?
Thanks in advance.
José Luis.
04-01-2002 08:03 AM
Here is the config I use:
domain-name mydomain.com
ca generate rsa key 512
ssh 150.1.1.0 255.255.255.0 outside
ca save all
To clear the rsa key and start over:
ca zeroize rsa
04-01-2002 08:47 AM
I wouldn't go with such a small key though. Try 1024 or above as a minimum.
04-01-2002 08:49 AM
Hi Rob.
The matter is that the most recent version for pix software we have is 5.0.3, so that ssh command is not available in that version.
Would you know of another alternative configuration?
Thanks a lot in any case.
José Luis De Diego.
04-01-2002 09:08 AM
The only choices you have are to upgrade the code or add a box that allows only ssh to it (maybe a Linux box), then have the PIX only allow telnet from that box.
Just a Thought
04-01-2002 09:24 AM
Well there are a couple of ways to get to your PIX from the world that I know of.
The first, which is less secure, is to use a static nat to a private IP on your LAN, and then allow some sort of remote control (VNC, Netmeeting, Terminal Service, PCAnywhere, etc.) traffic through to that private IP. Once you remote control the PC on your LAN you can telnet to the inside interface of your PIX.
The other way is to VPN through your PIX to your LAN and then remote control a PC on your LAN, then telnet to the inside interface of your PIX. This is much more secure because all traffic is encrypted.
I'm sure there are other ways, but I hope this helps!
Rob
04-01-2002 09:28 AM
telnet is not secure. You should only configure to allow telnet from the inside, not the outside interface. For the outside, ssh should be the only thing that's allowed. To configure ssh:
ssh ip-allowed 255.255.255.255 outside
You may use an ssh client like SecureCRT, or use telnet on port 22.
For example: telnet 192.168.10.10 22
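As an added illustration of the advice in this thread (not code from any poster), the following script audits a PIX management configuration for the points raised: an RSA key below 1024 bits, telnet permitted on an interface other than inside, and telnet or ssh open to any source. It assumes the commands are available as text in the same form the posters wrote them (the sample below is constructed).

```python
import re
from typing import List

# Constructed sample in the command syntax used in this thread.
SAMPLE_CONFIG = """\
domain-name mydomain.com
ca generate rsa key 512
telnet 10.1.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh 150.1.1.0 255.255.255.0 outside
"""

MIN_RSA_BITS = 1024  # floor suggested in the thread

RSA_RE = re.compile(r"^ca generate rsa key (\d+)$")
ACCESS_RE = re.compile(r"^(telnet|ssh) (\S+) (\S+) (\S+)$")


def audit_pix_mgmt(config: str, min_rsa_bits: int = MIN_RSA_BITS) -> List[str]:
    """Return a list of findings for weak management-access settings."""
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and PIX comment lines
        m = RSA_RE.match(line)
        if m and int(m.group(1)) < min_rsa_bits:
            findings.append(f"rsa key too small: {m.group(1)} bits (< {min_rsa_bits})")
            continue
        m = ACCESS_RE.match(line)
        if not m:
            continue
        proto, _ip, mask, iface = m.groups()
        if proto == "telnet" and iface != "inside":
            findings.append(f"telnet permitted on non-inside interface: {line}")
        if mask == "0.0.0.0":
            findings.append(f"{proto} allowed from any host: {line}")
    return findings


if __name__ == "__main__":
    for f in audit_pix_mgmt(SAMPLE_CONFIG):
        print("FINDING:", f)
```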
04-02-2002 01:20 AM
Ok, now I have a good overview of the problem.
Thanks to all. The problem I had was just the possible sniffers from inside users. Unfortunately our structured and horizontal cabling doesn't allow me to separate easily the management segment from the users' ones. But I still can ssh to a secure box at another secure segment, and from there telnet securely to the firewalls, always from the inside or dmz interfaces. I think it's the easiest and quickest way. The VPN is the best solution, but not immediate, unfortunately.
Thanks a lot to all.
Greetings and regards.
José Luis De Diego.