TCC_2
Level 10

Resolution

Complete these steps to configure Secure Shell (SSH) to the PIX Firewall:

  1. Before a connection to the PIX is made through SSH, these prerequisites must be met:

    • The PIX must run version 5.2 or later.

    • The PIX must have a VPN Data Encryption Standard (DES) license, as indicated in the output of the show version command.

      Note: Refer to Product License Registration in order to request a DES license.

  2. Once all requirements are met, issue these commands on the PIX:

    hostname hostname
    domain-name domain
    !--- Generate a key for the SSH encryption to use.
    ca generate rsa key 1024
    !--- Allow the desired host to connect to the PIX on the interface specified.
    ssh ip_address mask interface
    !--- Save your configuration.
    ca save all
    write memory

    This is an example:

    hostname mypix
    domain-name cisco.com
    ca generate rsa key 1024
    ssh 10.0.0.0 255.255.255.0 inside
    ca save all
    write memory

Refer to the SSH - Inside or Outside section of How To Perform Authentication and Enabling on the Cisco Secure PIX Firewall (5.2 Through 6.2) for more information.

Note: The default username for SSH local authentication is PIX. Refer to the Configuring Local SSH section of How To Perform Authentication and Enabling on the Cisco Secure PIX Firewall (5.2 Through 6.2) for more information.

Occasionally, when a username and password are provided in the SSH client, an SSH window appears and then disappears. In order to resolve this problem, issue the ca zeroize rsa command in order to remove any existing RSA keys on the PIX. Then, issue the ca zeroize rsa command again in order to regenerate the RSA keys.

If the PIX is configured for port forwarding on port 22 with the static command, SSH to the PIX itself does not work.
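As an added example (not part of the original document and not a Cisco tool), the following Python script lints a batch of PIX 6.x commands of the kind shown in step 2 before they are pasted into the firewall. It checks that hostname and domain-name are set before ca generate rsa key, that ca save all and write memory follow key generation, that each ssh line carries a valid address, mask and interface, and it flags a static port forward on TCP 22, which the note above says stops SSH to the PIX. The accepted interface names and the two sample batches are constructed assumptions; the version and DES license prerequisites can only be confirmed from show version and are not checked here.

```python
"""Lint a batch of PIX 6.x commands before pasting them into the firewall.

Added example; not part of the original document or of any Cisco tool. It
only understands the commands discussed in the post. The interface names
and the sample batches at the bottom are constructed assumptions.
"""
import ipaddress
import re

SSH_RE = re.compile(r"^ssh (\S+) (\S+) (\S+)$")
RSA_RE = re.compile(r"^ca generate rsa key (\d+)$")
# static (real_ifc,mapped_ifc) tcp <mapped_ip|interface> <mapped_port> <real_ip> <real_port> ...
STATIC_TCP_RE = re.compile(r"^static \(\S+,\S+\) tcp \S+ (\S+) \S+ \S+")
ORDERED = ("hostname", "domain-name", "ca generate", "ca save all", "write memory")


def _commands(text):
    """Yield (line_number, command) with whitespace normalised; skip blanks and '!' comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())
        if line and not line.startswith("!"):
            yield n, line


def lint_ssh_commands(text, interfaces=("inside", "outside")):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    first = {}  # command prefix -> first line on which it appears
    for n, cmd in _commands(text):
        for prefix in ORDERED:
            if cmd == prefix or cmd.startswith(prefix + " "):
                first.setdefault(prefix, n)
        if cmd.startswith("ca generate"):
            m = RSA_RE.match(cmd)
            if not m:
                findings.append(f"line {n}: unrecognised key command '{cmd}'")
            elif int(m.group(1)) < 1024:
                findings.append(f"line {n}: RSA modulus {m.group(1)} is shorter than the 1024 bits used in the post")
        elif cmd.startswith("ssh ") and not cmd.startswith("ssh timeout"):
            m = SSH_RE.match(cmd)
            if not m:
                findings.append(f"line {n}: expected 'ssh <ip> <mask> <interface>', got '{cmd}'")
                continue
            ip, mask, ifc = m.groups()
            first.setdefault("ssh", n)
            try:
                net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            except ValueError:
                findings.append(f"line {n}: invalid address or mask '{ip} {mask}'")
                continue
            if ifc not in interfaces:
                findings.append(f"line {n}: unknown interface '{ifc}'")
            if net.prefixlen == 0:
                findings.append(f"line {n}: SSH is permitted from any address on '{ifc}'; restrict the source")
        elif cmd.startswith("static "):
            m = STATIC_TCP_RE.match(cmd)
            if m and m.group(1) in ("22", "ssh"):
                findings.append(f"line {n}: static port forward on TCP 22 will stop SSH to the PIX itself")

    for needed in ("hostname", "domain-name", "ca generate", "ssh", "ca save all", "write memory"):
        if needed not in first:
            findings.append(f"missing command: {needed}")
    gen = first.get("ca generate")
    if gen is not None:
        for before in ("hostname", "domain-name"):
            if before in first and first[before] > gen:
                findings.append(f"'{before}' must be set before the key is generated on line {gen}")
        for after in ("ca save all", "write memory"):
            if after in first and first[after] < gen:
                findings.append(f"'{after}' runs before the key is generated on line {gen}, so the key is not saved")
    return findings


# Constructed sample batches (not from the post): the first follows the post's
# example, the second contains several of the mistakes the checker looks for.
GOOD_BATCH = """
hostname mypix
domain-name cisco.com
!--- Generate a key for the SSH encryption to use.
ca generate rsa key 1024
ssh 10.0.0.0 255.255.255.0 inside
ca save all
write memory
"""

BAD_BATCH = """
hostname mypix
ca generate rsa key 512
ssh 0.0.0.0 0.0.0.0 outside
static (inside,outside) tcp interface 22 192.168.1.5 22 netmask 255.255.255.255
ca save all
write memory
"""

if __name__ == "__main__":
    for name, batch in (("good", GOOD_BATCH), ("bad", BAD_BATCH)):
        print(name, lint_ssh_commands(batch) or ["no findings"])
```

The checker deliberately works on the command batch rather than on the running configuration, because on PIX 6.x the ca generate rsa key command does not appear in the configuration; only ca save all makes the key persistent, which is why the ordering check treats a save or write that precedes generation as a defect.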

In PIX version 7.0 and later, this is the command needed to generate the RSA key:

crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]

This command is configured from global configuration mode.

Refer to PIX/ASA 7.x: SSH/Telnet on the Inside and Outside Interface Configuration Example for more information and a configuration example.

Problem Type: Troubleshoot software feature, Configure

Product Family: Firewall - PIX 500 series, ASA Hardware & Software

Comments

Matt Wilson
Level 1

Thank you.
