Cisco Support Community

SSH tcpwrapped on Pix 501

Hi, I am working on a Pix 501 via a remote SSH connection; all was fine until I issued a reload command. Now I cannot get access to the PIX via SSH, and an nmap scan shows port 22 is open but the service shows tcpwrapped. I have never seen this before, anyone know how to clear it? Thanks in advance.

1 ACCEPTED SOLUTION

Re: SSH tcpwrapped on Pix 501

Looks like you have not saved the SSH key and reloaded the PIX. After that you will not be able to log in again until you regenerate the keys.

If you have console access you can see the keys by typing:

show ca mypubkey rsa

If it does not show any key, then you do not have one.

sincerely

Patrick

5 REPLIES
Re: SSH tcpwrapped on Pix 501

hi,

Was the config saved before the reload? If not, then you will have to regenerate the ssh keys.

regards

John

Re: SSH tcpwrapped on Pix 501

John, yes, I did a write memory just before the reload. Can you tell me what tcpwrapped means?

I have never seen this before. Thanks, Mitchell

Re: SSH tcpwrapped on Pix 501

You have to save the ssh keys with the following command:

ca save all

To regenerate the keys use:

ca gen rsa key 1024

Reference:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/c.html#wp1025120

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sysmgmt.html#wp1034079

The write memory does not save the ssh keys.

To use SSH, your PIX Firewall must have a DES or 3DES activation key and you must generate an RSA key-pair for the PIX Firewall before clients can connect to the PIX Firewall console. Use the ca generate rsa key 512 command to generate a key; change the modulus size from 512, as needed. After generating the RSA key, save the key using the ca save all command.

sincerely

Patrick
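
nmap reports tcpwrapped for a port that completes the TCP handshake but is then closed by the service before any application data is sent, which matches what Mitchell describes (port 22 open, yet no SSH login possible). The following Python check is an added example, not code from this thread or from Cisco: it tells a host that returns an SSH identification banner apart from one that accepts the connection and silently closes it. The local listeners and the Cisco-style banner string are constructed stand-ins for a real PIX.

```python
import socket
import threading

def probe_ssh_banner(host, port=22, timeout=3.0):
    """Connect to host:port and report what the service does next.

    Returns ("banner", text) if an SSH identification string arrives,
    ("closed", None) if the peer accepts the connection and then closes it
    without sending anything (the pattern nmap labels "tcpwrapped"), or
    ("timeout", None) if nothing happens within `timeout` seconds.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(256)
        except socket.timeout:
            return ("timeout", None)
    if not data:
        return ("closed", None)
    return ("banner", data.decode("ascii", "replace").strip())

def serve_once(behaviour):
    """Constructed stand-in for the firewall: a one-shot listener on 127.0.0.1
    that either sends a PIX-style banner or closes the connection immediately.
    Returns the ephemeral port it is listening on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(b"SSH-1.5-Cisco-1.25\r\n")  # constructed banner string
        conn.close()  # simulate a service that accepts, then drops the session
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port

def demo():
    """Probe both simulated behaviours and return the classifications."""
    return {b: probe_ssh_banner("127.0.0.1", serve_once(b)) for b in ("banner", "closed")}

if __name__ == "__main__":
    for behaviour, result in demo().items():
        print(f"{behaviour:>7}: {result}")
```

Pointing probe_ssh_banner at the firewall's management address gives a quick console-free way to tell a reachable SSH daemon from one that is dropping sessions.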

Re: SSH tcpwrapped on Pix 501

Hi Patrick, thanks for your post. My pix does have a 3DES activation key. I have been using SSH on this pix for several days with PuTTY and I did not generate an RSA key-pair, perhaps someone else did before me. It was working fine until I issued the reload command via SSH. When the RSA keys are missing do you get this issue with "tcpwrapped"?
