
How to configure PIX telnet from outside interface?

xiexiaofeng
Level 1

I have tried the configuration shown below, but it failed.

ssh x.x.x.x x.x.x.x outside

ssh timeout 5

My Topology is:

LAN-(inside)PIX(outside)-(ethernet)ROUTER(WAN)--Internet

I want to telnet PIX(outside) from router(ethernet).

How do I do it? Thanks a lot, everybody.

Waiting for your useful help.

Mailto: jacky_xie@cn.cnlink.net

5 Replies

j.hato
Level 1

Hi, these are the steps for SSH:

1. Generate RSA key,

> ca generate rsa key

You can use 512, 1024, or 2048 (2048 preferred).

2. Now you'll need to save using:

> ca save all

3. You'll need to configure ssh access on the PIX, so do the following:

> ssh x.x.x.x 255.255.255.255 outside

OR

> ssh 0.0.0.0 0.0.0.0 outside - With this you can connect from any public address.

4. You can view your generated public key on the PIX by issuing:

> sho ca mypubkey rsa

According to your helpful instructions. But I still cannot telnet to the PIX from the outside interface. My configuration procedure is as shown:

pixfirewall# config t

pixfirewall(config)# ca generate rsa key 512

Please use domain-name to configure Domain name first.

pixfirewall(config)# domain-name pix.com

pixfirewall(config)# ca generate rsa key 512

% Key pair was generated at: 01:36:51 UTC Apr 3 2004

Key name: pixfirewall.cisco.com

Usage: General Purpose Key

Key Data:

305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00ec6c10 8b82cd64

148071f3 76228c13 5d98d156 c1ee555c c6df2f65 38345e12 f2b293c9 db77a780

fa910c77 bcd7d4eb 6bbcd02b 7a529829 e4fb3a09 3e010349 11020301 0001

Remove all keys from the key ring ? [yes]

Keypair generation process begin.

.Success.

pixfirewall(config)# ca save all

pixfirewall(config)#

pixfirewall(config)# ssh 0.0.0.0 0.0.0.0 outside

pixfirewall(config)#

pixfirewall# show run

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxx

passwd xxxxx

hostname pixfirewall

domain-name pix.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 192.168.100.1 255.255.255.0

ip address inside 192.168.1.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxxx

: end

pixfirewall#

Is anything else wrong with my configuration?

Thanks a lot !

Hi,

The config looks fine. Have you tried using "putty" (a telnet program that also does SSH; you can find it on Google)? Try to SSH from putty.

HATO

a.alekseev
Level 7

You cannot telnet to the PIX (outside).

You need to use SSH, or you may establish a VPN connection to the PIX and then use telnet.

Aleksey

Hi,

I usually configure the PIX for CVPN Client access, then allow addresses from the dialup pool to telnet from the inside

telnet X.X.X.X 255.255.255.255 inside

Then add

management-access inside

You can then establish a VPN from a client and then telnet to the inside address

This is probably old news but it might help

Cheers Tony
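
An added example, not part of any post in this thread: a small Python check that reads the `nameif`, `ssh` and `telnet` lines of a PIX 6.3 style config and flags management-access rules on the security0 interface, namely telnet rules (which the replies above say must be replaced by SSH or telnet over a VPN) and SSH rules open to any source such as `ssh 0.0.0.0 0.0.0.0 outside`. The sample config is constructed, and the address 192.168.100.2 for the router's ethernet side is an assumption.

```python
import ipaddress
import re

# Constructed sample in PIX 6.3 syntax, modelled on the config in the thread.
# 192.168.100.2 is an assumed address for the router's ethernet interface.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
telnet 192.168.100.2 255.255.255.255 outside
telnet 192.168.1.10 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.100.2 255.255.255.255 outside
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
ACCESS_RE = re.compile(r"^(ssh|telnet)\s+([\d.]+)\s+([\d.]+)\s+(\S+)$")


def audit_mgmt_access(config):
    """Return (config line, finding) pairs for risky management-access rules."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Interface name -> security level; security0 is the untrusted side.
    levels = {}
    for ln in lines:
        m = NAMEIF_RE.match(ln)
        if m:
            levels[m.group(1)] = int(m.group(2))
    findings = []
    for ln in lines:
        m = ACCESS_RE.match(ln)
        if not m:
            continue  # also skips "ssh timeout 5" / "telnet timeout 5"
        proto, addr, mask, ifname = m.groups()
        if levels.get(ifname) != 0:
            continue  # only rules on the security0 interface are checked here
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if proto == "telnet":
            findings.append((ln, "telnet rule on security0 interface; use ssh or telnet over VPN"))
        elif net.prefixlen == 0:
            findings.append((ln, "ssh permitted from any source address; restrict to admin hosts"))
    return findings


if __name__ == "__main__":
    for line, finding in audit_mgmt_access(SAMPLE_CONFIG):
        print(f"{line}\n    -> {finding}")
```
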
