
New Member

Opening port 22 in pix 501

I would like to open a port 22 (SSH) on the PIX 501. What commands do I need?

Thanks

8 REPLIES
Gold

Re: Opening port 22 in pix 501

I assume you are asking for port 22 (SSH) to be opened through the PIX so that you can connect to an internal device on port 22, or are you asking how to enable SSH on the PIX?

I’ll answer both of my assumptions:

If you are asking to allow port 22 through the PIX then you’ll require an ACL on your outside interface and a static command to map to an internal device listening on port 22.

To enable SSH access on the PIX for remote administration, you’ll need the following:

- Define a hostname

- Define a domain name

- You’ll need to generate public/private RSA keys

- Specify the address allowed to access the PIX via SSH

Example:

In configuration mode:

hostname

domain-name

To generate the RSA keys, make sure that you have DES or 3DES enabled on your PIX – you can check by issuing: sho ver

pix (config) # ca generate rsa key

Key size can be: 512, 768, 1024 or 2048 – the larger the size, the more secure the connection will be.

pix (config) # ca save all

To view your generated RSA keys, issue: show ca mypubkey rsa

To permit access via SSH:

pix (config) # ssh

Ex:

SSH from outside – allowing any SSH connection:

pix (config) # ssh 0 0 outside

To allow a particular outside network access via SSH:

pix (config) # ssh 255.255.255.255 outside

Same for inside clients access via SSH but change the interface name from outside to inside.

To allow port 22 through the PIX to an internal device:

In configuration mode:

access-list outside_in permit tcp any host eq 22

access-group outside_in in interface outside

static (inside,outside) tcp interface 22 22 netmask 255.255.255.255 0 0

If you have an available public IP address, then you can substitute the with your public IP address and also change the static command accordingly, i.e. replace the interface keyword with your public IP.

Save with: write mem and also issue: clear xlate

From a security point of view, I would not recommend allowing 'any' connections via SSH. Instead I would recommend allowing a known host, i.e. a host-to-host connection.

You can obtain the SSH client freely; go to Google and search for putty.exe.

I hope all the above helps; let me know how you get on.

Jay

New Member

Re: Opening port 22 in pix 501

Hi, thanks for the quick reply. Could you tell me exactly which IP this is -

Also, how can I lock it down to a known host as you suggested?

Thanks again

Gold

Re: Opening port 22 in pix 501

, that's the outside interface IP of the PIX. You can verify this by looking at "ip address outside xxx.xxx.xxx.xxx".

To further restrict SSH access to the PIX:

ssh outside

With the keyword outside, it means SSH access is available on the outside interface. In case you want to SSH rather than telnet from the internal network in order to maximise the security level, you can use:

ssh inside

Gold

Re: Opening port 22 in pix 501

As Jack explained in his post.

Jay

New Member

Re: Opening port 22 in pix 501

Unable to open ports; we followed all the instructions, still the same problem.

Gold

Re: Opening port 22 in pix 501

According to the latest config, the command below is missing:

ssh outside

e.g.

ssh 10.0.0.1 255.255.255.255 outside

With the command above, any host with IP 10.0.0.1 will be able to initiate an SSH session to the PIX. Further, you can apply a network with the command instead of a single host.

Gold

Re: Opening port 22 in pix 501

In case you want to open SSH access for all (testing purposes), you still need to configure it on the PIX as below:

ssh 0.0.0.0 0.0.0.0 outside

Cisco Employee

Re: Opening port 22 in pix 501

Looking at your PIX config, you cannot SSH to your PIX from outside, but only from inside.

Note the following statement:

static (inside,outside) tcp interface ssh 192.168.2.110 ssh

Instead of terminating the SSH connection on the PIX, it gets bypassed to the inside host 192.168.2.110.

If you remove this static command from the PIX config, then you would be able to access the PIX via SSH from outside.

Rahul Pathania

rpathani@cisco.com
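The two configurations discussed in this thread (SSH management access to the PIX itself, and forwarding port 22 through the PIX to an internal host) are pulled together below as an added example; it is not configuration posted by any of the participants. It assumes PIX 6.3 command syntax, and the hostname, domain name and addresses (203.0.113.1 as the outside interface, 198.51.100.25 as a trusted admin workstation, 192.168.2.110 as the internal SSH server from the last reply) are constructed placeholders to be replaced with your own. It goes one step beyond the thread by publishing the internal host on outside port 2222 instead of 22, so that the static no longer captures the PIX's own SSH listener (the conflict described in the last reply) and both uses can coexist. The lines beginning with "!" are annotations for the reader, not commands to paste.

```cisco
! Added example; constructed values, PIX 6.3 syntax assumed.
!
! --- 1. SSH management access to the PIX itself ---
hostname pix501
domain-name example.com
ca generate rsa key 1024
ca save all

! Weak setting: any source address may reach the PIX SSH daemon on the outside interface.
! ssh 0.0.0.0 0.0.0.0 outside

! Corrected: only the admin workstation from outside, the LAN from inside,
! and idle sessions are dropped after 5 minutes.
ssh 198.51.100.25 255.255.255.255 outside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5

! --- 2. Forwarding SSH through the PIX to the internal host ---
! Outside port 2222 on the interface address is translated to port 22
! on 192.168.2.110; outside port 22 stays with the PIX's own SSH service.
static (inside,outside) tcp interface 2222 192.168.2.110 22 netmask 255.255.255.255 0 0

! Weak setting: the forwarded port is reachable from the whole Internet.
! access-list outside_in permit tcp any host 203.0.113.1 eq 2222

! Corrected: only the trusted workstation may reach the forwarded port.
access-list outside_in permit tcp host 198.51.100.25 host 203.0.113.1 eq 2222
access-group outside_in in interface outside

! Flush existing translations so the new static takes effect, then save.
clear xlate
write memory
```

After applying it, "show ssh sessions" on the PIX should show only sessions from the permitted addresses, and a connection from the admin workstation to 203.0.113.1 port 2222 should land on the internal host while port 22 still reaches the PIX.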
