SSH client fails to connect through pix 501

dgrigg
Level 1

Howdy;

Can anyone give me some quick pointers on the configuration of either the PIX or the SSH client (SSH.com) for access from inside?

Client appears to connect and host displays connect message including the correct time of the last attempted login, but no command prompt is ever returned.

Both client and pix501 are essentially default config except for site-specific IP, login info, etc.

5 Replies

scotthale
Level 1

Here is how I recently configured SSH to several PIX501's w/ 6.2, no AAA. I use Secure CRT from VanDyke as my SSH Client on WIN2K Pro.

Remember, without a AAA server, there is no individual username, the username is always "pix" + the configured "telnet" password:

1. Modify the hostname and domain-name to your specifications, and create a telnet password using the "passwd" command.

2. Generate the RSA key-pair

{conf t} ca generate rsa key (I use 1024)

3. If you want to view the key, "show ca mypubkey rsa"

4. The RSA key needs to be saved with an additional command "ca save all" or it will not write to mem

{conf t} ca save all

5. Configure ssh acl's to permit hosts or networks to access the pix via ssh

{conf t} ssh

6. Modify the session inactivity timer if necessary

{conf t} ssh timeout (1-60)

7. Test with ssh client using ssh1 (and 3des)

Should work........good luck.

Scott
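The seven steps above written out as the PIX 6.2 commands they correspond to. This is an added example, not scotthale's own configuration; the hostname, domain, password and the 10.1.1.0/24 management subnet are constructed placeholder values.

```text
! Added example: PIX 6.2 CLI for the steps in the post above.
! Hostname, domain, password and the 10.1.1.0/24 subnet are placeholders.
pixfirewall# configure terminal
pixfirewall(config)# hostname pix501
pix501(config)# domain-name example.com
! Step 1: the telnet/SSH password. Without AAA you log in as user "pix" with it.
pix501(config)# passwd S3cureP4ss
! Step 2: generate the RSA key pair the PIX presents to SSH clients
pix501(config)# ca generate rsa key 1024
! Step 3 (optional): view the public key, e.g. to check it against what the client shows
pix501(config)# show ca mypubkey rsa
! Step 4: persist the key; "write memory" alone does not save it
pix501(config)# ca save all
! Step 5: permit SSH only from the management subnet on the inside interface
pix501(config)# ssh 10.1.1.0 255.255.255.0 inside
! Step 6: disconnect idle sessions after 15 minutes (range 1-60)
pix501(config)# ssh timeout 15
! Save the rest of the running configuration
pix501(config)# write memory
! Verify the SSH settings and any active sessions
pix501(config)# show ssh
```

Keeping the `ssh` permit list to a single management subnet is the main control here: any host not matched by it is refused before authentication is attempted.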

Thanks Scott, I'll give that a try when I do set up ssh to the pix.

A word of clarification: I'm attempting to set up ssh from an internal client to an external host outside of my network rather than to the PIX itself. It appears that the pix is blocking traffic, but it may well be that the client needs to be configured to go through the pix.

If anyone can help me out I'd appreciate it.

Do you have the 3des feature key? If you don't, your ssh client might be configured for 3des only, and sensing weaker crypto levels, it may auto fail - my 501 at home only has single des key, and putty was failing against it until I tweaked it

Thanks, I'll look at that when I do ultimately set up SSH to the pix itself.

My concern today however is getting the SSH client to connect to a host outside of my network. Any ideas?

Some SSH servers do a reverse DNS lookup using the IP address of the connecting SSH client. This is a kind of authentication feature.

If the IP address of your client is not registered in DNS, your connection will fail. Nevertheless, sometimes it is possible to disable this feature.

Edgar
