Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SSH client fails to connect through pix 501


Can anyone give me some quick pointers on the configuration of either the PIX or the SSH client ( for access from inside?

Client appears to connect and host displays connect message including the correct time of the last attempted login, but no command prompt is ever returned.

Both client and pix501 are essentially default config except for site-specific IP, login info, etc.

New Member

Re: SSH client fails to connect through pix 501

Here is how I recently configured SSH to several PIX501's w/ 6.2, no AAA. I use Secure CRT from VanDyke as my SSH Client on WIN2K Pro.

Remember, without a AAA server, there is no individual username, the username is always "pix" + the configured "telnet" password:

1. Modify the hostname and domin-name to your specifications, and create a telnet password using the "passwrd" command.

2. Generate the RSA key-pair

{conf t} ca generate rsa key (I use 1024)

3. If you want to view the key, "show ca mypubkey rsa"

4. The RSA key needs to be saved with an additional command "ca save all" or it will not write to mem

{conf t} ca save all

5. Configure ssh acl's to permit hosts or networks to access the pix via ssh

{conf t} ssh

6. Modify the session inactivity timer if necessary

{conf t} ssh timeout (1-60)

7. Test with ssh client using ssh1 (and 3des)

Should work........good luck.


New Member

Re: SSH client fails to connect through pix 501

Thanks Scott, I'll give that a try when I do set up ssh to the pix.

A word of clarification: I'm attempting to set up ssh from an internal client to an external host outside of my network rather than to the PIX itself. It appears that the pix is blocking traffic, but it may well be that the client needs to be configured to go through the pix.

If anyone can help me out I'd appreaciate it.


Re: SSH client fails to connect through pix 501

Do you have the 3des feature key? If you don't, your ssh client might be configured for 3des only, and sensing weaker crypto levels, it may auto fail - my 501 at home only has single des key, and putty was failing against it until I tweaked it

New Member

Re: SSH client fails to connect through pix 501

Thanks, I'll look at that when I do ultimately set up SSH to the pix itself.

My concern today however is getting the SSH client to connect to a host outside of my network. Any ideas?

New Member

Re: SSH client fails to connect through pix 501

Some SSH-Server are doing a reverse dns lookup using the ip address of the connecting ssh client. This is a kind of authentication feature.

If the ip address of your client is not registered in dns your connection will fail. Nevertheless, sometimes it is possible to disable this feature.


CreatePlease to create content