02-12-2003 06:57 PM - edited 02-20-2020 10:33 PM
Howdy;
Can anyone give me some quick pointers on the configuration of either the PIX or the SSH client (SSH.com) for access from inside?
Client appears to connect and host displays connect message including the correct time of the last attempted login, but no command prompt is ever returned.
Both client and pix501 are essentially default config except for site-specific IP, login info, etc.
02-13-2003 03:19 AM
Here is how I recently configured SSH to several PIX501's w/ 6.2, no AAA. I use Secure CRT from VanDyke as my SSH Client on WIN2K Pro.
Remember, without an AAA server there is no individual username; the username is always "pix" + the configured "telnet" password:
1. Modify the hostname and domain-name to your specifications, and create a telnet password using the "passwd" command.
2. Generate the RSA key-pair
{conf t} ca generate rsa key
3. If you want to view the key, "show ca mypubkey rsa"
4. The RSA key needs to be saved with an additional command "ca save all" or it will not write to mem
{conf t} ca save all
5. Configure ssh acl's to permit hosts or networks to access the pix via ssh
{conf t} ssh
6. Modify the session inactivity timer if necessary
{conf t} ssh timeout
7. Test with ssh client using ssh1 (and 3des)
Should work........good luck.
Scott
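Scott's steps above, assembled into one PIX 6.2 configuration session as an added example (this is not Scott's own posted configuration). The hostname, domain name, RSA modulus size, inside management subnet and idle timeout are assumed values; substitute your own.

```text
! Added example, not from the original post. All values below are assumed.
pixfirewall# configure terminal
! Step 1: hostname, domain-name and the telnet/SSH password (SSH user is "pix" without AAA)
pixfirewall(config)# hostname pix501
pix501(config)# domain-name example.com
pix501(config)# passwd MyS3cretPass
! Step 2: generate the RSA key pair the SSH server will use (assumed 1024-bit modulus)
pix501(config)# ca generate rsa key 1024
! Step 3: inspect the generated public key
pix501(config)# show ca mypubkey rsa
! Step 4: "write memory" does not persist the key; save it explicitly
pix501(config)# ca save all
! Step 5: permit SSH only from the inside management subnet (assumed 192.168.1.0/24)
pix501(config)# ssh 192.168.1.0 255.255.255.0 inside
! Step 6: idle timeout in minutes (assumed 10)
pix501(config)# ssh timeout 10
pix501(config)# write memory
```

Step 7 is then a connection from a permitted host as user "pix" with the telnet password, using an SSHv1-capable client with 3DES selected. Two practitioner caveats that are my own, not from the thread: PIX 6.x speaks only SSH protocol 1, which is long deprecated, so keep the "ssh" host/network statements as tight as possible rather than opening SSH to whole interfaces; and without the 3DES feature key the PIX negotiates single DES, so a client that refuses DES will fail exactly as described in the later reply.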
02-13-2003 05:23 AM
Thanks Scott, I'll give that a try when I do set up ssh to the pix.
A word of clarification: I'm attempting to set up ssh from an internal client to an external host outside of my network rather than to the PIX itself. It appears that the pix is blocking traffic, but it may well be that the client needs to be configured to go through the pix.
If anyone can help me out I'd appreciate it.
02-13-2003 09:12 AM
Do you have the 3DES feature key? If you don't, your SSH client might be configured for 3DES only and, sensing weaker crypto levels, it may auto-fail. My 501 at home only has a single-DES key, and PuTTY was failing against it until I tweaked it.
02-13-2003 12:24 PM
Thanks, I'll look at that when I do ultimately set up SSH to the pix itself.
My concern today however is getting the SSH client to connect to a host outside of my network. Any ideas?
02-14-2003 06:26 AM
Some SSH servers do a reverse DNS lookup using the IP address of the connecting SSH client. This is a kind of authentication feature.
If the IP address of your client is not registered in DNS, your connection will fail. Nevertheless, sometimes it is possible to disable this feature.
Edgar