
Pix 501 SSH and Telnet Connections

Posted on 2003-10-22
Last Modified: 2013-11-16
I have a PIX 501 and I thought I had programmed my PIX to allow Telnet and SSH connections so I can remotely configure it. Is it possible I have missed a line? When I try to connect to the PIX, either internally or externally, using PuTTY, it does not connect properly. When I use a cmd prompt and a telnet session, it tries to connect to the PIX but then after a few seconds (20) I get a connect failed: "Could not open port open a connection on host port 23."

Here is my code...
where a.a.a.a = my remote web server external IP
b.b.b.b = my remote web server internal IP
c.c.c.c = my remote Pix outside address IP
d.d.d.d = my local PIX506 address
e.e.e.e = my DNS gateway

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password CY83yzgVOMZsF9pj encrypted
passwd CY83yzgVOMZsF9pj encrypted
hostname hostname
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit icmp any any
access-list 100 permit icmp any any
access-list 100 permit tcp any host a.a.a.a eq www
access-list 100 permit tcp any host a.a.a.a eq pcanywhere-data
access-list 100 permit tcp any host a.a.a.a eq 3389
access-list 100 permit udp any host a.a.a.a eq pcanywhere-status
access-list 100 permit tcp any host a.a.a.a eq 5632
access-list acl_in permit tcp any any eq www
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside c.c.c.c 255.255.255.224
ip address inside 172.32.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) a.a.a.a b.b.b.b netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 e.e.e.e 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet d.d.d.d 255.255.255.255 outside
telnet 172.30.0.0 255.255.0.0 inside
telnet timeout 5
ssh d.d.d.d 255.255.255.255 outside
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:8108c4e9d1c99273323de2cb24d1ff75
: end


Also, how do I limit my Windows Terminal Services client access to my domain only? Can I change this line from "access-list 100 permit tcp any host a.a.a.a eq 3389" to "access-list 100 permit tcp d.d.d.d a.a.a.a eq 3389"?

Thanks in advance
t.
Question by:thomas610
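A PIX only answers a telnet or SSH session when the client's source address matches a `telnet`/`ssh` line for the interface the session arrives on; in the posted config SSH is listed for the outside interface only, while telnet is listed for both. The checker below is an added example, not code from the thread or from Cisco: it parses those lines plus the `access-list 100` entries from a constructed excerpt (documentation addresses stand in for a.a.a.a and d.d.d.d) and reports which client can reach which protocol and which admin ports are open to any source.

```python
import ipaddress

# Constructed excerpt modelled on the PIX 6.2 config in the question;
# documentation addresses replace the author's a.a.a.a / d.d.d.d.
SAMPLE_CONFIG = """\
telnet 198.51.100.7 255.255.255.255 outside
telnet 172.30.0.0 255.255.0.0 inside
ssh 198.51.100.7 255.255.255.255 outside
access-list 100 permit tcp any host 203.0.113.10 eq www
access-list 100 permit tcp any host 203.0.113.10 eq 3389
access-list 100 permit tcp any host 203.0.113.10 eq pcanywhere-data
"""

# Destination ports that expose an admin or remote-control service.
ADMIN_PORTS = {"3389", "pcanywhere-data", "5631", "5632", "telnet", "ssh", "22", "23"}


def parse_mgmt_access(config):
    """Map (protocol, interface) -> permitted source networks, taken from
    the PIX 'telnet <ip> <mask> <if>' and 'ssh <ip> <mask> <if>' lines."""
    access = {}
    for line in config.splitlines():
        p = line.split()
        if len(p) == 4 and p[0] in ("telnet", "ssh"):
            net = ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False)
            access.setdefault((p[0], p[3]), []).append(net)
    return access


def can_manage(config, proto, iface, client_ip):
    """True if client_ip may open `proto` on interface `iface`. A source with
    no matching entry is dropped before any prompt, so the client just sees
    a connection that never completes."""
    nets = parse_mgmt_access(config).get((proto, iface), [])
    return any(ipaddress.ip_address(client_ip) in n for n in nets)


def findings(config):
    """Defender-side review of the management surface of the config."""
    out = []
    for proto, iface in parse_mgmt_access(config):
        if proto == "telnet" and iface == "outside":
            out.append(f"cleartext telnet permitted on {iface}; prefer ssh")
    for line in config.splitlines():
        p = line.split()
        # access-list <name> permit tcp <src> host <dst> eq <port>
        if p[:1] == ["access-list"] and "permit" in p and p[-2] == "eq":
            src = p[p.index("permit") + 2]
            if src == "any" and p[-1] in ADMIN_PORTS:
                out.append(f"admin port {p[-1]} open to any source: {line.strip()}")
    return out
```

Running `can_manage(SAMPLE_CONFIG, "ssh", "inside", "172.30.1.20")` returns False because no `ssh ... inside` line exists, which is exactly the silent failure an internal PuTTY session would show.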
Expert Comment

by:sh00t3r
ID: 9602033
You created the specific entries for turning on Telnet and SSH but you didn't configure ACL's to allow the traffic in.

And yes you can configure the terminal service ACL to only allow access to the specific ip range.


Author Comment

by:thomas610
ID: 9629097
Any advice on why my SSH does not want to connect? I have been trying to connect using PuTTY and 1 or 2 DES. When I go to connect, I just get a screen flash as the connection happens.

ssh d.d.d.d 255.255.255.255 outside - is my local PIX506 address

I have my telnet working properly.

thanks -

t.

Accepted Solution

by: sh00t3r (earned 750 total points)
ID: 9630685
Mmm. Have you tried using a different SSH client? Perhaps the standard non-commercial version of SSH, available here. I've seen PuTTY give me a ton of problems before.

http://www.ssh.com/support/downloads/secureshellwks/non-commercial.html


Expert Comment

by:al3x_
ID: 9967036
Well, according to Cisco, the PIX provides the SSH1 protocol with single DES (use user "pix" for the initial login). I've had some positive results with the freeware TeraTerm + TTSSH (SSH 1.5 protocol), the commercial SecureCRT (in SSH1 mode, single DES), and the Linux command-line client.