Solved

Pix 501 SSH and Telnet Connections

Posted on 2003-10-22
Last Modified: 2013-11-16
I have a PIX 501 and I thought I had programmed my PIX to allow telnet and SSH connections so I can remotely configure my PIX. Is it possible I have missed a line? When I try to connect to the PIX either internally or externally using PuTTY, it does not connect properly. When I use a cmd prompt and a telnet session, it tries to connect to the PIX but then after a few seconds (20) I get a connect failed. Could not open port open a connection on host port 23.

Here is my code...
where a.a.a.a = my remote web server external IP
b.b.b.b = my remote web server internal IP
c.c.c.c = my remote Pix outside address IP
d.d.d.d = my local PIX506 address
e.e.e.e = my DNS gateway

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password CY83yzgVOMZsF9pj encrypted
passwd CY83yzgVOMZsF9pj encrypted
hostname hostname
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit icmp any any
access-list 100 permit icmp any any
access-list 100 permit tcp any host a.a.a.a eq www
access-list 100 permit tcp any host a.a.a.a eq pcanywhere-data
access-list 100 permit tcp any host a.a.a.a eq 3389
access-list 100 permit udp any host a.a.a.a eq pcanywhere-status
access-list 100 permit tcp any host a.a.a.a eq 5632
access-list acl_in permit tcp any any eq www
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside c.c.c.c 255.255.255.224
ip address inside 172.32.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) a.a.a.a b.b.b.b netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 e.e.e.e 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet d.d.d.d 255.255.255.255 outside
telnet 172.30.0.0 255.255.0.0 inside
telnet timeout 5
ssh d.d.d.d 255.255.255.255 outside
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:8108c4e9d1c99273323de2cb24d1ff75
: end


Also, how do I limit my Windows Terminal Client Services access to my domain only? Can I change this line from access-list 100 permit tcp any host a.a.a.a eq 3389 to access-list 100 permit tcp d.d.d.d a.a.a.a eq 3389?

Thanks in advance
t.
Question by:thomas610
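An added audit helper, written for this page and not part of the original post or of Cisco's tooling: it parses PIX 6.x access-list lines of the form shown above (`eq PORT` rules only), flags permits that let `any` source reach a remote-administration port, and rewrites such a rule to a single-host source using the `host` keyword that PIX syntax requires. a.a.a.a and d.d.d.d keep the placeholder meaning given in the post; the sample ACL is constructed from the posted configuration.

```python
import re

# Remote-administration ports worth flagging when reachable from 'any' source.
# PIX accepts numeric ports or names; pcAnywhere's names resolve to 5631/5632.
MGMT_PORTS = {"telnet": 23, "23": 23, "ssh": 22, "22": 22, "3389": 3389,
              "pcanywhere-data": 5631, "5631": 5631, "pcanywhere-status": 5632, "5632": 5632}

# PIX 6.x extended ACL: source and destination are 'any', 'host A', or 'A MASK'.
# Only the 'eq PORT' form is handled; other lines parse to None.
ACL_RE = re.compile(
    r"^access-list (?P<id>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?$")

# Constructed sample: the Internet-facing ACL from the posted configuration,
# with a.a.a.a kept as the placeholder for the web server's public address.
SAMPLE_CONFIG = """\
access-list 100 permit icmp any any
access-list 100 permit tcp any host a.a.a.a eq www
access-list 100 permit tcp any host a.a.a.a eq pcanywhere-data
access-list 100 permit tcp any host a.a.a.a eq 3389
access-list 100 permit udp any host a.a.a.a eq pcanywhere-status
access-list 100 permit tcp any host a.a.a.a eq 5632
access-list acl_in permit tcp any any eq www
"""

def parse_acl(line):
    """Return the fields of one access-list line, or None for any other line."""
    m = ACL_RE.match(line.strip())
    return m.groupdict() if m else None

def exposed_mgmt_rules(config_text):
    """List (acl_id, port, destination) for permits letting any source reach a management port."""
    findings = []
    for line in config_text.splitlines():
        rule = parse_acl(line)
        if not rule or rule["action"] != "permit" or rule["src"] != "any":
            continue
        port = MGMT_PORTS.get((rule["port"] or "").lower())
        if port is not None:
            findings.append((rule["id"], port, rule["dst"]))
    return findings

def restrict_source(line, source_ip):
    """Narrow an 'any'-source rule to one host; PIX reads 'd.d.d.d a.a.a.a' as address+mask, so 'host' is needed."""
    rule = parse_acl(line)
    if not rule or rule["src"] != "any":
        raise ValueError("expected an access-list line whose source is 'any'")
    port = f" eq {rule['port']}" if rule["port"] else ""
    return (f"access-list {rule['id']} {rule['action']} {rule['proto']} "
            f"host {source_ip} {rule['dst']}{port}")
```

Running `exposed_mgmt_rules(SAMPLE_CONFIG)` reports the pcAnywhere and 3389 rules as open to any source, and `restrict_source(<the 3389 line>, "d.d.d.d")` yields the single-host form of the rule asked about in the question.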
4 Comments
 
LVL 2

Expert Comment

by:sh00t3r
ID: 9602033
You created the specific entries for turning on Telnet and SSH, but you didn't configure ACLs to allow the traffic in.

And yes you can configure the terminal service ACL to only allow access to the specific ip range.


Author Comment

by:thomas610
ID: 9629097
Any advice on why my SSH does not want to connect? I have been trying to connect using PuTTY and 1 or 2 DES. When I go to connect, I just get a screen flash as the connection happens.

ssh d.d.d.d 255.255.255.255 outside - is my local PIX506 address

I have my telnet working properly.

thanks -

t.

Accepted Solution

by:sh00t3r earned 250 total points
ID: 9630685
Mmm. Have you tried using a different SSH client? Perhaps the standardized, non-commercial version of SSH, available here... I've seen PuTTY give me a ton of problems before.

http://www.ssh.com/support/downloads/secureshellwks/non-commercial.html


Expert Comment

by:al3x_
ID: 9967036
Well, according to Cisco, PIX provides the SSH1 protocol, single DES (user "pix" to get the initial login). I've had some positive results with freeware TeraTerm+TTSSH (SSH 1.5 protocol), commercial SecureCRT (in ssh1 mode, single DES) and the Linux command-line client.
