PIX 501, SSH, PuTTy and Username
I set up SSH on a PIX 501 using the below config. However when i try to connect to PIX via SSH, SSH asks for a username and password. I don't have a username for the SSH. I only setup a password. If I need to set up an SSH username in PIX's SSH config, how would I? Though I don't think I have to.
Do I need a password? And if not, why do I continue to get the 'access denied'?
Also, do I need a specific port opened to get to the PIX via SSH from the outside?
Thanks in advance.
Cepolly
hostname myfirewall
domain-name mydomain.mytld
ca gen rsa key 1024
ssh x.x.x.x 255.255.255.255 inside
0.0.0.0 0.0.0.0 outside
ssh timeout 60
passwd YourPasswordGoesHere
ca save all
Do I need a password? And if not, why do I continue to get the 'access denied'?
Also, do I need a specific port opened to get to the PIX via SSH from the outside?
Thanks in advance.
Cepolly
hostname myfirewall
domain-name mydomain.mytld
ca gen rsa key 1024
ssh x.x.x.x 255.255.255.255 inside
0.0.0.0 0.0.0.0 outside
ssh timeout 60
passwd YourPasswordGoesHere
ca save all
the default username is "pix"
ASKER
pix does work as the username. Thanks.
I applied this line below:
ssh 0.0.0.0 0.0.0.0 outside
However, I cannot connect from the outside.
Do I need to allow ssh through as part of my access-list?
Thanks,
Cepolly
I applied this line below:
ssh 0.0.0.0 0.0.0.0 outside
However, I cannot connect from the outside.
Do I need to allow ssh through as part of my access-list?
Thanks,
Cepolly
No, you don't need to add ssh to the access-list on the PIX. Do you have an external router that also has an access-list? If yes, then of course that needs to be modified..
Do you get any error message?
Can you connect to it from the inside with PUtty?
How are you setting up Putty? Are you using the correct encrytion? Do you have encryption enabled on the PIX? Use "show ver" and see if DES and/or 3DES is enabled. Setup your putty client appropriately.
Do you get any error message?
Can you connect to it from the inside with PUtty?
How are you setting up Putty? Are you using the correct encrytion? Do you have encryption enabled on the PIX? Use "show ver" and see if DES and/or 3DES is enabled. Setup your putty client appropriately.
Did you setup your client to use SSH1 vs SSH2?
ASKER
ssh1
Have you tried a different SSH client? I use SecureShell from http://www.ssh.com
It's free for personal use..
It's free for personal use..
ASKER
I didn't think I needed to set ut up via an access-list as I was at one point able to get the login prompt.
Yes I can connect from the inside.
Using SSH1
error is just a timeout.
DES is enabled.
Yes I can connect from the inside.
Using SSH1
error is just a timeout.
DES is enabled.
>I was at one point able to get the login prompt
But now you can't?
What changed? Can you reverse any changes and get it back?
But now you can't?
What changed? Can you reverse any changes and get it back?
ASKER
I installed the SSH client from SSH.com. Very nice client.
I get a host unreachable when trying to connect.
I get a host unreachable when trying to connect.
Can you ping the outside interface of the PIX?
Try a traceroute from where you are to the PIX..
Can you https to the PIX to get the web PDM interface?
you would have to add:
http 0.0.0.0 0.0.0.0 outside
Then be sure to remove that as soon as you've completed testing, else lock it down to specific IP addresses.
Are you trying from behind another firewall, or on direct broadband/dialup connection?
Try a traceroute from where you are to the PIX..
Can you https to the PIX to get the web PDM interface?
you would have to add:
http 0.0.0.0 0.0.0.0 outside
Then be sure to remove that as soon as you've completed testing, else lock it down to specific IP addresses.
Are you trying from behind another firewall, or on direct broadband/dialup connection?
ASKER
I already have https set up on a webserver which has a redirect from http to https for that IP.
The IP for the web server and the outside interface are the same.
I'm not sure how I would get PDM working this way.
The IP for the web server and the outside interface are the same.
I'm not sure how I would get PDM working this way.
ASKER
Here is the full config.
I am not sure what has changed other than the reapplication of the rsa cert.
I should be able to connect via ssh.
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6ztx/UAvbLi8D0Sn encrypted
passwd 6ztx/UAvbLi8D0Sn encrypted
hostname pixfirewall
domain-name ****.net
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.100 Bigdog
name 192.168.1.3 ***PMS
name 192.168.1.5 OWA***
name 192.168.1.1 APPSERVER
object-group service pcANY tcp
description pcANYwhere
port-object range 65301 65301
port-object eq pcanywhere-data
port-object range pcanywhere-data 5632
object-group service TermServ tcp
description RDP
port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list letmein remark inbound traffic
access-list letmein permit tcp any host x.x.x.194 eq smtp
access-list letmein permit tcp any host x.x.x.194 eq www
access-list letmein permit tcp any host x.x.x.194 eq https
access-list letmein permit tcp any host x.x.x.194 eq pop3
access-list letmein permit tcp any host x.x.x.194 eq imap4
access-list letmein permit tcp any host x.x.x.194 eq pcanywhere-data
access-list letmein permit tcp any host x.x.x.194 eq 3389
access-list letmein permit udp any host x.x.x.194 eq 3389
access-list letmein permit udp any host x.x.x.194 eq 65301
access-list letmein permit tcp any host x.x.x.194 eq 65301
access-list letmein permit udp any host x.x.x.194 eq 143
access-list letmein permit udp any host x.x.x.194 eq 220
access-list letmein permit tcp any host x.x.x.194 eq 220
access-list letmein permit tcp any host x.x.x.194 eq 585
access-list letmein permit udp any host x.x.x.194 eq 585
access-list letmein permit udp any host x.x.x.194 eq 993
access-list letmein permit tcp any host x.x.x.194 eq 993
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.20 255.255.255.0
ip verify reverse-path interface outside
ip audit name OutAttack attack action drop reset
ip audit interface outside OutAttack
ip audit info action alarm
ip audit attack action alarm
ip local pool ***-VPN-GROUP 192.168.1.200-192.168.1.25
pdm location Bigdog 255.255.255.255 inside
pdm location ***pms 255.255.255.255 inside
pdm location owa*** 255.255.255.255 inside
pdm location APPSERVER 255.255.255.255 inside
pdm location x.x.x.244 255.255.255.255 outside
pdm location x.x.x.244 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) udp interface 143 ***pms 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 ***pms imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 ***pms pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www owa*** www netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 owa*** 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 owa*** 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https owa*** https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pcanywhere-data APPSERVER pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5631 APPSERVER 5631 netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status APPSERVER pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 APPSERVER 5632 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 65301 APPSERVER 65301 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 65301 APPSERVER 65301 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp ***pms smtp netmask 255.255.255.255 0 0
access-group letmein in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http x.x.x.244 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup ***-VPN-USERS idle-time 1800
telnet x.x.x.244 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.244 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh ***pms 255.255.255.255 inside
ssh owa*** 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname *****ron
vpdn group pppoex ppp authentication pap
vpdn username *****ron password *********
dhcpd address 192.168.1.22-192.168.1.129
dhcpd dns 205.152.0.5 216.4.122.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain *****ron.com
dhcpd auto_config outside
terminal width 80
Cryptochecksum:56d1e08be56
: end
I am not sure what has changed other than the reapplication of the rsa cert.
I should be able to connect via ssh.
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6ztx/UAvbLi8D0Sn encrypted
passwd 6ztx/UAvbLi8D0Sn encrypted
hostname pixfirewall
domain-name ****.net
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.100 Bigdog
name 192.168.1.3 ***PMS
name 192.168.1.5 OWA***
name 192.168.1.1 APPSERVER
object-group service pcANY tcp
description pcANYwhere
port-object range 65301 65301
port-object eq pcanywhere-data
port-object range pcanywhere-data 5632
object-group service TermServ tcp
description RDP
port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list letmein remark inbound traffic
access-list letmein permit tcp any host x.x.x.194 eq smtp
access-list letmein permit tcp any host x.x.x.194 eq www
access-list letmein permit tcp any host x.x.x.194 eq https
access-list letmein permit tcp any host x.x.x.194 eq pop3
access-list letmein permit tcp any host x.x.x.194 eq imap4
access-list letmein permit tcp any host x.x.x.194 eq pcanywhere-data
access-list letmein permit tcp any host x.x.x.194 eq 3389
access-list letmein permit udp any host x.x.x.194 eq 3389
access-list letmein permit udp any host x.x.x.194 eq 65301
access-list letmein permit tcp any host x.x.x.194 eq 65301
access-list letmein permit udp any host x.x.x.194 eq 143
access-list letmein permit udp any host x.x.x.194 eq 220
access-list letmein permit tcp any host x.x.x.194 eq 220
access-list letmein permit tcp any host x.x.x.194 eq 585
access-list letmein permit udp any host x.x.x.194 eq 585
access-list letmein permit udp any host x.x.x.194 eq 993
access-list letmein permit tcp any host x.x.x.194 eq 993
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.20 255.255.255.0
ip verify reverse-path interface outside
ip audit name OutAttack attack action drop reset
ip audit interface outside OutAttack
ip audit info action alarm
ip audit attack action alarm
ip local pool ***-VPN-GROUP 192.168.1.200-192.168.1.25
pdm location Bigdog 255.255.255.255 inside
pdm location ***pms 255.255.255.255 inside
pdm location owa*** 255.255.255.255 inside
pdm location APPSERVER 255.255.255.255 inside
pdm location x.x.x.244 255.255.255.255 outside
pdm location x.x.x.244 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) udp interface 143 ***pms 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 ***pms imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 ***pms pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www owa*** www netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 owa*** 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 owa*** 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https owa*** https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pcanywhere-data APPSERVER pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5631 APPSERVER 5631 netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status APPSERVER pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 APPSERVER 5632 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 65301 APPSERVER 65301 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 65301 APPSERVER 65301 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp ***pms smtp netmask 255.255.255.255 0 0
access-group letmein in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http x.x.x.244 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup ***-VPN-USERS idle-time 1800
telnet x.x.x.244 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.244 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh ***pms 255.255.255.255 inside
ssh owa*** 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname *****ron
vpdn group pppoex ppp authentication pap
vpdn username *****ron password *********
dhcpd address 192.168.1.22-192.168.1.129
dhcpd dns 205.152.0.5 216.4.122.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain *****ron.com
dhcpd auto_config outside
terminal width 80
Cryptochecksum:56d1e08be56
: end
try removing this line and see if it works:
>ip verify reverse-path interface outside
If not, disable IDS attack signature and try again
>ip audit interface outside OutAttack
>ip verify reverse-path interface outside
If not, disable IDS attack signature and try again
>ip audit interface outside OutAttack
ASKER
I removed both and still host not found.
I can ping the outside interface and can rdp into the network as well.
SSH version is 3.2.9.
Authentication is password.
using cipher list with only DES selected.
unsure why this will not work.
I can ping the outside interface and can rdp into the network as well.
SSH version is 3.2.9.
Authentication is password.
using cipher list with only DES selected.
unsure why this will not work.
ASKER
Well I've rulled out the client config. I dl'ed ssh client to a local server to the PIX and used the same settings as the client on the outside and was able to log right in.
But not from outside the PIX.
It's definitely something on the PIX.
But not from outside the PIX.
It's definitely something on the PIX.
Is everything else working on the pix? Can everyone on the inside get out OK?
You can try adding a line to the acl:
access-list letmein permit tcp any host x.x.x.194 eq 22
You can try adding a line to the acl:
access-list letmein permit tcp any host x.x.x.194 eq 22
Don't forget to un-apply then re-apply the acl to the interface for the change to take affect
no access-group letmein in interface outside
access-group letmein in interface outside
no access-group letmein in interface outside
access-group letmein in interface outside
ASKER
yes everything else works on the PIX.
I will unapply and then reapply and let you know.
I will unapply and then reapply and let you know.
ASKER
If I do this remotely, will i lose my connection?
I don't think so....how are you connected?
ASKER
i am connected via rdp which is part of the access group letmein.
wouldn't remove all of the access-list letmein entries?
wouldn't remove all of the access-list letmein entries?
No, it won't remove the actual access-list entries, it will just re-apply the entire list..
I went back and looked, and none of my PIX firewalls have an acl entry to permit SSH and I have no problems accessing any of them...
These are the only entries I have for ssh:
ssh 0.0.0.0 0.0.0.0 outside
ssh xx.xxx.xxx.197 255.255.255.255 outside
aaa authentication ssh console LOCAL
username lrmoore password <pw-hash> encrypted privilege 15
I went back and looked, and none of my PIX firewalls have an acl entry to permit SSH and I have no problems accessing any of them...
These are the only entries I have for ssh:
ssh 0.0.0.0 0.0.0.0 outside
ssh xx.xxx.xxx.197 255.255.255.255 outside
aaa authentication ssh console LOCAL
username lrmoore password <pw-hash> encrypted privilege 15
No, it won't remove the actual access-list entries, it will just re-apply the entire list..
I went back and looked, and none of my PIX firewalls have an acl entry to permit SSH and I have no problems accessing any of them...
These are the only entries I have for ssh:
ssh 0.0.0.0 0.0.0.0 outside
ssh xx.xxx.xxx.197 255.255.255.255 outside
aaa authentication ssh console LOCAL
username lrmoore password <pw-hash> encrypted privilege 15
I went back and looked, and none of my PIX firewalls have an acl entry to permit SSH and I have no problems accessing any of them...
These are the only entries I have for ssh:
ssh 0.0.0.0 0.0.0.0 outside
ssh xx.xxx.xxx.197 255.255.255.255 outside
aaa authentication ssh console LOCAL
username lrmoore password <pw-hash> encrypted privilege 15
sorry about the double-post...
ASKER
Thanks. So re-applying may solve all of this.
The only issue I have is that I am working remotely. When I do the 'no access-group letmein in interface outside', will I lose my remote connection via the RDP? If so, then I will need to do this in person.
Thanks.
The only issue I have is that I am working remotely. When I do the 'no access-group letmein in interface outside', will I lose my remote connection via the RDP? If so, then I will need to do this in person.
Thanks.
ASKER
Well I reapplied the access-list and still no connection. I am not sure at this point what it could be. I appreciate your help to this point.
Do you have any suggestions on where to go from here?
thanks and best regards,
Cepolly
Do you have any suggestions on where to go from here?
thanks and best regards,
Cepolly
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
what exactly does clear xlate do?
clear out connections?
clear out connections?
Yes, it clears all of the current nat translations. They will rebuild automatically, almost instantly, so nobody should lose their connections..
ASKER
Woot!!
The reset of the of the PIX worked.
I guess when all else fails, reboot the PIX.
Thanks for all the time spent lrmoore.
It's much appreciated.
Best regards,
Cepolly
The reset of the of the PIX worked.
I guess when all else fails, reboot the PIX.
Thanks for all the time spent lrmoore.
It's much appreciated.
Best regards,
Cepolly
Congrats!
Don't forget to come back and accept a comment and grade appropriately.
- Cheers!
Don't forget to come back and accept a comment and grade appropriately.
- Cheers!
ASKER
Already done and thanks again!
Suggest using local username/password
aaa authentication ssh console LOCAL
username lrmoore password <password> encrypted privilege 15
Now you can just use your own username/password.