Solved

PIX 501, SSH, PuTTy and Username

Posted on 2003-11-02
33
19,078 Views
Last Modified: 2013-11-16
I set up SSH on a PIX 501 using the below config. However when i try to connect to PIX via SSH, SSH asks for a username and password. I don't have a username for the SSH. I only setup a password. If I need to set up an SSH username in PIX's SSH config, how would I? Though I don't think I have to.

Do I need a password? And if not, why do I continue to get the 'access denied'?
Also, do I need a specific port opened to get to the PIX via SSH from the outside?

Thanks in advance.
Cepolly

hostname myfirewall
domain-name mydomain.mytld
ca gen rsa key 1024
ssh x.x.x.x 255.255.255.255 inside
0.0.0.0 0.0.0.0 outside
ssh timeout 60
passwd YourPasswordGoesHere
ca save all
0
Comment
Question by:cepolly
  • 16
  • 16
33 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9670524
Try username blank, or username pix
Suggest using local username/password

aaa authentication ssh console LOCAL
username lrmoore password <password> encrypted privilege 15

Now you can just use your own username/password.
0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9670573
the default username is "pix"
0
 
LVL 1

Author Comment

by:cepolly
ID: 9670862
pix does work as the username. Thanks.

I applied this line below:

ssh 0.0.0.0 0.0.0.0 outside

However, I cannot connect from the outside.
Do I need to allow ssh through as part of my access-list?

Thanks,
Cepolly
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9670887
No, you don't need to add ssh to the access-list on the PIX. Do you have an external router that also has an access-list? If yes, then of course that needs to be modified..
Do you get any error message?
Can you connect to it from the inside with PUtty?
How are you setting up Putty? Are you using the correct encrytion? Do you have encryption enabled on the PIX? Use "show ver" and see if DES and/or 3DES is enabled. Setup your putty client appropriately.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9670909
Did you setup your client to use SSH1 vs SSH2?
0
 
LVL 1

Author Comment

by:cepolly
ID: 9670928
ssh1
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9670953
Have you tried a different SSH client? I use SecureShell from http://www.ssh.com
It's free for personal use..
0
 
LVL 1

Author Comment

by:cepolly
ID: 9670970
I didn't think I needed to set ut up via an access-list as I was at one point able to get the login prompt.

Yes I can connect from the inside.

Using SSH1

error is just a timeout.

DES is enabled.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9671360
>I was at one point able to get the login prompt
But now you can't?
What changed? Can you reverse any changes and get it back?
0
 
LVL 1

Author Comment

by:cepolly
ID: 9671416
I installed the SSH client from SSH.com. Very nice client.

I get a host unreachable when trying to connect.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9671552
Can you ping the outside interface of the PIX?
Try a traceroute from where you are to the PIX..
Can you https to the PIX to get the web PDM interface?
 you would have to add:
  http 0.0.0.0 0.0.0.0 outside
Then be sure to remove that as soon as you've completed testing, else lock it down to specific IP addresses.
Are you trying from behind another firewall, or on direct broadband/dialup connection?
0
 
LVL 1

Author Comment

by:cepolly
ID: 9671717
I already have https set up on a webserver which has a redirect from http to https for that IP.

The IP for the web server and the outside interface are the same.

I'm not sure how I would get PDM working this way.
0
 
LVL 1

Author Comment

by:cepolly
ID: 9671802
Here is the full config.

I am not sure what has changed other than the reapplication of the rsa cert.
I should be able to connect via ssh.


PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6ztx/UAvbLi8D0Sn encrypted
passwd 6ztx/UAvbLi8D0Sn encrypted
hostname pixfirewall
domain-name ****.net
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.100 Bigdog
name 192.168.1.3 ***PMS
name 192.168.1.5 OWA***
name 192.168.1.1 APPSERVER
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list letmein remark inbound traffic
access-list letmein permit tcp any host x.x.x.194 eq smtp
access-list letmein permit tcp any host x.x.x.194 eq www
access-list letmein permit tcp any host x.x.x.194 eq https
access-list letmein permit tcp any host x.x.x.194 eq pop3
access-list letmein permit tcp any host x.x.x.194 eq imap4
access-list letmein permit tcp any host x.x.x.194 eq pcanywhere-data
access-list letmein permit tcp any host x.x.x.194 eq 3389
access-list letmein permit udp any host x.x.x.194 eq 3389
access-list letmein permit udp any host x.x.x.194 eq 65301
access-list letmein permit tcp any host x.x.x.194 eq 65301
access-list letmein permit udp any host x.x.x.194 eq 143
access-list letmein permit udp any host x.x.x.194 eq 220
access-list letmein permit tcp any host x.x.x.194 eq 220
access-list letmein permit tcp any host x.x.x.194 eq 585
access-list letmein permit udp any host x.x.x.194 eq 585
access-list letmein permit udp any host x.x.x.194 eq 993
access-list letmein permit tcp any host x.x.x.194 eq 993
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.20 255.255.255.0
ip verify reverse-path interface outside
ip audit name OutAttack attack action drop reset
ip audit interface outside OutAttack
ip audit info action alarm
ip audit attack action alarm
ip local pool ***-VPN-GROUP 192.168.1.200-192.168.1.250
pdm location Bigdog 255.255.255.255 inside
pdm location ***pms 255.255.255.255 inside
pdm location owa*** 255.255.255.255 inside
pdm location APPSERVER 255.255.255.255 inside
pdm location x.x.x.244 255.255.255.255 outside
pdm location x.x.x.244 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) udp interface 143 ***pms 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 ***pms imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 ***pms pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www owa*** www netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 owa*** 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 owa*** 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https owa*** https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pcanywhere-data APPSERVER pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5631 APPSERVER 5631 netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status APPSERVER pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 APPSERVER 5632 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 65301 APPSERVER 65301 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 65301 APPSERVER 65301 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp ***pms smtp netmask 255.255.255.255 0 0
access-group letmein in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http x.x.x.244 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup ***-VPN-USERS idle-time 1800
telnet x.x.x.244 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.244 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh ***pms 255.255.255.255 inside
ssh owa*** 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname *****ron
vpdn group pppoex ppp authentication pap
vpdn username *****ron password *********
dhcpd address 192.168.1.22-192.168.1.129 inside
dhcpd dns 205.152.0.5 216.4.122.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain *****ron.com
dhcpd auto_config outside
terminal width 80
Cryptochecksum:56d1e08be56437d89682a3d0483838c6
: end
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9672012
try removing this line and see if it works:
>ip verify reverse-path interface outside

If not, disable IDS attack signature and try again
>ip audit interface outside OutAttack
0
 
LVL 1

Author Comment

by:cepolly
ID: 9672131
I removed both and still host not found.

I can ping the outside interface and can rdp into the network as well.

SSH version is 3.2.9.
Authentication is password.
using cipher list with only DES selected.

unsure why this will not work.
0
 
LVL 1

Author Comment

by:cepolly
ID: 9673006
Well I've rulled out the client config. I dl'ed ssh client to a local server to the PIX and used the same settings as the client on the outside and was able to log right in.

But not from outside the PIX.

It's definitely something on the PIX.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 79

Expert Comment

by:lrmoore
ID: 9674167
Is everything else working on the pix? Can everyone on the inside get out OK?

You can try adding a line to the acl:

access-list letmein permit tcp any host x.x.x.194 eq 22

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9674173
Don't forget to un-apply then re-apply the acl to the interface for the change to take affect

no access-group letmein in interface outside
access-group letmein in interface outside
0
 
LVL 1

Author Comment

by:cepolly
ID: 9674539
yes everything else works on the PIX.

I will unapply and then reapply and let you know.
0
 
LVL 1

Author Comment

by:cepolly
ID: 9674566
If I do this remotely, will i lose my connection?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9674614
I don't think so....how are you connected?
0
 
LVL 1

Author Comment

by:cepolly
ID: 9674647
i am connected via rdp which is part of the access group letmein.

wouldn't remove all of the access-list letmein entries?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9675080
No, it won't remove the actual access-list entries, it will just re-apply the entire list..

I went back and looked, and none of my PIX firewalls have an acl entry to permit SSH and I have no problems accessing any of them...
These are the only entries I have for ssh:

ssh 0.0.0.0 0.0.0.0 outside
ssh xx.xxx.xxx.197 255.255.255.255 outside
aaa authentication ssh console LOCAL
username lrmoore password <pw-hash> encrypted privilege 15



0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9675085
No, it won't remove the actual access-list entries, it will just re-apply the entire list..

I went back and looked, and none of my PIX firewalls have an acl entry to permit SSH and I have no problems accessing any of them...
These are the only entries I have for ssh:

ssh 0.0.0.0 0.0.0.0 outside
ssh xx.xxx.xxx.197 255.255.255.255 outside
aaa authentication ssh console LOCAL
username lrmoore password <pw-hash> encrypted privilege 15



0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9675086
sorry about the double-post...
0
 
LVL 1

Author Comment

by:cepolly
ID: 9675768
Thanks. So re-applying may solve all of this.

The only issue I have is that I am working remotely. When I do the 'no access-group letmein in interface outside', will I lose my remote connection via the RDP? If so, then I will need to do this in person.

Thanks.
0
 
LVL 1

Author Comment

by:cepolly
ID: 9678768
Well I reapplied the access-list and still no connection. I am not sure at this point what it could be. I appreciate your help to this point.

Do you have any suggestions on where to go from here?

thanks and best regards,
Cepolly
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 9678956
Hate to say it, but perhaps rebooting the PIX might help.
You might also try "clear xlate" first.
It may have something to do with all the static port translations...but that's just a guess.
0
 
LVL 1

Author Comment

by:cepolly
ID: 9679028
what exactly does clear xlate do?

clear out connections?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9679084
Yes, it clears all of the current nat translations. They will rebuild automatically, almost instantly, so nobody should lose their connections..
0
 
LVL 1

Author Comment

by:cepolly
ID: 9679831
Woot!!

The reset of the of the PIX worked.
I guess when all else fails, reboot the PIX.

Thanks for all the time spent lrmoore.

It's much appreciated.

Best regards,
Cepolly
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9679905
Congrats!
Don't forget to come back and accept a comment and grade appropriately.

- Cheers!
0
 
LVL 1

Author Comment

by:cepolly
ID: 9679976
Already done and thanks again!
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

Suggested Solutions

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now