smeek
asked on
PIX SSH
I am having an issue with Cisco PIX and consistency in SSH. I have multiple 506E remote sites and a HQ 515E PIX. I support them from home at sometimes. I recently added a statement to all to allow SSH access.
ssh myip mysubnet outside
The HQ and a remote work, but one remote does not let me connect.
PuTTY log excerpts below.
--------------------------
Event Log: Writing new session log (SSH packets mode) to file: putty.log
Event Log: Looking up host "XX.XX.XX.XX"
Event Log: Connecting to XX.XX.XX.XX port 22
Event Log: Server version: SSH-1.5-Cisco-1.25
Event Log: We believe remote version has SSH1 ignore bug
Event Log: We believe remote version needs a plain SSH1 password
Event Log: We believe remote version can't handle RSA authentication
Event Log: We claim version: SSH-1.5-PuTTY-Release-0.53 b
Event Log: Using SSH protocol version 1
Incoming packet type 2 / 0x02 (SSH1_SMSG_PUBLIC_KEY)
Steve
ASKER
I updated it last week to newest build and added statement today. It looks like DES is enabled. See SH VER below.
Cisco PIX Firewall Version 6.3(3)124
Cisco PIX Device Manager Version 3.0(1)
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10
This PIX has a Restricted (R) license.
ASKER CERTIFIED SOLUTION
ASKER
I don't have logging enabled at remote properties. Any particular level you'd recommend?
Steve
ASKER
710001: TCP access requested from 88.88.88.88/2332 to outside:24.24.24.24/ssh
710002: TCP access permitted from 88.88.88.88/2332 to outside:24.24.24.24/ssh
315004: Fail to establish SSH session because PIX RSA host key retrieval failed.
315011: SSH session from 0.0.0.0 on interface outside for user "" disconnected by SSH server, reason: "Internal error" (0x00)
305012: Teardown dynamic TCP translation from inside:10.10.10.61/4757 to outside:24.24.24.24/21164 duration 0:00:31
302014: Teardown TCP connection 28957 for outside:66.151.115.160/820 0 to inside:10.10.10.61/4761 duration 0:00:13 bytes 210 TCP FINs
305011: Built dynamic TCP translation from inside:10.10.10.61/4763 to outside:24.153.243.114/21170
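To turn the syslog excerpt above into a repeatable check, here is an added Python example (not from this thread or from Cisco) that parses PIX message IDs and reports why an SSH login failed; the sample lines are constructed from the excerpt, and the verdict labels are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the PIX 6.3 syslog excerpt posted in this
# thread (message IDs 710001, 710002, 315004, 315011); addresses are placeholders.
SAMPLE_LOG = """\
710001: TCP access requested from 88.88.88.88/2332 to outside:24.24.24.24/ssh
710002: TCP access permitted from 88.88.88.88/2332 to outside:24.24.24.24/ssh
315004: Fail to establish SSH session because PIX RSA host key retrieval failed.
315011: SSH session from 0.0.0.0 on interface outside for user "" disconnected by SSH server, reason: "Internal error" (0x00)
305012: Teardown dynamic TCP translation from inside:10.10.10.61/4757 to outside:24.24.24.24/21164 duration 0:00:31
"""

# Optional "%PIX-<severity>-" prefix (present when sent to a syslog host), then the six-digit ID.
MSG_RE = re.compile(r"^(?:%PIX-\d-)?(\d{6}):\s*(.*)$")

def parse_line(line):
    """Return (message_id, text) for one PIX syslog line, or None if it does not parse."""
    m = MSG_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def diagnose(log_text):
    """Explain an SSH failure from a PIX syslog excerpt.

    Verdicts (labels are this example's own, not Cisco's):
      missing-rsa-host-key : 315004 seen -> 'ca generate rsa key' then 'wr mem'
      access-not-permitted : 710001 for /ssh seen but never 710002 -> check the 'ssh' statement
      ssh-internal-error   : server dropped the session (315011) for some other reason
      no-ssh-failure-seen  : nothing SSH-related failed in this excerpt
    """
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        msg_id, text = parsed
        # 7100xx messages cover every management service; keep only the SSH ones.
        if msg_id.startswith("7100") and not text.endswith("/ssh"):
            continue
        counts[msg_id] += 1
    if counts["315004"]:
        verdict = "missing-rsa-host-key"
    elif counts["710001"] and not counts["710002"]:
        verdict = "access-not-permitted"
    elif counts["315011"]:
        verdict = "ssh-internal-error"
    else:
        verdict = "no-ssh-failure-seen"
    return {"counts": dict(counts), "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```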
ASKER
OK. I got it. Need to generate RSA keys for them to connect via SSH.
Thanks! Glad you're working.
Good stuff in the logs. I never leave home without..
ASKER
Do you kind of have a standard logging recommendation?
Steve
logging on
logging timestamp <-- also setup NTP to get accurate timestamps
logging buffered debugging
logging trap errors
logging history warnings
logging host inside <host IP>
logging host inside <alternate host IP>
no logging message 106011
no logging message 313001
If I need it during troubleshooting only:
logging monitor debugging
ASKER
Cool. Thanks again for your help.
try this command
pix(config)#ca generate rsa key 1024
pix(config)#wr mem
Should work.
View from "show ver"
What version OS?