Solved

PIX SSH

Posted on 2004-04-07
11
3,338 Views
Last Modified: 2013-11-16
I am having an issue with Cisco PIX and consistency in SSH.  I have multiple 506E remote sites and a HQ 515E PIX.  I support them from home sometimes.  I recently added a statement to all of them to allow SSH access.

ssh myip mysubnet outside

The HQ and a remote work, but one remote does not let me connect.

PuTTY log excerpts below.
-------------------------------
Event Log: Writing new session log (SSH packets mode) to file: putty.log
Event Log: Looking up host "XX.XX.XX.XX"
Event Log: Connecting to XX.XX.XX.XX port 22
Event Log: Server version: SSH-1.5-Cisco-1.25
Event Log: We believe remote version has SSH1 ignore bug
Event Log: We believe remote version needs a plain SSH1 password
Event Log: We believe remote version can't handle RSA authentication
Event Log: We claim version: SSH-1.5-PuTTY-Release-0.53b
Event Log: Using SSH protocol version 1
Incoming packet type 2 / 0x02 (SSH1_SMSG_PUBLIC_KEY)

Steve
0
Comment
Question by:smeek
11 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10776228
Does that particular PIX have DES enabled?

View from "show ver"

What version OS?
0
 
LVL 8

Author Comment

by:smeek
ID: 10776294
I updated it last week to newest build and added statement today.  It looks like DES is enabled.  See SH VER below.

Cisco PIX Firewall Version 6.3(3)124
Cisco PIX Device Manager Version 3.0(1)

Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 10776319
Hmmmm.....
Any log entries from the PIX side?
0
 
LVL 8

Author Comment

by:smeek
ID: 10776508
I don't have logging enabled at remote properties.  Any particular level you'd recommend?

Steve
0
 
LVL 8

Author Comment

by:smeek
ID: 10776730
710001: TCP access requested from 88.88.88.88/2332 to outside:24.24.24.24/ssh
710002: TCP access permitted from 88.88.88.88/2332 to outside:24.24.24.24/ssh
315004: Fail to establish SSH session because PIX RSA host key retrieval failed.
315011: SSH session from 0.0.0.0 on interface outside for user "" disconnected by SSH server, reason: "Internal error" (0x00)
305012: Teardown dynamic TCP translation from inside:10.10.10.61/4757 to outside:24.24.24.24/21164 duration 0:00:31
302014: Teardown TCP connection 28957 for outside:66.151.115.160/8200 to inside:10.10.10.61/4761 duration 0:00:13 bytes 210 TCP FINs
305011: Built dynamic TCP translation from inside:10.10.10.61/4763 to outside:24.153.243.114/21170
0
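As an added example (not part of the thread), a small Python parser for PIX syslog lines in the shape posted above; it flags the 315004/315011 pair that points at a missing RSA host key and lists which sources were permitted to reach the SSH port. The sample lines are constructed to match the excerpt, with the wrapped lines rejoined.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same shape as the excerpt above (message id, colon, text).
SAMPLE_LOG = """\
710001: TCP access requested from 88.88.88.88/2332 to outside:24.24.24.24/ssh
710002: TCP access permitted from 88.88.88.88/2332 to outside:24.24.24.24/ssh
315004: Fail to establish SSH session because PIX RSA host key retrieval failed.
315011: SSH session from 0.0.0.0 on interface outside for user "" disconnected by SSH server, reason: "Internal error" (0x00)
302014: Teardown TCP connection 28957 for outside:66.151.115.160/8200 to inside:10.10.10.61/4761 duration 0:00:13 bytes 210 TCP FINs
"""

# Accept both the bare 'NNNNNN: text' form shown in the thread and the '%PIX-n-NNNNNN:' syslog form.
LINE_RE = re.compile(r"^(?:%PIX-\d-)?(?P<id>\d{6}):\s*(?P<text>.*)$")
ACCESS_RE = re.compile(r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\w+)")

SSH_KEY_MISSING = "315004"   # RSA host key retrieval failed
SSH_DISCONNECT = "315011"    # server dropped the session

@dataclass
class Event:
    msg_id: str
    text: str

def parse_pix_log(text):
    """Parse PIX syslog lines; lines that don't match (e.g. stray wrapped fragments) are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(Event(m.group("id"), m.group("text")))
    return events

def ssh_findings(events):
    """Return (msg_id, finding) pairs for SSH failures seen in the log."""
    findings = []
    for e in events:
        if e.msg_id == SSH_KEY_MISSING:
            findings.append((e.msg_id, "no RSA host key on the PIX: run 'ca generate rsa key' and 'wr mem'"))
        elif e.msg_id == SSH_DISCONNECT and "Internal error" in e.text:
            findings.append((e.msg_id, "SSH server aborted the session before authentication"))
    return findings

def ssh_access_sources(events):
    """Sorted source addresses that were permitted (710002) to reach the ssh port."""
    srcs = set()
    for e in events:
        if e.msg_id == "710002":
            m = ACCESS_RE.search(e.text)
            if m and m.group("dport") == "ssh":
                srcs.add(m.group("src"))
    return sorted(srcs)
```

Running the finder over a buffered log (`show logging`) from a remote PIX gives a quick answer to whether an SSH failure is the host-key problem from this thread or something else.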
 
LVL 8

Author Comment

by:smeek
ID: 10776823
OK.  I got it.  Need to generate RSA keys for them to connect via SSH.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10777343
Thanks! Glad you're working.
Good stuff in the logs. I never leave home without..
0
 
LVL 8

Author Comment

by:smeek
ID: 10777396
Do you kind of have a standard logging recommendation?

Steve
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10777445
logging on
logging timestamp <-- also setup NTP to get accurate timestamps
logging buffered debugging
logging trap errors
logging history warnings
logging host inside <host IP>
logging host inside <alternate host IP>
no logging message 106011
no logging message 313001

If I need it during troubleshooting only:
logging monitor debugging


0
 
LVL 8

Author Comment

by:smeek
ID: 10777494
Cool.  Thanks again for your help.
0
 
LVL 1

Expert Comment

by:ambarishsen
ID: 10806039
Try this command:

pix(config)#ca generate rsa key 1024
pix(config)#wr mem


Should work ............
0
