Allow SSH and Deny Telnet to Cisco 501 PIX

I have a Cisco 501 Pix with a vpn tunnel to a 515 pix. I am trying to deny telnet access to the 501 for administrative purposes while still allowing telnet traffic to pass through the vpn tunnel. I would also like to turn on ssh for admin purposes to the 501. Current config follows:

ukpix# sho run              
: Saved      
PIX Version 6.2(2)                  
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password .XXXXX encrypted                                          
passwd .XXXXX encrypted                                
hostname ukpix              
domain-name .com                
no fixup protocol ftp 21                        
no fixup protocol http 80                        
no fixup protocol h323 h225 1720                                
no fixup protocol h323 ras 1718-1719                                    
no fixup protocol ils 389                        
no fixup protocol rsh 514                        
no fixup protocol rtsp 554                          
no fixup protocol smtp 25                        
no fixup protocol sqlnet 1521                            
no fixup protocol sip 5060                          
no fixup protocol skinny 2000                            
access-list acl_out permit icmp any any unreachable                                                  
access-list acl_out permit icmp any any time-exceeded                                                    
access-list acl_out permit icmp any any echo-reply                                                  
access-list acl_in permit ip any any                                    
access-list 101 permit ip                                                                              
no pager        
logging on          
logging console errors                      
logging monitor warnings                        
interface ethernet0 10baset                          
interface ethernet1 10full                          
mtu outside 1500                
mtu inside 1500              
ip address outside                          
ip address inside                                            
ip audit info action alarm                          
ip audit attack action alarm                            
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
global (outside) 1                                
nat (inside) 0 access-list 101                              
nat (inside) 1 0 0                                  
access-group acl_out in interface outside                                        
conduit permit tcp any any eq www                                
route outside 1                                              
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00                                                                            
p 0:30:00 sip_media 0:02:00                          
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
aaa-server LOCAL protocol local                              
aaa-server authinbound protocol radius                                      
http server enable                  
http inside                                    
http inside                                          
no snmp-server location                      
no snmp-server contact                      
snmp-server community xxxxxxxxx                                
no snmp-server enable traps                          
floodguard enable                
sysopt connection permit-ipsec                              
no sysopt route dnat
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac                                                          
crypto ipsec transform-set myset esp-des esp-sha-hmac                                                                      
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address 101
crypto map mymap 30 set peer
crypto map mymap 30 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 1000
telnet inside
telnet inside
telnet timeout 15
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
: end
Who is Participating?
SorensonConnect With a Mentor Commented:
First get SSH working:
If it hasn't been done already, you will need to generate an RSA key for the SSH sessions.
ca generate rsa key 1024
! once it completes
ca save all
! this will take a few seconds
! next define who can ssh
ssh inside  
! will allow 192.168.x.x on inside interface to ssh
Download putty.exe and from a 192.168.x.x address on the inside of the pix attempt to ssh to the pix.  Unless you specify a username / password pair, the default username for ssh is:  pix     and the password is your telnet password.

Once ssh is establed, to prevent telnet to the pix enter:
no telnet inside
no telnet inside

amymtateAuthor Commented:
I'm getting an "ERROR: unknown option <rsa>"

in response to the ca generate rsa key 1024 command
sho ver shows:
Cisco PIX Firewall Version 6.2(2)                          
Cisco PIX Device Manager Version 2.1(1)
That is strange.  The command goes back to 5.x.
what does the help say if you do
ca generate ?
Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

amymtateAuthor Commented:
Usage:  capture <capture-name> [access-list <acl-name>] [buffer <buf-size>]
                [ethernet-type <type>] [interface <if-name>]
                [packet-length <bytes>]
        clear capture <capture-name>
        no capture <capture-name> [access-list] [interface <if-name>]
        show capture [<capture-name> [access-list <acl-name>] [count <number>]
                     [detail] [dump]]
you need to go into the configuration mode, after the enable mode

at the # prompt, type:   config t   (enter)

then enter the commands above.

amymtateAuthor Commented:
That worked.  thanks for the quick help!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.