Solved

Allow SSH and Deny Telnet to Cisco 501 PIX

Posted on 2007-04-04
6
880 Views
Last Modified: 2007-12-19
I have a Cisco 501 Pix with a vpn tunnel to a 515 pix. I am trying to deny telnet access to the 501 for administrative purposes while still allowing telnet traffic to pass through the vpn tunnel. I would also like to turn on ssh for admin purposes to the 501. Current config follows:

ukpix# sho run              
: Saved      
:
PIX Version 6.2(2)                  
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password .XXXXX encrypted                                          
passwd .XXXXX encrypted                                
hostname ukpix              
domain-name .com                
no fixup protocol ftp 21                        
no fixup protocol http 80                        
no fixup protocol h323 h225 1720                                
no fixup protocol h323 ras 1718-1719                                    
no fixup protocol ils 389                        
no fixup protocol rsh 514                        
no fixup protocol rtsp 554                          
no fixup protocol smtp 25                        
no fixup protocol sqlnet 1521                            
no fixup protocol sip 5060                          
no fixup protocol skinny 2000                            
names    
access-list acl_out permit icmp any any unreachable                                                  
access-list acl_out permit icmp any any time-exceeded                                                    
access-list acl_out permit icmp any any echo-reply                                                  
access-list acl_in permit ip any any                                    
access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0                                                                              
no pager        
logging on          
logging console errors                      
logging monitor warnings                        
interface ethernet0 10baset                          
interface ethernet1 10full                          
mtu outside 1500                
mtu inside 1500              
ip address outside 194.xxx.xxx.70 255.255.255.252                          
ip address inside 192.168.7.20 255.255.255.0                                            
ip audit info action alarm                          
ip audit attack action alarm                            
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
global (outside) 1 192.xxx.xxx.70                                
nat (inside) 0 access-list 101                              
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                  
access-group acl_out in interface outside                                        
conduit permit tcp any any eq www                                
route outside 0.0.0.0 0.0.0.0 194.xxx.xxx.69 1                                              
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00                                                                            
p 0:30:00 sip_media 0:02:00                          
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
aaa-server LOCAL protocol local                              
aaa-server authinbound protocol radius                                      
http server enable                  
http 192.168.1.0 255.255.255.0 inside                                    
http 192.168.10.165 255.255.255.255 inside                                          
no snmp-server location                      
no snmp-server contact                      
snmp-server community xxxxxxxxx                                
no snmp-server enable traps                          
floodguard enable                
sysopt connection permit-ipsec                              
no sysopt route dnat
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac                                                          
crypto ipsec transform-set myset esp-des esp-sha-hmac                                                                      
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address 101
crypto map mymap 30 set peer 63.xxx.xxx.1
crypto map mymap 30 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 63.xxx.xxx.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 15
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:35f6xxxxxxx
: end
ukpix#
0
Comment
Question by:amymtate
  • 3
  • 3
6 Comments
 
LVL 10

Accepted Solution

by:
Sorenson earned 500 total points
Comment Utility
First get SSH working:
If it hasn't been done already, you will need to generate an RSA key for the SSH sessions.
!
ca generate rsa key 1024
! once it completes
ca save all
! this will take a few seconds
! next define who can ssh
ssh 192.168.0.0 255.255.0.0 inside  
! will allow 192.168.x.x on inside interface to ssh
!
Download putty.exe and from a 192.168.x.x address on the inside of the pix attempt to ssh to the pix.  Unless you specify a username / password pair, the default username for ssh is:  pix     and the password is your telnet password.

Once ssh is establed, to prevent telnet to the pix enter:
!
no telnet 0.0.0.0 0.0.0.0 inside
no telnet 192.168.0.0 255.255.0.0 inside
!


0
 

Author Comment

by:amymtate
Comment Utility
I'm getting an "ERROR: unknown option <rsa>"

in response to the ca generate rsa key 1024 command
sho ver shows:
Cisco PIX Firewall Version 6.2(2)                          
Cisco PIX Device Manager Version 2.1(1)
0
 
LVL 10

Expert Comment

by:Sorenson
Comment Utility
That is strange.  The command goes back to 5.x.
what does the help say if you do
!
ca generate ?
!
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 

Author Comment

by:amymtate
Comment Utility
Usage:  capture <capture-name> [access-list <acl-name>] [buffer <buf-size>]
                [ethernet-type <type>] [interface <if-name>]
                [packet-length <bytes>]
        clear capture <capture-name>
        no capture <capture-name> [access-list] [interface <if-name>]
        show capture [<capture-name> [access-list <acl-name>] [count <number>]
                     [detail] [dump]]
0
 
LVL 10

Expert Comment

by:Sorenson
Comment Utility
ok
you need to go into the configuration mode, after the enable mode

at the # prompt, type:   config t   (enter)

then enter the commands above.

0
 

Author Comment

by:amymtate
Comment Utility
That worked.  thanks for the quick help!
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now