Allow SSH and Deny Telnet to Cisco 501 PIX

Posted on 2007-04-04
Last Modified: 2007-12-19
I have a Cisco 501 Pix with a vpn tunnel to a 515 pix. I am trying to deny telnet access to the 501 for administrative purposes while still allowing telnet traffic to pass through the vpn tunnel. I would also like to turn on ssh for admin purposes to the 501. Current config follows:

ukpix# sho run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .XXXXX encrypted
passwd .XXXXX encrypted
hostname ukpix
domain-name .com
no fixup protocol ftp 21
no fixup protocol http 80
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
no fixup protocol ils 389
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any echo-reply
access-list acl_in permit ip any any
access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0
no pager
logging on
logging console errors
logging monitor warnings
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 194.xxx.xxx.70 255.255.255.252
ip address inside 192.168.7.20 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 192.xxx.xxx.70
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
conduit permit tcp any any eq www
route outside 0.0.0.0 0.0.0.0 194.xxx.xxx.69 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server authinbound protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.165 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address 101
crypto map mymap 30 set peer 63.xxx.xxx.1
crypto map mymap 30 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 63.xxx.xxx.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 15
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:35f6xxxxxxx
: end
ukpix#
Question by:amymtate
Accepted Solution

by: Sorenson earned 2000 total points
ID: 18849954
First get SSH working:
If it hasn't been done already, you will need to generate an RSA key for the SSH sessions.
!
ca generate rsa key 1024
! once it completes
ca save all
! this will take a few seconds
! next define who can ssh
ssh 192.168.0.0 255.255.0.0 inside
! will allow 192.168.x.x on inside interface to ssh
!
Download putty.exe and from a 192.168.x.x address on the inside of the pix attempt to ssh to the pix. Unless you specify a username / password pair, the default username for ssh is: pix and the password is your telnet password.

Once ssh is established, to prevent telnet to the pix enter:
!
no telnet 0.0.0.0 0.0.0.0 inside
no telnet 192.168.0.0 255.255.0.0 inside
!


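An added example, not part of the thread and not Cisco's or the poster's code: a small Python audit of PIX 6.x "show run" text that flags the management-access problem the accepted answer fixes (cleartext telnet permits, any-host source ranges, missing ssh permit) and emits the matching "no telnet ..." lines. It generalises the answer slightly by also flagging an ssh permit from 0.0.0.0 0.0.0.0; the two sample configs are constructed, modelled on the question's telnet/ssh lines.

```python
import re

# Constructed sample modelled on the question's 'show run': only the
# management-access lines are kept, not the poster's full config.
BEFORE = """\
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 15
ssh timeout 5
"""

# Constructed: the same device after the accepted answer is applied
# (telnet permits removed, ssh permit for 192.168.x.x added).
AFTER = """\
ssh 192.168.0.0 255.255.0.0 inside
telnet timeout 15
ssh timeout 5
"""

# PIX 6.x permit syntax: '<telnet|ssh> <ip> <mask> <interface>'.
# 'telnet timeout'/'ssh timeout' lines do not match this pattern.
PERMIT_RE = re.compile(
    r"^(telnet|ssh)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$"
)


def management_permits(config: str):
    """Return (protocol, ip, mask, interface) for every telnet/ssh permit line."""
    return [m.groups() for m in map(PERMIT_RE.match, config.splitlines()) if m]


def audit(config: str):
    """Flag cleartext telnet management, any-host sources, and absent ssh access."""
    permits = management_permits(config)
    findings = []
    for proto, ip, mask, iface in permits:
        if proto == "telnet":
            findings.append(f"telnet (cleartext) management allowed from {ip} {mask} on {iface}")
        if ip == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(f"{proto} management allowed from any host on {iface}")
    if not any(p == "ssh" for p, *_ in permits):
        findings.append("no ssh permit statement: ssh is not reachable from any interface")
    return findings


def telnet_removal_commands(config: str):
    """Build the 'no telnet ...' lines that undo each telnet permit, as in the answer."""
    return [f"no telnet {ip} {mask} {iface}"
            for proto, ip, mask, iface in management_permits(config) if proto == "telnet"]


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or ["clean"])
    print("\n".join(telnet_removal_commands(BEFORE)))
```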

Author Comment

by:amymtate
ID: 18850607
I'm getting an "ERROR: unknown option <rsa>"

in response to the ca generate rsa key 1024 command
sho ver shows:
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)

Expert Comment

by:Sorenson
ID: 18850672
That is strange. The command goes back to 5.x.
What does the help say if you do
!
ca generate ?
!

Author Comment

by:amymtate
ID: 18850764
Usage:  capture <capture-name> [access-list <acl-name>] [buffer <buf-size>]
                [ethernet-type <type>] [interface <if-name>]
                [packet-length <bytes>]
        clear capture <capture-name>
        no capture <capture-name> [access-list] [interface <if-name>]
        show capture [<capture-name> [access-list <acl-name>] [count <number>]
                     [detail] [dump]]

Expert Comment

by:Sorenson
ID: 18850896
OK. You need to go into configuration mode, after enable mode.

At the # prompt, type: config t (enter)

Then enter the commands above.

Author Comment

by:amymtate
ID: 18851098
That worked. Thanks for the quick help!