Allow SSH and Deny Telnet to Cisco 501 PIX

Posted on 2007-04-04
Last Modified: 2007-12-19
I have a Cisco 501 Pix with a vpn tunnel to a 515 pix. I am trying to deny telnet access to the 501 for administrative purposes while still allowing telnet traffic to pass through the vpn tunnel. I would also like to turn on ssh for admin purposes to the 501. Current config follows:

ukpix# sho run              
: Saved      
PIX Version 6.2(2)                  
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password .XXXXX encrypted                                          
passwd .XXXXX encrypted                                
hostname ukpix              
domain-name .com                
no fixup protocol ftp 21                        
no fixup protocol http 80                        
no fixup protocol h323 h225 1720                                
no fixup protocol h323 ras 1718-1719                                    
no fixup protocol ils 389                        
no fixup protocol rsh 514                        
no fixup protocol rtsp 554                          
no fixup protocol smtp 25                        
no fixup protocol sqlnet 1521                            
no fixup protocol sip 5060                          
no fixup protocol skinny 2000                            
access-list acl_out permit icmp any any unreachable                                                  
access-list acl_out permit icmp any any time-exceeded                                                    
access-list acl_out permit icmp any any echo-reply                                                  
access-list acl_in permit ip any any                                    
access-list 101 permit ip                                                                              
no pager        
logging on          
logging console errors                      
logging monitor warnings                        
interface ethernet0 10baset                          
interface ethernet1 10full                          
mtu outside 1500                
mtu inside 1500              
ip address outside                          
ip address inside                                            
ip audit info action alarm                          
ip audit attack action alarm                            
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
global (outside) 1                                
nat (inside) 0 access-list 101                              
nat (inside) 1 0 0                                  
access-group acl_out in interface outside                                        
conduit permit tcp any any eq www                                
route outside 1                                              
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00                                                                            
p 0:30:00 sip_media 0:02:00                          
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
aaa-server LOCAL protocol local                              
aaa-server authinbound protocol radius                                      
http server enable                  
http inside                                    
http inside                                          
no snmp-server location                      
no snmp-server contact                      
snmp-server community xxxxxxxxx                                
no snmp-server enable traps                          
floodguard enable                
sysopt connection permit-ipsec                              
no sysopt route dnat
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac                                                          
crypto ipsec transform-set myset esp-des esp-sha-hmac                                                                      
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address 101
crypto map mymap 30 set peer
crypto map mymap 30 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 1000
telnet inside
telnet inside
telnet timeout 15
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
: end
Question by:amymtate
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 10

Accepted Solution

Sorenson earned 500 total points
ID: 18849954
First get SSH working:
If it hasn't been done already, you will need to generate an RSA key for the SSH sessions.
ca generate rsa key 1024
! once it completes
ca save all
! this will take a few seconds
! next define who can ssh
ssh inside  
! will allow 192.168.x.x on inside interface to ssh
Download putty.exe and from a 192.168.x.x address on the inside of the pix attempt to ssh to the pix.  Unless you specify a username / password pair, the default username for ssh is:  pix     and the password is your telnet password.

Once ssh is establed, to prevent telnet to the pix enter:
no telnet inside
no telnet inside


Author Comment

ID: 18850607
I'm getting an "ERROR: unknown option <rsa>"

in response to the ca generate rsa key 1024 command
sho ver shows:
Cisco PIX Firewall Version 6.2(2)                          
Cisco PIX Device Manager Version 2.1(1)
LVL 10

Expert Comment

ID: 18850672
That is strange.  The command goes back to 5.x.
what does the help say if you do
ca generate ?
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 18850764
Usage:  capture <capture-name> [access-list <acl-name>] [buffer <buf-size>]
                [ethernet-type <type>] [interface <if-name>]
                [packet-length <bytes>]
        clear capture <capture-name>
        no capture <capture-name> [access-list] [interface <if-name>]
        show capture [<capture-name> [access-list <acl-name>] [count <number>]
                     [detail] [dump]]
LVL 10

Expert Comment

ID: 18850896
you need to go into the configuration mode, after the enable mode

at the # prompt, type:   config t   (enter)

then enter the commands above.


Author Comment

ID: 18851098
That worked.  thanks for the quick help!

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question