?
Solved

Allow SSH and Deny Telnet to Cisco 501 PIX

Posted on 2007-04-04
6
Medium Priority
?
916 Views
Last Modified: 2007-12-19
I have a Cisco 501 Pix with a vpn tunnel to a 515 pix. I am trying to deny telnet access to the 501 for administrative purposes while still allowing telnet traffic to pass through the vpn tunnel. I would also like to turn on ssh for admin purposes to the 501. Current config follows:

ukpix# sho run              
: Saved      
:
PIX Version 6.2(2)                  
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password .XXXXX encrypted                                          
passwd .XXXXX encrypted                                
hostname ukpix              
domain-name .com                
no fixup protocol ftp 21                        
no fixup protocol http 80                        
no fixup protocol h323 h225 1720                                
no fixup protocol h323 ras 1718-1719                                    
no fixup protocol ils 389                        
no fixup protocol rsh 514                        
no fixup protocol rtsp 554                          
no fixup protocol smtp 25                        
no fixup protocol sqlnet 1521                            
no fixup protocol sip 5060                          
no fixup protocol skinny 2000                            
names    
access-list acl_out permit icmp any any unreachable                                                  
access-list acl_out permit icmp any any time-exceeded                                                    
access-list acl_out permit icmp any any echo-reply                                                  
access-list acl_in permit ip any any                                    
access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0                                                                              
no pager        
logging on          
logging console errors                      
logging monitor warnings                        
interface ethernet0 10baset                          
interface ethernet1 10full                          
mtu outside 1500                
mtu inside 1500              
ip address outside 194.xxx.xxx.70 255.255.255.252                          
ip address inside 192.168.7.20 255.255.255.0                                            
ip audit info action alarm                          
ip audit attack action alarm                            
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
global (outside) 1 192.xxx.xxx.70                                
nat (inside) 0 access-list 101                              
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                  
access-group acl_out in interface outside                                        
conduit permit tcp any any eq www                                
route outside 0.0.0.0 0.0.0.0 194.xxx.xxx.69 1                                              
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00                                                                            
p 0:30:00 sip_media 0:02:00                          
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
aaa-server LOCAL protocol local                              
aaa-server authinbound protocol radius                                      
http server enable                  
http 192.168.1.0 255.255.255.0 inside                                    
http 192.168.10.165 255.255.255.255 inside                                          
no snmp-server location                      
no snmp-server contact                      
snmp-server community xxxxxxxxx                                
no snmp-server enable traps                          
floodguard enable                
sysopt connection permit-ipsec                              
no sysopt route dnat
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac                                                          
crypto ipsec transform-set myset esp-des esp-sha-hmac                                                                      
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address 101
crypto map mymap 30 set peer 63.xxx.xxx.1
crypto map mymap 30 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 63.xxx.xxx.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 15
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:35f6xxxxxxx
: end
ukpix#
0
Comment
Question by:amymtate
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 10

Accepted Solution

by:
Sorenson earned 2000 total points
ID: 18849954
First get SSH working:
If it hasn't been done already, you will need to generate an RSA key for the SSH sessions.
!
ca generate rsa key 1024
! once it completes
ca save all
! this will take a few seconds
! next define who can ssh
ssh 192.168.0.0 255.255.0.0 inside  
! will allow 192.168.x.x on inside interface to ssh
!
Download putty.exe and from a 192.168.x.x address on the inside of the pix attempt to ssh to the pix.  Unless you specify a username / password pair, the default username for ssh is:  pix     and the password is your telnet password.

Once ssh is establed, to prevent telnet to the pix enter:
!
no telnet 0.0.0.0 0.0.0.0 inside
no telnet 192.168.0.0 255.255.0.0 inside
!


0
 

Author Comment

by:amymtate
ID: 18850607
I'm getting an "ERROR: unknown option <rsa>"

in response to the ca generate rsa key 1024 command
sho ver shows:
Cisco PIX Firewall Version 6.2(2)                          
Cisco PIX Device Manager Version 2.1(1)
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18850672
That is strange.  The command goes back to 5.x.
what does the help say if you do
!
ca generate ?
!
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:amymtate
ID: 18850764
Usage:  capture <capture-name> [access-list <acl-name>] [buffer <buf-size>]
                [ethernet-type <type>] [interface <if-name>]
                [packet-length <bytes>]
        clear capture <capture-name>
        no capture <capture-name> [access-list] [interface <if-name>]
        show capture [<capture-name> [access-list <acl-name>] [count <number>]
                     [detail] [dump]]
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18850896
ok
you need to go into the configuration mode, after the enable mode

at the # prompt, type:   config t   (enter)

then enter the commands above.

0
 

Author Comment

by:amymtate
ID: 18851098
That worked.  thanks for the quick help!
0

Featured Post

Enroll in August's Course of the Month

August's CompTIA IT Fundamentals course includes 19 hours of basic computer principle modules and prepares you for the certification exam. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question