amymtate
asked on
Allow SSH and Deny Telnet to Cisco 501 PIX
I have a Cisco 501 PIX with a VPN tunnel to a 515 PIX. I am trying to deny Telnet access to the 501 for administrative purposes while still allowing Telnet traffic to pass through the VPN tunnel. I would also like to turn on SSH for admin purposes to the 501. Current config follows:
ukpix# sho run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .XXXXX encrypted
passwd .XXXXX encrypted
hostname ukpix
domain-name .com
no fixup protocol ftp 21
no fixup protocol http 80
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
no fixup protocol ils 389
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any echo-reply
access-list acl_in permit ip any any
access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0
no pager
logging on
logging console errors
logging monitor warnings
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 194.xxx.xxx.70 255.255.255.252
ip address inside 192.168.7.20 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 192.xxx.xxx.70
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
conduit permit tcp any any eq www
route outside 0.0.0.0 0.0.0.0 194.xxx.xxx.69 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server authinbound protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.165 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address 101
crypto map mymap 30 set peer 63.xxx.xxx.1
crypto map mymap 30 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 63.xxx.xxx.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 15
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:35f6xxxxxxx
: end
ukpix#
That is strange. The command goes back to 5.x.
What does the help say if you do
!
ca generate ?
!
ASKER
Usage: capture <capture-name> [access-list <acl-name>] [buffer <buf-size>]
[ethernet-type <type>] [interface <if-name>]
[packet-length <bytes>]
clear capture <capture-name>
no capture <capture-name> [access-list] [interface <if-name>]
show capture [<capture-name> [access-list <acl-name>] [count <number>]
[detail] [dump]]
ok
you need to go into the configuration mode, after the enable mode
at the # prompt, type: config t (enter)
then enter the commands above.
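The accepted solution is not visible on this page, so the following is an added worked example of the PIX 6.2 command sequence that answers the question; it is not the expert's posted commands and not Cisco documentation. It assumes the firewall's real domain name in place of the placeholder example.com, that administrators sit on the inside network 192.168.7.0/24 (the asker's own telnet line was wider, 192.168.0.0/16, and the same mask can be used for ssh if admins on the far side of the tunnel, 192.168.10.0/24, must reach the box), and lines beginning with ":" are annotations, following the comment style of the saved config. The point that matters for the asker's tunnel: the telnet and ssh commands only govern sessions to the PIX's own console, so removing the telnet permits leaves Telnet between 192.168.7.0/24 and 192.168.10.0/24, which matches access-list 101, crossing the tunnel untouched.

```cisco
ukpix# configure terminal
: hostname and domain-name must both be set before the RSA key can be generated
: (example.com is a placeholder for the firewall's real domain)
ukpix(config)# hostname ukpix
ukpix(config)# domain-name example.com
: generate the SSH server host key and persist it (write memory alone does not save it);
: PIX 6.2 only speaks SSH version 1
ukpix(config)# ca generate rsa key 1024
ukpix(config)# ca save all
: permit SSH to the inside interface from the management subnet only (assumed scope)
ukpix(config)# ssh 192.168.7.0 255.255.255.0 inside
ukpix(config)# ssh timeout 5
: remove both Telnet-to-firewall permits; transit Telnet over the VPN is unaffected
ukpix(config)# no telnet 0.0.0.0 0.0.0.0 inside
ukpix(config)# no telnet 192.168.0.0 255.255.0.0 inside
ukpix(config)# exit
ukpix# write memory
: verify: key present, SSH hosts listed, no Telnet hosts left
ukpix# show ca mypubkey rsa
ukpix# show ssh
ukpix# show telnet
ukpix# show ssh sessions
```

Two things to check after applying this: the "ca generate" command only exists in configuration mode, which is why typing it at the # prompt matched the capture command in the asker's help output; and on PIX 6.x an SSH login without AAA uses the username pix and the Telnet password set by the passwd command, so that password is now the SSH credential and should not be left at a default. If the telnet lines are removed before SSH is confirmed working from the console or a serial connection, remote management is lost until it is.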
ASKER
That worked. thanks for the quick help!
ASKER
In response to the ca generate rsa key 1024 command,
sho ver shows:
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)