Asked by forumsviewer

PIX 501 - Telnet / SSH to configure remotely

We are sending off a PIX 501 Cisco router to one of our telecommuters in another state.  We want to be able to configure the VPN and other settings of that unit from here (because we don't know his IP address yet, since his new internet service is not installed).  So as of right now we can't configure the VPN on his unit.  We were thinking the best way of doing this is to telnet/SSH into his box once it is set up and he gives us the IP address.

How do you configure the box to open it up for telnet (or) SSH so that we can just point to his public IP address, reach the router, log in to it and make all changes?

PIX 501 unit running PIX Version 6.3(5).  We will set his local pix 501 unit as

Please see the attached code snippet below.  I don't believe this is the correct way of doing this though.  Please comment.  Thank you.

access-list outside_access_in permit tcp any any eq ssh
static (inside,outside) tcp (PUBLIC_IP) ssh ssh netmask 0 0


Tags: Software Firewalls, Cisco, Vulnerabilities

ddsteam:

SSH is definitely the safer option here.
Firstly, configuring SSH access to the 192.168 interface is fairly useless, since you will be required to use the public interface when you connect to it.

Once he has allocated a public address to the device, it can be configured as follows:

Enter Enable mode. (en)
Enter Configuration mode. (conf t)
Type the following:

ssh A.B.C.D outside
ssh 192.168.Y.Z inside

(I'm assuming you've named the outside and inside interfaces as such)

A.B.C.D will be the public address that you will be connecting FROM.
192.168.Y.Z will be a private address inside the network.

It's always best to limit SSH access to a specific host.
If you'd like to open it up to a bigger range, simply change the subnet mask as required.

It's also a good idea to set your SSH timeout. I think the default is 60 seconds but you can change this according to your own preferences.

ssh timeout 120
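The following is an added example, not configuration from the thread or from ddsteam, showing the full set of PIX 6.3 commands that the `ssh` lines above depend on, with the question's `access-list`/`static` approach replaced by the correct management-access commands. The hostname and domain name are assumed values; A.B.C.D and 192.168.Y.Z are the thread's placeholders; the password and username values are placeholders you must replace.

```cisco
! Added example (not from the original thread): minimal PIX 6.3(5) configuration
! for SSH management on the outside interface, limited to one admin source.
! Placeholders follow the thread: A.B.C.D = office public IP you connect FROM,
! 192.168.Y.Z = a trusted inside host. hostname/domain-name values are assumed.
!
! 1. SSH needs an RSA host key, and key generation needs a hostname and domain.
!    Without this step the PIX silently refuses SSH connections.
hostname remote-pix
domain-name example.com
ca generate rsa key 1024
ca save all
!
! 2. Permit SSH to the firewall ITSELF only from known sources. Traffic
!    addressed to the PIX's own interface is governed by the ssh command,
!    not by interface access-lists or static NAT, so the
!    "access-list outside_access_in permit tcp any any eq ssh" and
!    "static (inside,outside) tcp ... ssh ssh" lines from the question are
!    not needed here and should not be added.
ssh A.B.C.D 255.255.255.255 outside
ssh 192.168.Y.Z 255.255.255.255 inside
!
! 3. Idle timeout is in MINUTES, range 1 to 60 (default 5), so a value of
!    120 is rejected by the parser; 10 minutes is plenty for remote admin.
ssh timeout 10
!
! 4. Credentials. With no aaa statement, PIX 6.x logs SSH users in as the
!    built-in name "pix" with the Telnet password set by "passwd". A named
!    local account is preferable so logins are attributable.
passwd <telnet-password>
enable password <enable-password>
username admin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
!
! 5. Leave Telnet unconfigured on the outside interface; it is cleartext and
!    the PIX only allows it there inside an IPsec tunnel anyway.
!
write memory
!
! Verification from enable mode on the remote unit:
!   show ca mypubkey rsa    - confirms the RSA host key exists
!   show ssh                - lists permitted SSH sources and the timeout
!   show ssh sessions       - shows active SSH sessions
!   debug ssh               - traces each connection attempt and key exchange
! From the office, connect with a client that still speaks SSH-1/SSH-2 as the
! PIX 6.3 supports it, e.g. PuTTY, logging in as "admin" (or "pix" if no aaa
! line is configured) to E.F.G.H.
```

Order matters: generate and save the RSA key before testing, and add the `ssh A.B.C.D ... outside` line before the `aaa authentication ssh console LOCAL` line so you are never locked out with a user account that does not yet exist.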
forumsviewer:
ddsteam:  In testing right now, I have added the two SSH lines that you mentioned.  I have done the following:

ssh A.B.C.D outside
ssh 192.168.Y.Z inside

A.B.C.D is the public IP address that I am currently on (primary location, connecting FROM this IP).

I then wrote it to memory.

I then went into PuTTY, selected SSH, typed in E.F.G.H and hit Connect.  It never did connect to the secondary location.

E.F.G.H (secondary location PIX public ip address).

Suggestions?  Do I need any static routes or access lists for SSH for this to work?  Any way I can debug/diagnose SSH to see if it is seeing it and just blocking it?
ddsteam:

[reply not shown]
