forumsviewer

ASKER

PIX 501 - Telnet / SSH to configure remotely

We are sending off a PIX 501 Cisco router to one of our telecommuters in another state.  We want to be able to configure the VPN and other settings of that unit from here (because we don't know his IP address yet; his upgraded internet connection is not installed).  So as of right now we can't configure the VPN on his unit.  We were thinking the best way of doing this is to telnet/SSH into his box once it is set up and he gives us the IP address.

How do you configure the box to open up for telnet or SSH so that we can just point to his public IP address, reach the router, log in to the router and make all changes?

PIX 501 unit running PIX Version 6.3(5).  We will set his local PIX 501 unit as 192.168.55.1.

Please see the attached code snippet below.  I don't believe this is the correct way of doing this though.  Please comment.  Thank you.

access-list outside_access_in permit tcp any any eq ssh
 
static (inside,outside) tcp (PUBLIC_IP) ssh 192.168.55.1 ssh netmask 255.255.255.255 0 0



ddsteam

SSH is definitely the safer option here.
Firstly, configuring SSH access to the 192.168 interface is fairly useless, since you will be required to use the public interface when you connect to it.

Once he has allocated a public address to the device, it can be configured as follows:

Enter Enable mode. (en)
Enter Configuration mode. (conf t)
Type the following:

ssh A.B.C.D 255.255.255.255 outside
ssh 192.168.Y.Z 255.255.255.255 inside


(I'm assuming you've named the outside and inside interfaces as such)

A.B.C.D will be the public address that you will be connecting FROM.
192.168.Y.Z will be a private address inside the network.

It's always best to limit SSH access to a specific host.
If you'd like to open it up to a bigger range, simply change the subnet mask as required.

It's also a good idea to set your SSH timeout. I think the default is 60 seconds but you can change this according to your own preferences.

Command:

ssh timeout 120
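Putting the steps above together with the pieces a PIX 6.3(5) needs before the ssh lines take effect, as an added example that is not part of the original thread or of ddsteam's answer. The hostname, domain name and addresses (203.0.113.10 for the site you connect FROM, 192.168.55.0/24 for the remote LAN, matching the asker's 192.168.55.1 inside address) are assumptions; lines starting with ":" are comments and are ignored by the PIX. The access-list and static from the question are not needed: SSH terminates on the PIX's own outside interface address rather than being forwarded through the firewall, and which sources may reach it is governed by the ssh lines alone.

```cisco
: Added example (not from the thread). Addresses, hostname and domain are assumptions.
:   203.0.113.10    = the admin site's public IP, the address you connect FROM (A.B.C.D)
:   192.168.55.0/24 = the telecommuter's LAN behind the remote PIX
: Enter from configuration mode (enable, then configure terminal).

: 1. SSH needs an RSA host key, and key generation needs a hostname and domain name first.
hostname remote-pix
domain-name example.com
ca generate rsa key 1024
: Write the key to flash, otherwise it is lost on the next reload and SSH stops working.
ca save all

: 2. Allow SSH to the PIX's own interfaces. Limit the outside entry to the one admin host.
ssh 203.0.113.10 255.255.255.255 outside
ssh 192.168.55.0 255.255.255.0 inside
: Idle timeout in minutes (1-60); the default is 5.
ssh timeout 30

: 3. SSH logs in as the fixed user "pix" with the Telnet/console password, so it must be strong.
:    Telnet itself cannot be enabled on the outside interface in 6.3 unless the session is
:    IPsec-protected, which is why SSH is the option that fits this use case.
passwd <strong-login-password>
enable password <strong-enable-password>

: 4. Save and confirm the key exists before shipping the box.
write memory
show ca mypubkey rsa
```

A practical caveat: SSH on PIX 6.3 requires the DES or 3DES feature to be licensed (the VPN-DES line in show version should read Enabled), and the image only speaks SSH protocol version 1, so the client has to be willing to negotiate SSH-1.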
forumsviewer

ASKER

ddsteam:  In testing right now, I have added the two SSH lines that you mentioned.  I have done the following:

ssh A.B.C.D 255.255.255.255 outside
ssh 192.168.Y.Z 255.255.255.0 inside

A.B.C.D is the public IP address that I am currently on (primary location, connecting FROM this IP).

I then wrote it to memory.

I then went into PuTTY, selected SSH, typed in E.F.G.H and connected.  It never did connect to the secondary location.

E.F.G.H (secondary location PIX public ip address).

Suggestions?  Do I need any static routes or access lists for SSH for this to work?  Any way I can debug/diagnose SSH to see if it is seeing it and just blocking it?
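A checklist for the failure described in the post above (PuTTY to E.F.G.H never completing), written as an added example; it is not from the thread and not the text of the accepted answer, which is not shown on this page. It is run on the remote PIX itself, from the console or from a host on its inside LAN, in privileged mode, and contains no addresses specific to the asker's setup. Lines starting with ":" are comments.

```cisco
: Added example (not from the thread). Run in privileged mode on the remote PIX 6.3.

: (a) Is there an RSA host key? Without one the PIX drops SSH connections; the ssh
:     allow lines alone are not enough. Empty output here means "ca generate rsa key"
:     and "ca save all" were never run (or the key was not saved before a reload).
show ca mypubkey rsa

: (b) Is DES or 3DES licensed? SSH needs one of them; look for VPN-DES / VPN-3DES-AES: Enabled.
show version

: (c) Are the allow entries on the right interface, with a mask that covers the client?
:     The outside entry must match the address you connect FROM as the PIX sees it,
:     which is the public address of your site's NAT, not a LAN address.
write terminal

: (d) Do connections arrive at all? An established session shows up here; an empty
:     table while PuTTY is retrying means TCP/22 is not reaching the outside interface.
:     If E.F.G.H belongs to an upstream modem/router rather than the PIX outside
:     interface, that device must forward TCP/22 to the PIX.
show ssh sessions

: (e) Watch one attempt live, then turn the debug off.
debug ssh
no debug ssh
```

Two client-side points belong on the same checklist: PIX 6.3 supports SSH protocol version 1 only, so PuTTY must be configured to allow SSH-1 for this host, and the login is the fixed user "pix" with the Telnet password, not the enable password.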
ASKER CERTIFIED SOLUTION
ddsteam