Cisco PIX 501 won't allow SSH

Posted on 2009-05-09
Last Modified: 2012-05-06
Our non-profit has a small network of clients that use our access to the Internet and we use the PIX to segregate their network from ours. All is working except I cannot SSH into the PIX device. I believe the necessary statements are in place but I can't log into it. (PuTTY) SSH rejects my login but I'm certain I'm using the correct username and password. I can't see anything in my log either that would point out the problem; perhaps the logging isn't set up correctly either. Any suggestions would be most helpful as I've spent a lot of time looking at the configuration and Internet postings. I'm trying to SSH in from a PC on the 172.16.2.x network (directly attached to the PIX outside network). Thank you.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aDU/SenosGi/7GR2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Ph1ier
domain-name xxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name ComputerCenter
name VineStreet
name Vonlouhr
name IntakeOffice
name HaddOffice
name Internet
name Sulley
name AP
name gateway
object-group network AA
  network-object VineStreet
  network-object ComputerCenter
  network-object IntakeOffice
  network-object HaddOffice
  network-object Vonlouhr
object-group network AllowedACHA
  network-object Sulley
access-list inside_access_in permit icmp any host
access-list inside_access_in permit ip any host
access-list inside_access_in permit ip any host Sulley
access-list inside_access_in deny ip any object-group AA
access-list inside_access_in permit ip any any
access-list outside_access permit ip any object-group AA
pager lines 24
logging timestamp
logging console debugging
logging buffered debugging
logging history debugging
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location Vonlouhr outside
pdm location ComputerCenter outside
pdm location IntakeOffice outside
pdm location VineStreet outside
pdm location HaddOffice outside
pdm location outside
pdm location Internet outside
pdm location Sulley outside
pdm location inside
pdm location outside
pdm location outside
pdm location outside
pdm location AP inside
pdm location outside
pdm group AA outside
pdm group AllowedACHA outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group outside_access in interface outside
access-group inside_access_in in interface inside
rip inside default version 1
route outside gateway 1
route inside AP 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Vonlouhr outside
http ComputerCenter outside
snmp-server host outside
snmp-server location hereio
snmp-server contact Glenjamin
snmp-server community xxxx
snmp-server enable traps
floodguard enable
telnet Vonlouhr outside
telnet ComputerCenter outside
telnet timeout 5
ssh Vonlouhr outside
ssh ComputerCenter outside
ssh timeout 30
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username administrator password Y.BiSvM.RMx5AQYI encrypted privilege 15
terminal width 80
: end



Question by: ejefferson213

Accepted Solution

lrmoore earned 500 total points
ID: 24346509
Try using "pix" for the username and the enable password?

Author Closing Comment

ID: 31579802
That was it. Thank you very much.  Strange that you don't see it in the configuration; guess it's built in.  
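
The posted config has `ssh` access entries and a `username administrator` account, but no `aaa authentication ssh console` line binding SSH logins to an AAA server group, which is why the working login is not visible in it. The following is an added example, not part of the original thread: a small Python check for that gap in a PIX 6.x config, generalized to `telnet` and `http` as well. `SAMPLE_CONFIG` is constructed from lines of the posted config, with the password hash replaced by a placeholder.

```python
# Constructed sample: management-plane lines taken from the posted config.
# "<hash>" is a placeholder, not a real value.
SAMPLE_CONFIG = """\
aaa-server LOCAL protocol local
http server enable
http Vonlouhr outside
telnet Vonlouhr outside
telnet timeout 5
ssh Vonlouhr outside
ssh ComputerCenter outside
ssh timeout 30
username administrator password <hash> encrypted privilege 15
"""

MGMT_PROTOCOLS = ("ssh", "telnet", "http")
# Second words that mark a setting rather than an allowed-host entry.
NON_ACCESS_KEYWORDS = {"timeout", "server"}


def audit_console_auth(config: str) -> dict:
    """Find management protocols that have allowed-host entries but no
    'aaa authentication <proto> console <group>' line."""
    allowed = {p: [] for p in MGMT_PROTOCOLS}  # proto -> [(host, interface)]
    aaa_bound = {}                             # proto -> AAA server group
    local_users = []
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if (words[0] in MGMT_PROTOCOLS and len(words) >= 3
                and words[1] not in NON_ACCESS_KEYWORDS):
            allowed[words[0]].append((words[1], words[-1]))
        elif (words[:2] == ["aaa", "authentication"] and len(words) >= 5
                and words[3] == "console"):
            aaa_bound[words[2]] = words[4]
        elif words[0] == "username" and len(words) >= 2:
            local_users.append(words[1])
    # Reachable protocols whose logins never consult the username database.
    unbound = [p for p in MGMT_PROTOCOLS if allowed[p] and p not in aaa_bound]
    return {"allowed": allowed, "aaa_bound": aaa_bound,
            "unbound": unbound, "local_users": local_users}


if __name__ == "__main__":
    report = audit_console_auth(SAMPLE_CONFIG)
    for proto in report["unbound"]:
        print(f"{proto}: hosts {report['allowed'][proto]} allowed, "
              f"no AAA console binding; local users {report['local_users']} unused")
```

On the sample this reports `ssh`, `telnet` and `http` as unbound; adding `aaa authentication ssh console LOCAL` to the config removes `ssh` from the list.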
