Solved

Cisco PIX 501 won't allow SSH

Posted on 2009-05-09
Last Modified: 2012-05-06
Our non-profit has a small network of clients that use our access to the Internet and we use the PIX to segregate their network from ours. All is working except I cannot SSH into the PIX device. I believe the necessary statements are in place but I can't log into it. (PuTTY) SSH rejects my login but I'm certain I'm using the correct username and password. I can't see anything in my log either that would point out the problem; perhaps the logging isn't set up correctly either. Any suggestions would be most helpful as I've spent a lot of time looking at the configuration and Internet postings. I'm trying to SSH in from a PC on the 172.16.2.x network (directly attached to the PIX outside network). Thank you.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aDU/SenosGi/7GR2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Ph1ier
domain-name xxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.3.0 ComputerCenter
name 172.16.5.0 VineStreet
name 172.16.2.0 Vonlouhr
name 172.16.4.0 IntakeOffice
name 172.16.6.0 HaddOffice
name 1.1.1.1 Internet
name 172.16.2.3 Sulley
name 192.168.1.6 AP
name 172.16.2.18 gateway
object-group network AA
  network-object VineStreet 255.255.255.0
  network-object ComputerCenter 255.255.255.0
  network-object IntakeOffice 255.255.255.0
  network-object HaddOffice 255.255.255.0
  network-object Vonlouhr 255.255.255.0
object-group network AllowedACHA
  network-object Sulley 255.255.255.255
access-list inside_access_in permit icmp any host 172.16.2.1
access-list inside_access_in permit ip any host 172.16.2.1
access-list inside_access_in permit ip any host Sulley
access-list inside_access_in deny ip any object-group AA
access-list inside_access_in permit ip any any
access-list outside_access permit ip any object-group AA
pager lines 24
logging timestamp
logging console debugging
logging buffered debugging
logging history debugging
mtu outside 1500
mtu inside 1500
ip address outside 172.16.2.12 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Vonlouhr 255.255.255.0 outside
pdm location ComputerCenter 255.255.255.0 outside
pdm location IntakeOffice 255.255.255.0 outside
pdm location VineStreet 255.255.255.0 outside
pdm location HaddOffice 255.255.255.0 outside
pdm location 172.16.2.1 255.255.255.255 outside
pdm location Internet 255.255.255.255 outside
pdm location Sulley 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 172.16.2.13 255.255.255.255 outside
pdm location AP 255.255.255.255 inside
pdm location 172.16.2.4 255.255.255.255 outside
pdm group AA outside
pdm group AllowedACHA outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access in interface outside
access-group inside_access_in in interface inside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 gateway 1
route inside AP 255.255.255.255 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Vonlouhr 255.255.255.0 outside
http ComputerCenter 255.255.255.0 outside
snmp-server host outside 172.16.2.4
snmp-server location hereio
snmp-server contact Glenjamin
snmp-server community xxxx
snmp-server enable traps
floodguard enable
telnet Vonlouhr 255.255.255.0 outside
telnet ComputerCenter 255.255.255.0 outside
telnet timeout 5
ssh Vonlouhr 255.255.255.0 outside
ssh ComputerCenter 255.255.255.0 outside
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.10-192.168.1.254 inside
dhcpd dns 151.197.0.39 151.197.0.38
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username administrator password Y.BiSvM.RMx5AQYI encrypted privilege 15
terminal width 80
Cryptochecksum:4da717754c339264ec128fd30840f4f1
: end
Ph1ier#

Question by: ejefferson213
Accepted Solution

by: lrmoore
Try using "pix" for the username and the enable password?
 

Author Closing Comment

by: ejefferson213

That was it. Thank you very much. Strange that you don't see it in the configuration; guess it's built in.
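The rule behind the accepted answer, written up as an added Python audit script (not from this thread, and not a Cisco tool): given a PIX 6.x running config and a client address, it reports whether the `ssh` lines admit that client on the named interface and which login the SSH server will expect. It assumes the PIX 6.x behaviour that without an `aaa authentication ssh console <group>` line the only SSH login is the fixed username `pix` with the telnet password set by `passwd`, which is why the running config shows no such account; with `aaa authentication ssh console LOCAL` the `username` accounts apply instead. The sample config is a constructed excerpt modelled on the one in the question.

```python
import ipaddress
import re

# Constructed excerpt of a PIX 6.3 configuration, modelled on the one in the
# question (same ssh/passwd/username lines); not the poster's full config.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
passwd 2KFQnbNIdI.2KYOU encrypted
name 172.16.2.0 Vonlouhr
ssh Vonlouhr 255.255.255.0 outside
ssh timeout 30
aaa-server LOCAL protocol local
username administrator password Y.BiSvM.RMx5AQYI encrypted privilege 15
"""

def parse_names(lines):
    """Map 'name <ip> <alias>' so ssh lines written with aliases resolve."""
    pairs = (re.match(r"name (\S+) (\S+)$", line) for line in lines)
    return {m.group(2): m.group(1) for m in pairs if m}

def ssh_permitted(lines, client_ip, interface):
    """True if an 'ssh <host> <mask> <iface>' entry covers client_ip on interface."""
    names = parse_names(lines)
    ip = ipaddress.ip_address(client_ip)
    for line in lines:
        m = re.match(r"ssh (\S+) (\S+) (\S+)$", line)  # 'ssh timeout N' has no 3rd field
        if not m or m.group(3) != interface:
            continue
        host = names.get(m.group(1), m.group(1))
        if ip in ipaddress.ip_network(f"{host}/{m.group(2)}", strict=False):
            return True
    return False

def ssh_credentials(lines):
    """Credential source for SSH on PIX 6.x (assumed behaviour): with no
    'aaa authentication ssh console <group>' line the only login is the fixed
    username 'pix' with the telnet password from 'passwd'; with one, the named
    group decides (LOCAL means the 'username ...' accounts)."""
    for line in lines:
        m = re.match(r"aaa authentication ssh console (\S+)", line)
        if m:
            local = [l.split()[1] for l in lines if l.startswith("username ")]
            return {"source": m.group(1),
                    "usernames": local if m.group(1) == "LOCAL" else []}
    return {"source": "default", "usernames": ["pix"], "password": "passwd (telnet)"}

def audit_ssh(config, client_ip, interface):
    lines = config.splitlines()
    return {"permitted": ssh_permitted(lines, client_ip, interface), **ssh_credentials(lines)}
```

Run `audit_ssh(SAMPLE_CONFIG, "172.16.2.3", "outside")` to see the thread's situation (permitted, login `pix`), then append `aaa authentication ssh console LOCAL` to the config to see the `administrator` account take over.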
