Solved

Cisco PIX 501 won't allow SSH

Posted on 2009-05-09
Last Modified: 2012-05-06
Our non-profit has a small network of clients that use our access to the Internet and we use the PIX to segregate their network from ours. All is working except I cannot SSH into the PIX device. I believe the necessary statements are in place but I can't log into it. (PuTTY) SSH rejects my login but I'm certain I'm using the correct username and password. I can't see anything in my log either that would point out the problem; perhaps the logging isn't set up correctly either. Any suggestions would be most helpful as I've spent a lot of time looking at the configuration and Internet postings. I'm trying to SSH in from a PC on the 172.16.2.x network (directly attached to the PIX outside network). Thank you.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aDU/SenosGi/7GR2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Ph1ier
domain-name xxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.3.0 ComputerCenter
name 172.16.5.0 VineStreet
name 172.16.2.0 Vonlouhr
name 172.16.4.0 IntakeOffice
name 172.16.6.0 HaddOffice
name 1.1.1.1 Internet
name 172.16.2.3 Sulley
name 192.168.1.6 AP
name 172.16.2.18 gateway
object-group network AA
  network-object VineStreet 255.255.255.0
  network-object ComputerCenter 255.255.255.0
  network-object IntakeOffice 255.255.255.0
  network-object HaddOffice 255.255.255.0
  network-object Vonlouhr 255.255.255.0
object-group network AllowedACHA
  network-object Sulley 255.255.255.255
access-list inside_access_in permit icmp any host 172.16.2.1
access-list inside_access_in permit ip any host 172.16.2.1
access-list inside_access_in permit ip any host Sulley
access-list inside_access_in deny ip any object-group AA
access-list inside_access_in permit ip any any
access-list outside_access permit ip any object-group AA
pager lines 24
logging timestamp
logging console debugging
logging buffered debugging
logging history debugging
mtu outside 1500
mtu inside 1500
ip address outside 172.16.2.12 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Vonlouhr 255.255.255.0 outside
pdm location ComputerCenter 255.255.255.0 outside
pdm location IntakeOffice 255.255.255.0 outside
pdm location VineStreet 255.255.255.0 outside
pdm location HaddOffice 255.255.255.0 outside
pdm location 172.16.2.1 255.255.255.255 outside
pdm location Internet 255.255.255.255 outside
pdm location Sulley 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 172.16.2.13 255.255.255.255 outside
pdm location AP 255.255.255.255 inside
pdm location 172.16.2.4 255.255.255.255 outside
pdm group AA outside
pdm group AllowedACHA outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access in interface outside
access-group inside_access_in in interface inside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 gateway 1
route inside AP 255.255.255.255 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Vonlouhr 255.255.255.0 outside
http ComputerCenter 255.255.255.0 outside
snmp-server host outside 172.16.2.4
snmp-server location hereio
snmp-server contact Glenjamin
snmp-server community xxxx
snmp-server enable traps
floodguard enable
telnet Vonlouhr 255.255.255.0 outside
telnet ComputerCenter 255.255.255.0 outside
telnet timeout 5
ssh Vonlouhr 255.255.255.0 outside
ssh ComputerCenter 255.255.255.0 outside
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.10-192.168.1.254 inside
dhcpd dns 151.197.0.39 151.197.0.38
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username administrator password Y.BiSvM.RMx5AQYI encrypted privilege 15
terminal width 80
Cryptochecksum:4da717754c339264ec128fd30840f4f1
: end
Ph1ier#

Question by:ejefferson213
Accepted Solution

by:
lrmoore earned 500 total points
ID: 24346509
Try using "pix" for the username and the enable password?
0
 

Author Closing Comment

by:ejefferson213
ID: 31579802
That was it. Thank you very much.  Strange that you don't see it in the configuration; guess it's built in.  
0
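The posted configuration defines `username administrator` and `aaa-server LOCAL`, but has no `aaa authentication ssh console` line, so on PIX 6.x SSH logins never consult the local user database and fall back to the built-in `pix` account. The following Python check is an added example, not part of the thread: it reports, per management protocol, which credential source a login will hit. The sample config is constructed and `audit_mgmt_auth` is a hypothetical name.

```python
import re

# Constructed sample: management-plane lines shaped like the PIX 6.3 config in
# the question (note there is no "aaa authentication ssh console" line).
SAMPLE = """\
aaa-server LOCAL protocol local
telnet 172.16.2.0 255.255.255.0 outside
ssh 172.16.2.0 255.255.255.0 outside
ssh timeout 30
username administrator password <hash> encrypted privilege 15
"""

def audit_mgmt_auth(config: str) -> dict:
    """Report which credential source each management protocol will check."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Protocols bound to an AAA group, e.g. "aaa authentication ssh console LOCAL".
    aaa = {m.group(1): m.group(2) for l in lines
           if (m := re.match(r"aaa authentication (\w+) console (\S+)", l))}
    # Accounts in the local user database.
    local_users = [m.group(1) for l in lines
                   if (m := re.match(r"username (\S+) password ", l))]
    report = {}
    for proto in ("ssh", "telnet"):
        # Access rules look like "ssh <net> <mask> <interface>";
        # "ssh timeout 30" has no mask field and is skipped.
        sources = [tuple(l.split()[1:]) for l in lines
                   if re.match(rf"{proto} \S+ \d+\.\d+\.\d+\.\d+ \S+$", l)]
        if not sources:
            continue  # protocol not enabled for any source network
        group = aaa.get(proto)
        report[proto] = {
            "sources": sources,
            "auth": group or "built-in",
            # Without a LOCAL binding, "username" entries are never consulted.
            "unused_local_users": [] if group == "LOCAL" else local_users,
        }
    return report

if __name__ == "__main__":
    for proto, info in audit_mgmt_auth(SAMPLE).items():
        print(proto, info)
```

Appending `aaa authentication ssh console LOCAL` to the sample changes the `ssh` entry to `auth: LOCAL` with no unused local users, which is the state in which the `administrator` account would be accepted over SSH.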
