haywardmj
asked on
PIX 501 - Cannot connect remotely via SSH using PuTTY
I have several sites using a PIX 501, I can hit the outside interface using SSH on PuTTY from the main office with no problem, but from this one pix I cannot. Config is as follows:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname ******Pix
domain-name ****.org
clock timezone AKST -9
clock summer-time AKDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
<--- More --->
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.60.0 DMall
name 192.168.1.0 LaurelST
pager lines 24
icmp permit any inside
mtu outside 1485
mtu inside 1485
ip address outside pppoe setroute
ip address inside 192.168.60.201 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location DMall 255.255.255.0 inside
pdm location LaurelST 255.255.255.0 outside
pdm location LaurelST 255.255.255.0 inside
pdm location 000.000.000.000 255.255.255.255 outside
<--- More --->
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group LaurelST_access in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http LaurelST 255.255.255.0 inside
http DMall 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
<--- More --->
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1300
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 000.000.000.000
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 000.000.000.000 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet DMall 255.255.255.0 inside
telnet LaurelST 255.255.255.0 inside
telnet timeout 5
ssh 000.000.000.000 255.255.255.255 outside
ssh timeout 60
console timeout 0
vpdn group pppoe_group request dialout pppoe
<--- More --->
vpdn group pppoe_group localname *******@**********.net
vpdn group pppoe_group ppp authentication pap
vpdn username ***********@**************
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
: end
Everywhere that the IP is listed as 000.000.000.000 is my company's external IP from the main office.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname ******Pix
domain-name ****.org
clock timezone AKST -9
clock summer-time AKDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
<--- More --->
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.60.0 DMall
name 192.168.1.0 LaurelST
pager lines 24
icmp permit any inside
mtu outside 1485
mtu inside 1485
ip address outside pppoe setroute
ip address inside 192.168.60.201 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location DMall 255.255.255.0 inside
pdm location LaurelST 255.255.255.0 outside
pdm location LaurelST 255.255.255.0 inside
pdm location 000.000.000.000 255.255.255.255 outside
<--- More --->
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group LaurelST_access in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http LaurelST 255.255.255.0 inside
http DMall 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
<--- More --->
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1300
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 000.000.000.000
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 000.000.000.000 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet DMall 255.255.255.0 inside
telnet LaurelST 255.255.255.0 inside
telnet timeout 5
ssh 000.000.000.000 255.255.255.255 outside
ssh timeout 60
console timeout 0
vpdn group pppoe_group request dialout pppoe
<--- More --->
vpdn group pppoe_group localname *******@**********.net
vpdn group pppoe_group ppp authentication pap
vpdn username ***********@**************
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
: end
Everywhere that the IP is listed as 000.000.000.000 is my company's external IP from the main office.
You dont need to do step 2 above....and I see you allow all to ssh to your outside interface. You probably want to lock that down. (use the IP or range you will be comming FROM...ssh 64.30.66.2 255.255.255.255 outside ...etc for a host.
ASKER
What is the proccess to regenerate SSH keys and can I do this without bringing down the pix? I will lock down the ssh using my ip at the main center. the address is just all zeros in this post for security's sake. I am assuming that command is
ssh 192.168.1.150 255.255.255.255 outside (ip of course will be different)
ssh 192.168.1.150 255.255.255.255 outside (ip of course will be different)
it something like "ca generate rsa xx xx xx", I don't exactly remember but definitely starts with ca. OR try "crypto key generate xxx xx"
Hope this helps :-).
Hope this helps :-).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
1) Regenerate you SSH keys, make sure to do "ca save all" after you regenerate them
2) There is a command something to the effect of "aaa-server SSH authentication console LOCAL" OR "ssh authentication LOCAL", something like that, I don't have access to a PIX6.3 otherwise I would tell you the exact command.
Let me know if this works :-).