topic Re: ssh problem on pix firewall in Network Security

ssh problem on pix firewall

david.xu — Fri, 21 Feb 2020 06:21:12 GMT

I have pix firewall , PIX Version 6.1(1).

I am trying to configure for ssh login from outside.

I did configure the hostname ,domain name,ssh timeout, and

ssh x.x.x.x 255.255.255.0 outside

pass xxxx

but there is no AAA, and rsa .

The problem is stange.I can ssh into the pix by the usename pix and password after I configured , no any problem.but after I exit , I cannot login any more, there is just a quick freshing in the client software , and then go to "not connect".I did try another client software, it is same.

so I removed the ssh xxxx, and then I try the ssh again, it show me a message " remote host reject the session", so looks pix has the response. And then I add ssh xxxx again, the problem comes back.

I have a "access-group acl_in in interface outside" on outside interface, in the access list I didn't permit the port 22 on outside interface, does it affect the ssh connection?

I connect to internet through a NAT/PAT. Does it affect the ssh connection and cause the problem?

Re: ssh problem on pix firewall

david.xu — Wed, 06 Nov 2002 17:52:01 GMT

when I "sh logg", I saw there is a error message

"315004: Fail to establish SSH session because PIX RSA host key retrieval failed."

but I didn't use RSA key, do I have to use it, "ca gen rsa key 1024"?

Thanks,

david

Re: ssh problem on pix firewall

steve.barlow — Wed, 06 Nov 2002 20:59:08 GMT

Yes you need it. Here is a sample config of the commands needed:

hostname xxxx

domain-name xxxx

ca generate rsa key 1024

ca save all

ssh 10.10.10.10 255.255.255.255 outside

ssh timeout 60

Hope it helps.

Steve

Re: ssh problem on pix firewall

david.xu — Thu, 07 Nov 2002 18:58:21 GMT

Thanks for the help.

But I am still confused ,why the first time I can login by ssh without the RSA key, and then the problem happened without RSA key?

bug?

Re: ssh problem on pix firewall

hermann.pees — Tue, 26 Nov 2002 13:50:19 GMT

No , it isn't a bug . But in version 6.X you have to set the aaa command to access the pix.

use the following command

aaa authentication ssh console LOCAL

Im my opinion this will fix the problem .

regard

Hermann

Re: ssh problem on pix firewall

david.xu — Tue, 26 Nov 2002 17:36:20 GMT

Hi,Hermann

My version is 6.1, I didn't do aaa for console, but after I generate the rsa key and save it, my ssh is working fine now.

Thanks,

David