topic Re: shh help in Network Security https://community.cisco.com/t5/network-security/shh-help/m-p/949546#M917578 <HTML><HEAD></HEAD><BODY><P>those ip's were juct changed for the post... but i get connection refused from putty</P></BODY></HTML> Thu, 26 Jun 2008 21:10:02 GMT Danny Guillory Jr 2008-06-26T21:10:02Z shh help https://community.cisco.com/t5/network-security/shh-help/m-p/949544#M917576 <P>Trying to figure out why i cannot ssh to my pix501 from a outside connection!</P><P></P><P>any ideas?</P><P></P><P>PIX Version 6.3(5)</P><P>interface ethernet0 auto</P><P>interface ethernet1 100full</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>enable password xxx</P><P>passwd xxx</P><P>hostname AB01-GR-PIX</P><P>domain-name tobar.COM</P><P>clock timezone CST -6</P><P>clock summer-time CDT recurring</P><P>fixup protocol dns maximum-length 512</P><P>fixup protocol ftp 21</P><P>fixup protocol h323 h225 1720</P><P>fixup protocol h323 ras 1718-1719</P><P>fixup protocol http 80</P><P>fixup protocol rsh 514</P><P>fixup protocol rtsp 554</P><P>fixup protocol sip 5060</P><P>fixup protocol sip udp 5060</P><P>fixup protocol skinny 2000</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>fixup protocol tftp 69</P><P>names</P><P>name 10.4.2.0 AB01-GR</P><P>name 10.9.2.0 AB01-LF</P><P>access-list inside_outbound_nat0_acl permit ip AB01-GR 255.255.255.0 AB01-LF 255.255.255.0</P><P>access-list outside_cryptomap_40 permit ip AB01-GR 255.255.255.0 AB01-LF 255.255.255.0</P><P>no pager</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>ip address outside 45.10.15.74 255.255.255.248</P><P>ip address inside 10.4.2.30 255.255.255.0</P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>pdm location AB01-GR 255.255.255.0 inside</P><P>pdm location AB01-LF 255.255.255.0 inside</P><P>pdm location AB01-LF 255.255.255.0 outside</P><P>pdm logging informational 100</P><P>pdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list inside_outbound_nat0_acl</P><P>route outside 0.0.0.0 0.0.0.0 65.100.175.78 1</P><P>timeout xlate 0:05:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00</P><P>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout sip-disconnect 0:02:00 sip-invite 0:03:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server TACACS+ max-failed-attempts 3</P><P>aaa-server TACACS+ deadtime 10</P><P>aaa-server RADIUS protocol radius</P><P>aaa-server RADIUS max-failed-attempts 3</P><P>aaa-server RADIUS deadtime 10</P><P>aaa-server LOCAL protocol local</P><P>http server enable</P><P>http AB01-LF 255.255.255.0 inside</P><P>http AB01-GR 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>sysopt connection permit-ipsec</P><P>crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac</P><P>crypto map outside_map 40 ipsec-isakmp</P><P>crypto map outside_map 40 match address outside_cryptomap_40</P><P>crypto map outside_map 40 set peer 12.166.199.2</P><P>crypto map outside_map 40 set transform-set ESP-DES-MD5</P><P>crypto map outside_map interface outside</P><P>isakmp enable outside</P><P>isakmp key ******** address 12.166.199.2 netmask 255.255.255.255 no-xauth no-config-mode</P><P>isakmp policy 20 authentication pre-share</P><P>isakmp policy 20 encryption des</P><P>isakmp policy 20 hash md5</P><P>isakmp policy 20 group 1</P><P>isakmp policy 20 lifetime 86400</P><P>telnet AB01-GR 255.255.255.0 inside</P><P>telnet AB01-LF 255.255.255.0 inside</P><P>telnet timeout 5</P><P>ssh 0.0.0.0 0.0.0.0 outside</P><P>ssh timeout 5</P><P>management-access inside</P><P>console timeout 0</P><P>dhcpd address 10.4.2.150-10.4.2.180 inside</P><P>dhcpd dns 10.9.2.5 10.9.2.6</P><P>dhcpd lease 3600</P><P>dhcpd ping_timeout 750</P><P>dhcpd domain abvalve.com</P><P>dhcpd auto_config outside</P><P>dhcpd enable inside</P><P>terminal width 80</P><P>Cryptochecksum:xxx</P><P>: end</P><P></P> Mon, 11 Mar 2019 13:06:07 GMT https://community.cisco.com/t5/network-security/shh-help/m-p/949544#M917576 Danny Guillory Jr 2019-03-11T13:06:07Z Re: shh help https://community.cisco.com/t5/network-security/shh-help/m-p/949545#M917577 <HTML><HEAD></HEAD><BODY><P>Couple of things</P><P></P><P>Not a good idea to post config with public IP addresses in it although i suspect you have changed them ??</P><P></P><P>Your outside interface is 45.10.15.74 </P><P>Your default route is 65.100.175.78</P><P></P><P>So it looks like you have modified your addressing ?</P><P></P><P>Anyway, when you try to ssh how far do you get ?</P><P></P><P>Jon</P></BODY></HTML> Thu, 26 Jun 2008 21:04:04 GMT https://community.cisco.com/t5/network-security/shh-help/m-p/949545#M917577 Jon Marshall 2008-06-26T21:04:04Z Re: shh help https://community.cisco.com/t5/network-security/shh-help/m-p/949546#M917578 <HTML><HEAD></HEAD><BODY><P>those ip's were juct changed for the post... but i get connection refused from putty</P></BODY></HTML> Thu, 26 Jun 2008 21:10:02 GMT https://community.cisco.com/t5/network-security/shh-help/m-p/949546#M917578 Danny Guillory Jr 2008-06-26T21:10:02Z Re: shh help https://community.cisco.com/t5/network-security/shh-help/m-p/949547#M917579 <HTML><HEAD></HEAD><BODY><P>Do you know if ssh works from the inside ?</P><P></P><P></P></BODY></HTML> Thu, 26 Jun 2008 21:15:21 GMT https://community.cisco.com/t5/network-security/shh-help/m-p/949547#M917579 Jon Marshall 2008-06-26T21:15:21Z Re: shh help https://community.cisco.com/t5/network-security/shh-help/m-p/949548#M917580 <HTML><HEAD></HEAD><BODY><P>nope but let me try</P></BODY></HTML> Thu, 26 Jun 2008 21:15:47 GMT https://community.cisco.com/t5/network-security/shh-help/m-p/949548#M917580 Danny Guillory Jr 2008-06-26T21:15:47Z Re: shh help https://community.cisco.com/t5/network-security/shh-help/m-p/949549#M917581 <HTML><HEAD></HEAD><BODY><P>conf t</P><P>ca generate rsa key 2048</P><P></P><P>after that try again ssh</P></BODY></HTML> Thu, 26 Jun 2008 21:16:00 GMT https://community.cisco.com/t5/network-security/shh-help/m-p/949549#M917581 a.alekseev 2008-06-26T21:16:00Z Re: shh help https://community.cisco.com/t5/network-security/shh-help/m-p/949550#M917582 <HTML><HEAD></HEAD><BODY><P>yeah i can ssh from inside</P><P></P><P>NOT outside</P><P></P></BODY></HTML> Thu, 26 Jun 2008 21:23:09 GMT https://community.cisco.com/t5/network-security/shh-help/m-p/949550#M917582 Danny Guillory Jr 2008-06-26T21:23:09Z Re: shh help https://community.cisco.com/t5/network-security/shh-help/m-p/949551#M917583 <HTML><HEAD></HEAD><BODY><P>I can test ie. see if i get a prompt if you let me know public IP </P><P></P><P><A href="mailto:jon.marshall4@btinternet.com">jon.marshall4@btinternet.com</A></P><P></P><P>but obviously you don't have to.</P><P></P><P>Jon</P></BODY></HTML> Thu, 26 Jun 2008 21:28:01 GMT https://community.cisco.com/t5/network-security/shh-help/m-p/949551#M917583 Jon Marshall 2008-06-26T21:28:01Z Re: shh help https://community.cisco.com/t5/network-security/shh-help/m-p/949552#M917585 <HTML><HEAD></HEAD><BODY><P>maybe your provider is blocking SSH?</P></BODY></HTML> Thu, 26 Jun 2008 21:41:37 GMT https://community.cisco.com/t5/network-security/shh-help/m-p/949552#M917585 a.alekseev 2008-06-26T21:41:37Z Re: shh help https://community.cisco.com/t5/network-security/shh-help/m-p/949553#M917587 <HTML><HEAD></HEAD><BODY><P>no, because i can ssh into the 506e thats the 501's are VPN'ing into!</P></BODY></HTML> Fri, 27 Jun 2008 12:46:27 GMT https://community.cisco.com/t5/network-security/shh-help/m-p/949553#M917587 Danny Guillory Jr 2008-06-27T12:46:27Z Re: shh help https://community.cisco.com/t5/network-security/shh-help/m-p/949554#M917589 <HTML><HEAD></HEAD><BODY><P>here is a good PIX config... </P><P></P><P>PIX Version 6.3(5)</P><P>interface ethernet0 auto</P><P>interface ethernet1 100full</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>enable password qaAv.Ii3BE9UHjeE encrypted</P><P>passwd lfL9YkXcpVI8j9gT encrypted</P><P>hostname AB01-CC-PIX</P><P>domain-name rupurt.com</P><P>fixup protocol dns maximum-length 512</P><P>fixup protocol ftp 21</P><P>no fixup protocol h323 h225 1720</P><P>no fixup protocol h323 ras 1718-1719</P><P>fixup protocol http 80</P><P>no fixup protocol rsh 514</P><P>no fixup protocol rtsp 554</P><P>no fixup protocol sip 5060</P><P>no fixup protocol sip udp 5060</P><P>no fixup protocol skinny 2000</P><P>fixup protocol smtp 25</P><P>no fixup protocol sqlnet 1521</P><P>no fixup protocol tftp 69</P><P>names</P><P>name 10.7.2.0 AB01-CC</P><P>name 10.9.2.0 AB01-LF</P><P>access-list inside_outbound_nat0_acl permit ip AB01-CC 255.255.255.0 AB01-LF 255.255.255.0</P><P>access-list outside_cryptomap_100 permit ip AB01-CC 255.255.255.0 AB01-LF 255.255.255.0</P><P>no pager</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>no ip address outside</P><P>ip address inside 10.7.2.30 255.255.255.0</P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>pdm location AB01-CC 255.255.255.0 inside</P><P>pdm location AB01-LF 255.255.255.0 inside</P><P>pdm logging informational 100</P><P>pdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list inside_outbound_nat0_acl</P><P>static (inside,outside) 68.213.152.84 10.7.2.13 netmask 255.255.255.255 0 0</P><P>route outside 0.0.0.0 0.0.0.0 68.213.152.81 1</P><P>timeout xlate 0:05:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00</P><P>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout sip-disconnect 0:02:00 sip-invite 0:03:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server TACACS+ max-failed-attempts 3</P><P>aaa-server TACACS+ deadtime 10</P><P>aaa-server RADIUS protocol radius</P><P>aaa-server RADIUS max-failed-attempts 3</P><P>aaa-server RADIUS deadtime 10</P><P>aaa-server LOCAL protocol local</P><P>http server enable</P><P>http 0.0.0.0 0.0.0.0 outside</P><P>http AB01-CC 255.255.255.0 inside</P><P>http AB01-LF 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>sysopt connection permit-ipsec</P><P>crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac</P><P>crypto map outside_map 100 ipsec-isakmp</P><P>crypto map outside_map 100 match address outside_cryptomap_100</P><P>crypto map outside_map 100 set peer 69.2.60.228</P><P>crypto map outside_map 100 set transform-set ESP-DES-MD5</P><P>crypto map outside_map interface outside</P><P>isakmp enable outside</P><P>isakmp key ******** address 12.166.199.2 netmask 255.255.255.255 no-xauth no-config-mode</P><P>isakmp key ******** address 69.2.60.228 netmask 255.255.255.255 no-xauth no-config-mode</P><P>isakmp policy 20 authentication pre-share</P><P>isakmp policy 20 encryption des</P><P>isakmp policy 20 hash md5</P><P>isakmp policy 20 group 1</P><P>isakmp policy 20 lifetime 86400</P><P>telnet AB01-CC 255.255.255.0 inside</P><P>telnet AB01-LF 255.255.255.0 inside</P><P>telnet timeout 5</P><P>ssh 0.0.0.0 0.0.0.0 outside</P><P>ssh 0.0.0.0 0.0.0.0 inside</P><P>ssh timeout 5</P><P>management-access inside</P><P>console timeout 0</P><P>dhcpd address 10.7.2.100-10.7.2.130 inside</P><P>dhcpd dns 10.9.2.5 10.9.2.6</P><P>dhcpd lease 3600</P><P>dhcpd ping_timeout 750</P><P>dhcpd domain rupert.com</P><P>dhcpd auto_config outside</P><P>dhcpd enable inside</P><P>terminal width 80</P><P>Cryptochecksum:xxx</P><P>: end</P><P></P></BODY></HTML> Fri, 27 Jun 2008 12:52:40 GMT https://community.cisco.com/t5/network-security/shh-help/m-p/949554#M917589 Danny Guillory Jr 2008-06-27T12:52:40Z Re: shh help https://community.cisco.com/t5/network-security/shh-help/m-p/949555#M917591 <HTML><HEAD></HEAD><BODY><P>Forgot Outside Ip...</P><P></P><P>PIX Version 6.3(5)</P><P>interface ethernet0 auto</P><P>interface ethernet1 100full</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>enable password xxx</P><P>passwd xxx</P><P>hostname AB01-CC-PIX</P><P>domain-name abvalve.com</P><P>fixup protocol dns maximum-length 512</P><P>fixup protocol ftp 21</P><P>no fixup protocol h323 h225 1720</P><P>no fixup protocol h323 ras 1718-1719</P><P>fixup protocol http 80</P><P>no fixup protocol rsh 514</P><P>no fixup protocol rtsp 554</P><P>no fixup protocol sip 5060</P><P>no fixup protocol sip udp 5060</P><P>no fixup protocol skinny 2000</P><P>fixup protocol smtp 25</P><P>no fixup protocol sqlnet 1521</P><P>no fixup protocol tftp 69</P><P>names</P><P>name 10.7.2.0 AB01-CC</P><P>name 10.9.2.0 AB01-LF</P><P>access-list inside_outbound_nat0_acl permit ip AB01-CC 255.255.255.0 AB01-LF 255.255.255.0</P><P>access-list outside_cryptomap_100 permit ip AB01-CC 255.255.255.0 AB01-LF 255.255.255.0</P><P>no pager</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>ip address outside 68.x.x.84 255.255.255.248</P><P>ip address inside 10.7.2.30 255.255.255.0</P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>pdm location AB01-CC 255.255.255.0 inside</P><P>pdm location AB01-LF 255.255.255.0 inside</P><P>pdm logging informational 100</P><P>pdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list inside_outbound_nat0_acl</P><P>static (inside,outside) 68.213.152.84 10.7.2.13 netmask 255.255.255.255 0 0</P><P>route outside 0.0.0.0 0.0.0.0 68.213.152.81 1</P><P>timeout xlate 0:05:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00</P><P>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout sip-disconnect 0:02:00 sip-invite 0:03:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server TACACS+ max-failed-attempts 3</P><P>aaa-server TACACS+ deadtime 10</P><P>aaa-server RADIUS protocol radius</P><P>aaa-server RADIUS max-failed-attempts 3</P><P>aaa-server RADIUS deadtime 10</P><P>aaa-server LOCAL protocol local</P><P>http server enable</P><P>http 0.0.0.0 0.0.0.0 outside</P><P>http AB01-CC 255.255.255.0 inside</P><P>http AB01-LF 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>sysopt connection permit-ipsec</P><P>crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac</P><P>crypto map outside_map 100 ipsec-isakmp</P><P>crypto map outside_map 100 match address outside_cryptomap_100</P><P>crypto map outside_map 100 set peer 69.2.60.228</P><P>crypto map outside_map 100 set transform-set ESP-DES-MD5</P><P>crypto map outside_map interface outside</P><P>isakmp enable outside</P><P>isakmp key ******** address 12.166.199.2 netmask 255.255.255.255 no-xauth no-config-mode</P><P>isakmp key ******** address 69.2.60.228 netmask 255.255.255.255 no-xauth no-config-mode</P><P>isakmp policy 20 authentication pre-share</P><P>isakmp policy 20 encryption des</P><P>isakmp policy 20 hash md5</P><P>isakmp policy 20 group 1</P><P>isakmp policy 20 lifetime 86400</P><P>telnet AB01-CC 255.255.255.0 inside</P><P>telnet AB01-LF 255.255.255.0 inside</P><P>telnet timeout 5</P><P>ssh 0.0.0.0 0.0.0.0 outside</P><P>ssh 0.0.0.0 0.0.0.0 inside</P><P>ssh timeout 5</P><P>management-access inside</P><P>console timeout 0</P><P>dhcpd address 10.7.2.100-10.7.2.130 inside</P><P>dhcpd dns 10.9.2.5 10.9.2.6</P><P>dhcpd lease 3600</P><P>dhcpd ping_timeout 750</P><P>dhcpd domain abvalve.com</P><P>dhcpd auto_config outside</P><P>dhcpd enable inside</P><P>terminal width 80</P><P>Cryptochecksum:xxx</P><P>: end</P><P></P></BODY></HTML> Fri, 27 Jun 2008 12:54:48 GMT https://community.cisco.com/t5/network-security/shh-help/m-p/949555#M917591 Danny Guillory Jr 2008-06-27T12:54:48Z Re: shh help https://community.cisco.com/t5/network-security/shh-help/m-p/949556#M917593 <HTML><HEAD></HEAD><BODY><P>using the configuration above i cannot ping the outside address either!</P></BODY></HTML> Fri, 27 Jun 2008 13:15:23 GMT https://community.cisco.com/t5/network-security/shh-help/m-p/949556#M917593 Danny Guillory Jr 2008-06-27T13:15:23Z