01-12-2004 05:26 AM - edited 02-20-2020 11:11 PM
Is it true that a PIX device will not allow you to SSH to the device on an interface if the traffic goes through another interface on the PIX first? If so, is there a way to get around this? We don't route the main PIX interface over our network but we do route all others and would like to access the PIX itself using SSL thru them.
01-12-2004 05:57 AM
Hi,
You can use SSH to connect to your PIX on the outside interface. To allow this, you'll require the following four parameters on the PIX:
1. Define a hostname
2. Define a domain name
3. Generate a public/private RSA key combination
4. Specify the address allowed to access the PIX via SSH
To generate the RSA key do:
In config mode on PIX..
> ca generate rsa key module-size
You'll need either DES or 3DES activated on the PIX to execute the above command. The module size can be 512, 768, 1024 or 2048; the larger the size of the module, the more secure the connection will be.
You can check the key generated by issuing (in config mode) : show ca mypubkey rsa
Remember to save the RSA Key with : ca save all
To permit specified addresses to establish an SSH connection to the PIX, do the following:
> (In config mode) ssh ip_address [subnet_mask] [interface_name]
If you omit the subnet mask, it defaults to 255.255.255.255, no matter what class of address you enter.
> you can control the SSH timeout with cmd: ssh timeout
> you can view the SSH session on the PIX with cmd: show ssh sessions
To obtain an SSH client, go to either www.google.com and type Putty, or go to www.sshcommunications.com and download the SSH client.
NOTE: When you establish an SSH connection to the PIX, you'll first see the following info in your SSH session:
pix(config)#.
pix(config)#.
The . does not affect the SSH session; it indicates that the PIX is generating a server key or decrypting a message, in other words the PIX is busy setting up the connection. After this setup, the PIX will prompt you to enter a username, where you'll enter the username pix, and then the telnet password. Remember that the default telnet password is cisco.
Hope this helps out, and let me know how you get on. Please rate this post if it helps you out so that others can use it.
Thanks, Jay.
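Jay's four steps stitched together as one PIX 6.x configuration session (an added example, not part of the original post). The hostname, domain name, addresses, interface name "mgmt", timeout and password are constructed placeholders; the commands themselves are standard PIX 6.x syntax.

```text
! Added example: PIX 6.x SSH management setup; all values are constructed placeholders
! Step 1: hostname (also becomes part of the RSA key name)
pix(config)# hostname pixfw
! Step 2: domain name (required before an RSA key can be generated)
pixfw(config)# domain-name example.internal
! Step 3: RSA key pair with a 1024-bit modulus; needs DES or 3DES enabled on the PIX
pixfw(config)# ca generate rsa key 1024
! Verify the key, then save it (ca save all is separate from write memory)
pixfw(config)# show ca mypubkey rsa
pixfw(config)# ca save all
! Step 4: allowed SSH sources, each bound to the interface the connection arrives on
! A /24 of support workstations reaching the PIX via the "mgmt" interface
pixfw(config)# ssh 10.20.30.0 255.255.255.0 mgmt
! No mask given, so it defaults to 255.255.255.255 (exactly one host)
pixfw(config)# ssh 10.20.40.7 mgmt
! Idle timeout in minutes
pixfw(config)# ssh timeout 10
! SSH logs in as user "pix" with the telnet password; replace the default "cisco"
pixfw(config)# passwd Str0ng-Placeh0lder
pixfw(config)# write memory
! Check who is connected
pixfw(config)# show ssh sessions
```

The interface name on each ssh line is the interface on which the PIX expects that source's connection to arrive, so it is the setting to review for the scenario described in the question.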
01-12-2004 06:17 AM
Thanks Jay. Do I really need all of this just to connect with SSH to another interface on the same PIX device? The PIX device is within our support network, inside the company but restricted to only support personnel administering the device. We want the support personnel to SSH to an interface on the PIX device after going through the device to get to that interface. We restrict anyone from accessing the primary PIX interface because we restrict anyone from accessing the backbone network that the PIX is attached to. This is why we require access to an interface other than the primary one using SSH, but after going through the primary to get to the interface. whew..... confusing..
01-12-2004 07:19 AM
You should be able to ssh to the pix so long as you can route to it. I really don't understand what you mean by the primary interface - do you mean the "inside" one, i.e., the one with the highest security level? Are people allowed to send packets across the "inside" network, but not directly connect to it?
01-12-2004 07:34 AM
We have a PIX device that has one connection to a backbone ethernet network, one interface connection to a switch management network and one interface connection to a server network. We route the switch management network and the server network through static routes off a router on the ethernet backbone network pointing to the PIX ethernet backbone interface. We don't route the PIX interface that supports the ethernet backbone out to our users directly because we don't want people to get to other devices on the ethernet backbone directly.
So... we want support personnel to access the PIX switch management interface using SSL to support the PIX device itself, which means that it must route through the PIX's ethernet backbone interface first before it can SSL to the PIX's switch management interface. People are telling me that you can't do that. Is this true?