Re: Opening port 22 in pix 501

lexiainfo · ‎10-01-2005

I would like to open a port 22 (SSH) on the PIX 501. What commands do I need?

Thanks

jmia · ‎10-02-2005

I assume you asking for port 22 (SSH) to be opened through the PIX so that you can connect to an internal device on port 22 or are asking on how to enable SSH on the PIX?

I’ll answer both of my assumptions:

If you are asking to allow port 22 through the PIX then you’ll require an ACL on your outside interface and a static command to map to an internal device listening on port 22.

To enable SSH access on the PIX for remote administration, you’ll need the following:

- Define a hostname

- Define a domain name

- You’ll need to generate public/private RSA keys

- Specify the address allowed to access the PIX via SSH

Example:

In configuration mode:

hostname

domain-name

To generate the RSA keys, make sure that you have DES or 3DES enabled on your PIX – you can check by issuing: sho ver

pix (config) # ca generate rsa key

Key size can be: 512, 768, 1024 or 2048 – The larger the size, the more secure the connection will be.

pix (config) # ca save all

To view your generated RSA keys, issue: show ca mypubkey rsa

To permit access via SSH:

pix (config) # ssh

Ex:

SSH from outside – allowing any SSH connection:

pix (config) # ssh 0 0 outside

To allow a particular outside network access via SSH:

pix (config) # ssh 255.255.255.255 outside

Same for inside clients access via SSH but change the interface name from outside to inside.

To allow port 22 through the PIX to an internal device:

In configuration mode:

access-list outside_in permit tcp any host eq 22

access-group outside_in in interface outside

static (inside,outside) tcp interface 22 22 netmask 255.255.255.255 0 0

If you have available public IP address then you can substitute the with your public IP address and also change the static command appropriately i.e. substitute the interface command to your public IP.

Save with: write mem and also issue: clear xlate

From a security point of view, I would not recommend allowing 'any' connections via SSH. Instead I would recommend allowing a known host i.e. host to host connection.

You can obtain the SSH client freely, go to google and search for putty.exe

I hope all the above helps and let me know how you get on.

Jay

lexiainfo · ‎10-02-2005

Hi thanks for the quick reply, could you tell me exactly which ip this is -

Also, how can I lock it down to a known host as you suggested?

Thanks again

jackko · ‎10-02-2005

, that's the outside interface ip of the pix. you can verify this by looking at "ip address outside xxx.xxx.xxx.xxx "

to further restrict ssh access to the pix,

ssh outside

with the key word outside, it means ssh access is available on the outside interface. in case you want to ssh rather than telnet from the internal network in order to maximise the security level, you can

ssh inside

jmia · ‎10-02-2005

As Jack expalined on his post.

Jay

lexiainfo · ‎10-05-2005

Unable to open ports we followed all the istruction still same problem.

jackko · ‎10-06-2005

according to the latest config, the command below is missing.

ssh outside

e.g.

ssh 10.0.0.1 255.255.255.255 outside

with the command above, any host with ip 10.0.0.1 will be able to initiate ssh session to the pix. further you can apply a network with the command instead of a single host.

jackko · ‎10-06-2005

in case you want to open ssh access for all (testing purpose), you still need to configure it on the pix as below:

ssh 0.0.0.0 0.0.0.0 outside

rpathani · ‎10-09-2005

Looking at your pix config, you cannot ssh to your pix from outside but inside.

Note the following statement:

static (inside,outside) tcp interface ssh 192.168.2.110 ssh

Instead of terminating ssh connection on Pix, it gets bypassed to inside host 192.168.2.110 host.

If you remove this static command form the pix config, then you would be able to access pix via ssh from outside.

Rahul Pathania

rpathani@cisco.com