03-17-2008 09:53 AM - edited 03-11-2019 05:18 AM
Hi, I am working on a PIX 501 via a remote SSH connection. All was fine until I issued a reload command. Now I cannot get access to the PIX via SSH, and an nmap scan shows port 22 is open but the service shows tcpwrapped. I have never seen this before, anyone know how to clear it? Thanks in advance.
03-17-2008 06:11 PM
Looks like you have not saved the SSH key and reloaded the PIX. After that you will not be able to log in again until you regenerate the keys.
If you have console access you can see the keys by typing:
show ca mypubkey rsa
If it does not show any key, then you do not have one.
sincerely
Patrick
03-17-2008 10:50 AM
Hi,
Was the config saved before the reload? If not, then you will have to regenerate the ssh keys.
regards
John
03-17-2008 10:53 AM
John, yes, I did a write memory just before the reload. Can you tell me what tcpwrapped means? I have never seen this before. Thanks, Mitchell
03-17-2008 12:28 PM
You have to save the ssh keys with the following command:
ca save all
To regenerate the keys use:
ca gen rsa key 1024
Reference:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/c.html#wp1025120
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sysmgmt.html#wp1034079
The write memory does not save the ssh keys.
To use SSH, your PIX Firewall must have a DES or 3DES activation key and you must generate an RSA key-pair for the PIX Firewall before clients can connect to the PIX Firewall console. Use the ca generate rsa key 512 command to generate a key; change the modulus size from 512, as needed. After generating the RSA key, save the key using the ca save all command.
sincerely
Patrick
03-17-2008 01:05 PM
Hi Patrick, thanks for your post. My PIX does have a 3DES activation key. I have been using SSH on this PIX for several days with PuTTY and I did not generate an RSA key-pair; perhaps someone else did before me. It was working fine until I issued the reload command via SSH. When the RSA keys are missing, do you get this issue with "tcpwrapped"?
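For the "what does tcpwrapped mean" question: nmap reports a port as tcpwrapped when the TCP handshake completes but the peer closes the connection before sending any service data, so nmap can see something listening yet cannot identify it. That is the symptom the thread describes after the reload: port 22 accepts the connection but no SSH exchange starts, consistent with Patrick's explanation that the RSA key was never saved. The following is an added example, not code from this thread or from Cisco. It is a small Python probe that connects to a port and classifies the result the same way, so an admin can tell from the outside whether an SSH daemon is actually offering a banner. The listeners it tests against are constructed locally (one sends a made-up SSH banner, one accepts and immediately closes); the banner string, host and ports are assumptions for the demo, not values from the thread.

```python
import socket
import threading

# Constructed sample banner for the local "healthy" listener; not a real PIX banner.
SAMPLE_BANNER = b"SSH-1.99-ExampleSshd\r\n"


def probe_ssh(host, port, timeout=2.0):
    """Connect to host:port and classify what the peer does, roughly as nmap's
    service detection would:
      'closed'     - connection refused, nothing is listening
      'ssh'        - the peer sent an SSH protocol banner ("SSH-...")
      'other'      - the peer sent data that is not an SSH banner
      'tcpwrapped' - handshake completed, peer closed without sending anything
      'timeout'    - handshake completed, peer stayed silent for `timeout` seconds
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return "timeout"
            except ConnectionResetError:
                # RST instead of FIN: still "accepted then dropped" from outside
                return "tcpwrapped"
    except ConnectionRefusedError:
        return "closed"
    if not data:
        return "tcpwrapped"
    if data.startswith(b"SSH-"):
        return "ssh"
    return "other"


def _serve(banner, connections=1):
    """Start a throwaway listener on 127.0.0.1 and return its port.
    banner=None makes it accept and immediately close, which is what a daemon
    that cannot start its protocol exchange looks like to a scanner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def run():
        for _ in range(connections):
            conn, _ = srv.accept()
            if banner is not None:
                conn.sendall(banner)
            conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def _free_port():
    """Bind and release a loopback port so we have one with nothing listening."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe one listener of each kind and return {name: classification}."""
    healthy_port = _serve(SAMPLE_BANNER)
    wrapped_port = _serve(None)
    closed_port = _free_port()
    return {
        "healthy": probe_ssh("127.0.0.1", healthy_port),
        "no_banner": probe_ssh("127.0.0.1", wrapped_port),
        "closed": probe_ssh("127.0.0.1", closed_port),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run the script and the "no_banner" listener comes back as tcpwrapped while the "healthy" one comes back as ssh; point probe_ssh at a real firewall's port 22 to get the same verdict nmap gives, and if it stays tcpwrapped after the keys are regenerated and saved with ca save all, the problem is somewhere other than the missing key.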