
How do I setup the Pix 501 to accept telnet to the outside interface?


emso

IS-IT--Management
Oct 10, 2003
I want to access the telnet management on the PIX 501 from the outside interface. How may I do this?

If I use VPN without IPSEC, is it possible then ?

 
I would use SSH, it's more secure than Telnet
telnet=clear text

with telnet someone can see the information being sent to the pix
NOT GOOD

ssh 0.0.0.0 0.0.0.0 outside
this will allow you to manage it from any ip outside the pix

ssh XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
replace the X's with an outside IP and it will restrict access to just that IP

a good SSH client is Putty
has it and it's free!!
 
Telnet to the outside is not possible unless it is through an IPSec tunnel. Try SSH instead as br0ck advised earlier.
 
You mentioned Putty as a good SSH client, are there others you would recommend ?
 
they're out there

teraterm
SecureCRT
f-secure SSH

putty takes the cake in my opinion
the cut and paste function is very helpful when configuring and mod'ing cisco configs

and you can't beat the cost
 
I put in ssh 0.0.0.0 0.0.0.0 outside

and tried to connect to the pix with putty, but I get "Connection closed by host" when I try to connect.

Ideas ??
 
make sure you select SSH as the connection type
the default is telnet

the buttons below the IP box
 
I did. (Chose SSH)
 
stupid questions but

are you outside the PIX?

can you ping the pix?

do you get the auth prompt?

sh arp
see if your ssh host ip is listed
 
Yes I am outside the Pix
No, we have disabled ping, but I may access it through VPN (That's how I change the settings, by accessing a host on the inside and telnetting to the pix.)
No, I don't get the auth prompt.

Where should I sh arp ? In the pix ?
 
Have you generated a key on your pix?

something like
ca gen rsa key 768
ca save all
 
THANK YOU
Now it works !
To sum it up i used these commands:
ssh 0.0.0.0 0.0.0.0 outside
ca gen rsa key 768
ca save all
write mem
reboot

And it WORKS. Putty works fine also. Very nice logging feature...

Thanks a lot.
 
Thanks to everyone. I used the commands suggested for outside access to my PIX 520, works great and Putty is good, too.

But when I tried to do the very same thing to a PIX 506E, I time out when attempting to SSH in. Any clues??

TIA

Trey
 
Sorry, I'm new to the PIX forum world. Should have included this in previous post.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxxxx encrypted
hostname Abbey-LA-PIX
domain-name ourdomain.com
no fixup protocol ftp 21
no fixup protocol http 80
no fixup protocol h323 1720
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sqlnet 1521
no fixup protocol smtp 25
no fixup protocol skinny 2000
no fixup protocol sip 5060
names
name 198.1.2.2 asbnotes
access-list permit_in permit tcp any host x.x.x.x eq 1352
access-list permit_in permit tcp any host x.x.x.x eq smtp
access-list permit_in permit tcp any host x.x.x. eq www
access-list in_out permit ip any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.240
ip address inside 198.1.2.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location asbnotes 255.255.255.255 inside
pdm location 192.1.2.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.240 outside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group permit_in in interface outside
access-group in_out in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http asbnotes 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 198.1.2.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 255.255.255.0 outside
ssh timeout 5
dhcpd address 198.1.2.101-198.1.2.202 inside
dhcpd dns 168.215.210.50 207.170.210.162
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ourdomain.com
dhcpd enable inside
terminal width 80

I did the "ca gen rsa key 768" and "ca save all" also.

Thanks.
 
remove
ssh 0.0.0.0 255.255.255.0 outside

add
ssh 0.0.0.0 0.0.0.0 outside

or ssh 0 0 outside (it's the same, just faster to type)

also

I think 198.x.x.x is publicly routed you might want to look into changing it to
192.168.x.x
172.16.x.x
10.x.x.x
Etc…


Depending on your routing/subnetting needs

IP changing can be a large task so plan accordingly

Good luck
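As an added illustration of why the 255.255.255.0 mask timed out while 0.0.0.0 worked (this is not code from the thread or from Cisco): a small Python checker that evaluates PIX `ssh`/`telnet` access lines against a client address and flags management rules a defender would want to review. The sample lines are constructed from the posted config, and the 203.0.113.7 admin host is a hypothetical address.

```python
import ipaddress

# Constructed sample: the ssh/telnet lines from the posted PIX 506E config,
# br0ck's corrected rule, and a hypothetical single-admin-host rule.
SAMPLE_LINES = [
    "telnet 198.1.2.0 255.255.255.0 inside",
    "ssh 0.0.0.0 255.255.255.0 outside",         # the rule that timed out
    "ssh 0.0.0.0 0.0.0.0 outside",               # the fix: any outside host
    "ssh 203.0.113.7 255.255.255.255 outside",   # hypothetical: one admin host
    "ssh timeout 5",                             # not an access rule
]

def parse_access_line(line):
    """Parse 'ssh|telnet <addr> <mask> <iface>' into (proto, network, iface).
    Returns None for anything else (e.g. 'ssh timeout 5')."""
    parts = line.split()
    if len(parts) != 4 or parts[0] not in ("ssh", "telnet"):
        return None
    proto, addr, mask, iface = parts
    # PIX accepts the shorthand 'ssh 0 0 outside' for 0.0.0.0 0.0.0.0
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    try:
        # dotted mask: 0.0.0.0 means 'any', 255.255.255.255 means one host
        net = ipaddress.IPv4Network((addr, mask), strict=False)
    except ValueError:
        return None
    return proto, net, iface

def admitting_rule(lines, proto, iface, client_ip):
    """Return the first rule that lets client_ip open proto on iface, else None.
    None is what the thread saw: 0.0.0.0/24 only covers 0.0.0.x, so a real
    client never matches and the SSH session just times out."""
    ip = ipaddress.IPv4Address(client_ip)
    for line in lines:
        parsed = parse_access_line(line)
        if parsed and parsed[0] == proto and parsed[2] == iface and ip in parsed[1]:
            return line
    return None

def audit(lines):
    """List management rules worth reviewing: clear-text telnet reachable from
    the outside, or SSH open to every host on an interface."""
    findings = []
    for line in lines:
        parsed = parse_access_line(line)
        if parsed is None:
            continue
        proto, net, iface = parsed
        if proto == "telnet" and iface == "outside":
            findings.append((line, "clear-text telnet on the outside interface"))
        elif net.prefixlen == 0:
            findings.append((line, "open to every %s host; restrict to admin addresses" % iface))
    return findings
```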
 
That did it! Thank you.
One more: when SSH'ing in I get:
"The first cipher supported by the server is single-DES, which is below the configured warning threshold. Do you want to continue with this connection?"
I assume this is referring to my PuTTY configuration, correct? I don't get this warning when SSHing to my 520. Anything here that I should be concerned with?

Thanks br0ck.
 
that's normal


putty is just telling you the connection information
 