
SSH Connection

Status
Not open for further replies.

mmohawk

IS-IT--Management
Jan 8, 2003
19
US
I'm in need of some assistance on my firewall 501 Pix. I'm trying to get through this mess that was left for me by the other administrator of our company, who is no longer with us. I don't have a lot of knowledge of Pix configuration. I need an SSH connection set up for one of our software vendors to connect, update & configure one of our UNIX servers. This is the configuration at this point. It seems that an attempt was made to have this set up. Any help would be greatly appreciated.

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXX encrypted
passwd XXXXXXX encrypted
hostname XXXXXXX
domain-name XXXXXXX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp host 63.67.208.68 host 216.47.250.*** eq 22
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 216.47.250.*** 255.255.255.***
ip address inside 192.168.1.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.1.205-192.168.1.215
pdm history enable
arp timeout 14400
global (outside) 1 216.47.250.***
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.47.250.*** 192.168.1.4 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 216.47.250.*** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet 192.168.1.53 255.255.255.255 inside
telnet timeout 5
ssh 63.76.208.0 255.255.255.0 outside
ssh 63.76.208.68 255.255.255.255 inside
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.1.200
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username XXXXXXX password *******
vpdn enable outside
terminal width 80
Cryptochecksum:f97a4db4b84caf15929c72dce46d1e74

Thanks in advance...

Thanks, Mic
 
Do this to generate the key:
ca gen rsa key 1024
!--- Caution: The RSA key will not be saved without the CA SAVE ALL command.
!--- The write mem command will not save it! In addition, if the PIX has undergone a write erase
!--- or has been replaced, then cutting and pasting the old configuration does not generate the key.
!--- You must re-enter the ca gen rsa key command.
!--- If there is a secondary PIX in a failover pair, doing write standby will not copy the key
!--- from the primary to the secondary. You must also generate and save the key on the secondary device.
ssh 172.18.124.114 255.255.255.255 inside
!! to enable ssh on the outside you can use this to allow anyone to ssh in.
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60


 
Assuming that:
vendor's address = 63.67.208.68
your UNIX device inside/outside = 192.168.1.4 / 216.47.250.*** (and your outside interface address is different than the static assigned to the UNIX device)

Your config looks right. Here's a couple of ideas on where to look.

Have you verified that the UNIX box is allowing ssh from the vendor's source IP?

After the vendor makes an attempt, do a sho access list and see if your packet count is incrementing on access-l 101; if so, the packets are making it to you.

If the access list is incrementing, you can use debug packet inside dst 192.168.1.4 netmask 255.255.255.255 (or whatever the syntax is, just be careful to make sure you only debug the packets you want) and watch your packets leave the firewall. If they leave the firewall then your problem is most likely not on the firewall.

 
On the Unix box I only have one NIC, with an internal IP address of 192.168.1.5.

Thanks, Mic
 
You need to change your static nat. It's currently set up to translate and allow ssh to the inside interface of the Pix (which won't work that way, anyway), not to the Unix server.

The "ssh" statements pertain only to ssh access _to_ the Pix, not _through_ it.
 
Is it not possible to have an ssh connection to the UNIX box, or do I need to add something to nat?

Thanks, Mic
 
You need to translate a public IP address to your internal Unix system's address. There is such a statement in your config:

static (inside,outside) 216.47.250.*** 192.168.1.4 netmask 255.255.255.255 0 0

However, you say that your Unix IP address is 192.168.1.5. Also, your Pix config indicates that its inside address is 192.168.1.4. So what you need instead is:

static (inside,outside) 216.47.250.*** 192.168.1.5 netmask 255.255.255.255 0 0

I'm also assuming that the *** in the static statement is different than the *** in your global statement.

Also, I just noticed the nat 0 and access-list 101. Get rid of the nat 0 line, you're not using it. Also, I'd delete the first line of access-list 101 since it's meaningless when applied to the outside interface.

That's all I see at the moment.
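An added checker (example code, not from the thread or from Cisco) that reads the static, access-list, nat 0 and ssh lines of a PIX 6.x config and reports the three problems raised in this reply, plus the "ssh 0.0.0.0 0.0.0.0 outside" line suggested earlier, which opens management SSH to the PIX itself from any source. The 203.0.113.x and 198.51.100.x addresses are constructed documentation placeholders standing in for the masked *** values.

```python
import re

# Constructed sample mirroring the thread's first config (placeholders for the
# masked public addresses): static points at the PIX inside interface, not the server.
BEFORE = """\
ip address outside 203.0.113.9 255.255.255.248
ip address inside 192.168.1.4 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit tcp host 198.51.100.68 host 203.0.113.10 eq 22
nat (inside) 0 access-list 101
static (inside,outside) 203.0.113.10 192.168.1.4 netmask 255.255.255.255 0 0
access-group 101 in interface outside
ssh 0.0.0.0 0.0.0.0 outside
"""
# The corrected config from the reply: static to the UNIX host, nat 0 removed.
AFTER = BEFORE.replace("192.168.1.4 netmask", "192.168.1.5 netmask") \
              .replace("nat (inside) 0 access-list 101\n", "")

def audit(cfg, server_ip):
    """Return a list of findings for the static / ACL / nat 0 / ssh checks."""
    inside_if, statics, permits, nat0, findings = None, {}, [], [], []
    for line in cfg.splitlines():
        if m := re.match(r"ip address inside (\S+)", line):
            inside_if = m.group(1)
        elif m := re.match(r"static \(inside,outside\) (\S+) (\S+)", line):
            statics[m.group(1)] = m.group(2)          # public -> internal
        elif m := re.match(r"access-list (\S+) permit tcp host \S+ host (\S+) eq (\S+)", line):
            permits.append((m.group(1), m.group(2), m.group(3)))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nat0.append(m.group(1))
        elif line.strip() == "ssh 0.0.0.0 0.0.0.0 outside":
            findings.append("management ssh to the PIX itself is open to any outside source")
    for public, internal in statics.items():
        if internal == inside_if:
            findings.append(f"static {public} maps to the PIX inside interface {inside_if}, not a host")
    for acl, dst, port in permits:
        if dst not in statics:
            findings.append(f"acl {acl} permits port {port} to {dst} but no static translates it")
        elif statics[dst] != server_ip:
            findings.append(f"acl {acl} port {port} to {dst} lands on {statics[dst]}, not {server_ip}")
    for acl in nat0:
        findings.append(f"nat 0 references acl {acl}; remove it if identity NAT is not intended")
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg, "192.168.1.5"))
```

Run against the corrected config, the only remaining finding is the wide-open outside ssh line; restricting it to the vendor's host, as in the original `ssh 63.76.208.0 255.255.255.0 outside`, clears it.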
 
This is my current configuration. Yes, the *** in the static statement is different than the global.

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
hostname xxxxxxx
domain-name xxxxxxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp host 63.67.208.68 host 216.47.250.*** eq 22
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 216.47.250.*** 255.255.255.248
ip address inside 192.168.1.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.1.205-192.168.1.215
pdm history enable
arp timeout 14400
global (outside) 1 216.47.250.***
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.47.250.*** 192.168.1.5 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 216.47.250.*** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet 192.168.1.53 255.255.255.255 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.1.200
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username 3hammer password 3hamACCESS
vpdn enable outside
terminal width 80
Cryptochecksum:413da7758cabd64f6c8076116c074600

My vendor gets an error (ssh_exchange_identification: Connection closed by remote host) when he tries to connect.

Thanks, Mic
 
I've seen this, but I'm not sure. Check the host's /etc/hosts.allow and hosts.deny files, if any.
