SSH Connections

Status
Not open for further replies.

iceman84

Technical User
Sep 6, 2006
5
US
My SSH certificate recently expired and I can no longer access my host on demand site. I installed the new certificate but I am still unable to connect. I believe my PIX is configured correctly but I am not sure.

Here is the config; any ideas will be helpful:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name xxx.xx.xx.xx Mainframe
name 10.0.0.0 PCI
access-list inside_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip 192.168.168.0 255.255.255.0 PCI 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.168.0 255.255.255.0 PCI 255.255.255.0
access-list 101 permit ip 192.168.168.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list 101 permit ip any 172.17.2.0 255.255.255.0
access-list 102 permit tcp any host 172.17.1.87
access-list 102 permit icmp any any
access-list outside_cryptomap_dyn_30 permit ip any 172.17.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.17.2.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered debugging
logging history debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xx.xx.xx 255.255.255.0
ip address inside 192.168.168.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pcivpn 172.17.2.1-172.17.2.255
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location Mainframe 255.255.255.255 outside
pdm location PCI 255.255.255.0 outside
pdm location 192.168.168.0 255.255.255.0 inside
pdm location 172.17.2.0 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.168.0 255.255.255.0 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 199.34.64.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.168.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local pcivpn outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup pci1 address-pool pcivpn
vpngroup pci1 dns-server xxx.xx.xx.xx
vpngroup pci1 default-domain atchleysystems.com
vpngroup pci1 split-tunnel 101
vpngroup pci1 idle-time 1800
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.168.110-192.168.168.141 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xx.xxx.xx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
 
Make sure these lines are in there:

ssh 0.0.0.0 0.0.0.0 outside (allows outside access)
ssh 192.168.168.0 255.255.255.0 inside (allows inside access)
ssh version 2 (tells it what version - 2 is better)

Also, depending on the version, you need to save your certificate.
Version 6.x
ca generate rsa key key_modulus_size
ca save all

Version 7.x
crypto key generate rsa modulus modulus_size
wri mem


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I posted the question with incorrect information. We are using SSL to the mainframe, not SSH.
 
OK, that's different.
You will need a static pointing to your mainframe's IP and allow port 443 in through the inbound access list.

static (inside,outside) tcp [ExternalIP] 443 [InternalIP] 443 netmask 255.255.255.255

access-list 102 permit tcp any host [ExternalIP] eq 443


Brent
Systems Engineer / Consultant
CCNP, CCSP
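Both of Brent's replies come down to "confirm these lines are present": the ssh access lines plus ssh version 2 in the first, and the port-443 static plus matching inbound ACL entry in the second. The script below is an added example (not code from this thread or from Cisco) that reads a PIX 6.x-style configuration and reports exactly those gaps, so the check can be repeated after every change instead of eyeballed. The two config excerpts are constructed: BEFORE_CONFIG mirrors the relevant lines of the posted config, AFTER_CONFIG adds the recommended lines with placeholder addresses (203.0.113.10 and 192.168.168.50 are assumptions, not the poster's). It also flags the existing "access-list 102 permit tcp any host 172.17.1.87" entry, which opens every TCP port to that host rather than just the one needed.

```python
"""Static checks over a Cisco PIX 6.x-style configuration for the two things the
thread discusses: which interfaces allow SSH management access (and whether
version 2 is pinned), and whether an inbound TCP service such as HTTPS/443 has
both its static translation and a matching entry in the ACL applied inbound on
the outside interface. Added example; the excerpts below are constructed."""

# Constructed excerpt modelled on the posted config: SSH only from inside,
# no ssh version pinned, ACL 102 applied inbound on the outside interface.
BEFORE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 102 permit tcp any host 172.17.1.87
access-list 102 permit icmp any any
access-group 102 in interface outside
ssh 192.168.168.0 255.255.255.0 inside
ssh timeout 5
"""

# Same excerpt plus the lines the replies recommend (addresses are assumptions).
AFTER_CONFIG = BEFORE_CONFIG + """\
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
static (inside,outside) tcp 203.0.113.10 443 192.168.168.50 443 netmask 255.255.255.255 0 0
access-list 102 permit tcp any host 203.0.113.10 eq 443
"""

# Port keywords PIX accepts in place of the number, for the ports checked here.
PORT_NAMES = {"443": "https", "80": "www", "22": "ssh"}


def parse_config(text):
    """Split a config into token lists, dropping blank lines and '!' comments."""
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def check_ssh_access(text):
    """Collect 'ssh <net> <mask> <iface>' lines and the 'ssh version' setting."""
    interfaces, version = set(), None
    for t in parse_config(text):
        if t[0] != "ssh":
            continue
        if len(t) == 3 and t[1] == "version":
            version = t[2]
        elif len(t) == 4 and t[1] != "timeout":  # ssh <net> <mask> <iface>
            interfaces.add(t[3])
    findings = []
    if "outside" not in interfaces:
        findings.append("no 'ssh <net> <mask> outside' line: SSH from outside is refused")
    if version != "2":
        findings.append("'ssh version 2' not set: SSH version is not pinned to 2")
    return {"interfaces": sorted(interfaces), "version": version, "findings": findings}


def check_inbound_service(text, port="443"):
    """Check that tcp/<port> has a static and is permitted by the outside inbound ACL."""
    tokens = parse_config(text)
    # access-group <acl> in interface outside
    acl = next((t[1] for t in tokens if t[0] == "access-group" and len(t) >= 5
                and t[2] == "in" and t[4] == "outside"), None)
    # static (inside,outside) tcp <ext_ip> <port> <int_ip> <port> ...
    statics = [(t[3], t[5]) for t in tokens
               if t[0] == "static" and len(t) >= 7 and t[2] == "tcp" and t[4] == port]
    permitted, broad = [], []
    for t in tokens:
        if not (t[0] == "access-list" and t[1] == acl and t[2:4] == ["permit", "tcp"]):
            continue
        if "host" not in t:
            continue
        host = t[t.index("host") + 1]
        if "eq" in t:
            if t[t.index("eq") + 1] in (port, PORT_NAMES.get(port)):
                permitted.append(host)
        else:
            broad.append(host)  # 'permit tcp any host X' with no port: every TCP port
    findings = []
    if acl is None:
        findings.append("no access-group applied inbound on outside")
    if not statics:
        findings.append(f"no static translation for tcp/{port}")
    for ext, _ in statics:
        if ext not in permitted:
            findings.append(f"static for {ext} tcp/{port} has no permit in ACL {acl}")
    for host in broad:
        findings.append(f"ACL {acl} permits every TCP port to host {host}; narrow with 'eq <port>'")
    return {"acl": acl, "statics": statics, "permitted": permitted, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"== {label} ==")
        for f in check_ssh_access(cfg)["findings"] + check_inbound_service(cfg)["findings"]:
            print("  -", f)
```

Run it against a saved "show run" instead of the constructed strings to get the same report for a real box; the only parsing assumption is the PIX 6.x token order for the ssh, static, access-list and access-group lines shown in the thread.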
 