
SSH / PDM on the Outside Interface


enacht

Technical User
Jun 3, 2003
19
CH
Dear Experts,

After studying several newsgroups and searching the forum here, I still haven't found an answer to what I'm looking for.

Having had bad experiences with other firewalls in the past, we switched to a PIX 515E. The bad experience was that the non-PIX firewalls sometimes became unresponsive on the LAN (inside) port and had to be rebooted remotely, since access to the colocation facility isn't possible 24/7 (or only at a very high cost).

I've been trying to find a way to be able to SSH to the PIX from remote, or access PDM from remote.

I've created the rules and everything, I think, but I still don't get an SSH or PDM connection to the PIX. Thus I'm wondering if it's possible at all to connect via SSH to the outside port of the PIX (PDM is not really necessary).

I can't paste the rules at the moment, since I'm at home and can't access the PIX currently (due to lacking SSH access ;)).

Any ideas on this would be greatly appreciated.

Emanuel


--
the router thought it was a printer
 
Yes, it is possible to SSH or PDM to the outside interface with the following commands:
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
http xxx.xxx.xxx.xxx 255.255.255.255 outside
(where the x's are the IP of your workstation)

Also, be sure you have a key generated on the PIX, or else the above commands will not work. Do a "ca sh mypubkey rsa". If you don't get anything back, the following commands will generate a key on the PIX:
ca generate rsa key 1024
ca save all
 
To SSH, give the following commands on the PIX:

1. ssh 0.0.0.0 0.0.0.0 outside
2. ca generate rsa key 1024
3. domain-name name
4. ca save all

To see the RSA keys generated on the PIX, give this command:

show ca mypubkey rsa

 
Thanks a lot, I'll get it done ASAP :)
emanuel

--
the router thought it was a printer
 
I did as you mentioned above for the remote access through SSH. Still, when I try to SSH to the outside interface IP, I get a "connection refused".

I did the following:

- generated the CA, pasted it to ~/.ssh/known_hosts on a box on the DMZ interface
- SSH to the DMZ interface works, I can get in

- added the CA to ~/.ssh/known_hosts on a box on the OUTSIDE interface (different network, office location)
- on the pix: ssh xxx.xxx.90.29 255.255.255.255 outside
- on the box on the outside interface
ssh xxx.xxx.222.186 -cDES -lpix

I get

ssh: connect to address xxx.xxx.222.186 port 22: Connection refused

I also tried ssh 0.0.0.0 0.0.0.0 outside

Same game, a no-go. Am I missing something here?

Thanks in advance

Emanuel

--
the router thought it was a printer
 
I would check the SSH version on the outside box... Make sure it can do SSH version 1 and not just version 2. The PIX only supports SSH version 1.
 
Yup, checked that, it does support SSH version 1.
Tried it also with PuTTY, TeraTerm, SecureCRT, a couple of different SSH clients.

It's just weird that I get a connection refused almost instantly, not like the connection gets established and then the PIX closes the connection.

I also did it "by the book", same game, a no-go. Is it version dependent to allow SSH connections on the outside interface? Current version is 6.1(x).

Emanuel


--
the router thought it was a printer
 
I've tried to do this with telnet, never got it to work either.

BuckWeet
 
HI.

Keep trying.
SSH works for me on several pix devices with no problem.

Look at the "sh ver" of the pix - do you have DES enabled?
Did you follow the post of "rhanda" above? Did you get any error message at the pix?

> xxx.xxx.222.186
Is that the address of the pix outside interface?
Is this same ip used also for "static" ?

Use syslog messages at the pix - do you get any related message?



Yizhar Hurwitz
 
Hello yizhar


I followed what rhanda posted above 1:1.

sh ver states:
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
ISAKMP peers: Unlimited

- xxx.xxx.222.186 is the outside interface
- this IP isn't used in any static statement. Do I need to add a static statement like

static (outside,outside) 0.0.0.0 xxx.xxx.222.186 netmask 255.255.255.255 0 0

I'm not too sure, and since the firewall is running live now I don't want to do any experiments and fubar the config ;)

thanks in advance

Emanuel



--
the router thought it was a printer
 
hello yizhar

The only message in syslog I get is:

Jun 23 13:10:29 xxx.xxx.xxx.xxx %PIX-6-302001: Built inbound TCP connection 6919583 for faddr xxx.xxx.xxx.29/58313 gaddr xxx.xxx.222.186/22 laddr 192.168.0.2/22

and the only record i have with 192.168.0.2 is:
static (inside,outside) interface 192.168.0.2 netmask 255.255.255.255 0 0

and well, nothing happens until the connection times out.


debug ssh doesn't show anything.

Maybe this helps clear up this problem?

Regards

Emanuel

--
the router thought it was a printer
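The syslog line quoted in the post above is the diagnostic clue in this thread: an inbound connection to the outside address on port 22 is logged with laddr 192.168.0.2, i.e. it was translated to the inside host by the `static (inside,outside) interface 192.168.0.2` line rather than terminating on the PIX itself. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses a PIX config excerpt for statics that claim an interface address, parses %PIX-6-302001 lines (with or without the leading `%`, since both forms appear in the thread), and reports connections aimed at the firewall's own outside address that ended up on an internal host. All addresses are constructed placeholders, and the function names (`interface_statics`, `parse_302001`, `diagnose`) are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed config excerpt modelled on the lines quoted in the thread.
# Addresses are documentation-range placeholders, not the poster's real ones.
OUTSIDE_IP = "198.51.100.1"
PIX_CONFIG = """\
ssh 0.0.0.0 0.0.0.0 outside
ssh 203.0.113.0 255.255.255.0 DMZ
ssh timeout 60
static (inside,outside) interface 192.168.0.2 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any any eq 22
"""

# Constructed syslog lines in the %PIX-6-302001 format seen in the thread.
# Line 1: SSH to the outside IP lands on 192.168.0.2 (the problem).
# Line 2: same thing on 443, logged without the leading '%' as in one post.
# Line 3: a connection to a different public address, not the firewall's own.
SYSLOG = """\
Jun 23 13:10:29 198.51.100.1 %PIX-6-302001: Built inbound TCP connection 6919583 for faddr 192.0.2.29/58313 gaddr 198.51.100.1/22 laddr 192.168.0.2/22
Jun 23 13:12:02 198.51.100.1 PIX-6-302001: Built inbound TCP connection 6919590 for faddr 192.0.2.29/58320 gaddr 198.51.100.1/443 laddr 192.168.0.2/443
Jun 23 13:15:40 198.51.100.1 %PIX-6-302001: Built inbound TCP connection 6919601 for faddr 192.0.2.29/58331 gaddr 198.51.100.7/22 laddr 203.0.113.10/22
"""

# 'static (real_if,mapped_if) interface <real_host> ...' maps every port of the
# mapped interface's own address to <real_host>.
STATIC_IFACE_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) interface "
    r"(?P<real_host>\d+\.\d+\.\d+\.\d+)"
)
CONN_RE = re.compile(
    r"%?PIX-6-302001: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<conn_id>\d+) for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    conn_id: int
    faddr: str
    gport: int
    laddr: str
    lport: int
    cause: str


def interface_statics(config: str) -> List[Tuple[str, str, str]]:
    """Return (real_if, mapped_if, real_host) for each static using the 'interface' keyword."""
    found = []
    for line in config.splitlines():
        m = STATIC_IFACE_RE.match(line.strip())
        if m:
            found.append((m["real_if"], m["mapped_if"], m["real_host"]))
    return found


def parse_302001(line: str) -> Optional[dict]:
    """Parse one 302001 'Built ... TCP connection' line into a dict, or None if it is not one."""
    m = CONN_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("conn_id", "fport", "gport", "lport"):
        fields[key] = int(fields[key])
    return fields


def diagnose(config: str, syslog: str, outside_ip: str) -> List[Finding]:
    """Flag inbound connections to the firewall's own outside address that were
    translated to an internal host instead of terminating on the PIX."""
    hijacking_hosts = {
        host for _real_if, mapped_if, host in interface_statics(config) if mapped_if == "outside"
    }
    findings = []
    for line in syslog.splitlines():
        conn = parse_302001(line)
        if conn is None or conn["direction"] != "inbound":
            continue
        # Only connections addressed to the PIX's own outside IP are of interest,
        # and only when the local side is some other host.
        if conn["gaddr"] != outside_ip or conn["laddr"] == outside_ip:
            continue
        if conn["laddr"] in hijacking_hosts:
            cause = (f"static (inside,outside) interface {conn['laddr']} maps every port of "
                     f"{outside_ip} to that host, so the PIX never sees the connection as its own")
        else:
            cause = "translated to an internal host by some other static/nat rule"
        findings.append(Finding(conn["conn_id"], conn["faddr"], conn["gport"],
                                conn["laddr"], conn["lport"], cause))
    return findings


if __name__ == "__main__":
    for f in diagnose(PIX_CONFIG, SYSLOG, OUTSIDE_IP):
        print(f"conn {f.conn_id}: {f.faddr} -> {OUTSIDE_IP}/{f.gport} ended on "
              f"{f.laddr}/{f.lport}: {f.cause}")
```

Run against a real config and log, the third syslog line is the control case: a connection to some other public address is expected to be translated and is not reported, while any hit on the outside interface address that does not stay on the PIX points straight at the static that needs to go (or at a port-specific static if one was intended).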
 
Well, you're missing a pretty important point here:

By default on PIX versions 5.3 and later, everything is denied.

If you want to connect to the PIX's outside interface, take out that static line.

Then, explicitly ALLOW ssh access to the external IP of the pix with an access list...otherwise, your connection is going to keep getting denied.

Also, do a "ssh timeout somenumberabove1" command so that your connection isn't sitting there open forever.
 
Okay, I removed that line, write mem.

Since I need SSH access from outside to the DMZ, I have an access-list that reads:

access-list outside_access_in permit tcp any any eq 22

So I've added another ACL for the outside interface:

access-list outside_outside permit tcp any host xxx.xxx.222.186 eq 22

show access-list shows a hit count of 0 for this ACL, though.

"any" for now, to be tightened down once I get this thing working.

But still a no-go. I bet I'm getting on your nerves by now and you'd love to scream "get an expert to do it" :(


and the syslog still says the same
Jun 24 10:47:42 xxx.xxx.xxx.xxx PIX-6-302001: Built inbound TCP connection 7389458 for faddr xxx.xxx.90.29/34487 gaddr xxx.xxx.222.186/22 laddr 192.168.0.2/22

This is driving me nuts, slowly but surely :/

I can post the whole config of the PIX if this would help.

Thanks

emanuel

--
the router thought it was a printer
 
 
Well, what you're saying you now want to do is completely different than what you posted in your original message.

In your original message you said/implied that you wanted to SSH to the PIX itself. Tell me something, are you actually wanting to SSH to the PIX itself or to a machine in its DMZ?

If you are ssh'ing to a machine in the DMZ, you need more than 2 lines. At minimum, you need:

1. a static line mapping the DMZ host to an external host
2. an access-list allowing ssh access to that public ip address from any host
3. an access-list allowing ssh access to 192.168.0.2 from any host

After you have these 3 rules, you can tighten it down further from there after you know it's working.

If this is a unix/linux host, you need to make sure that you have tcpwrappers set up to allow you to ssh in...otherwise, all the tinkering in the world with this firewall isn't going to do a bit of good.

I encourage you to be specific on what you are trying to do in the future. If you want to SSH to a host on the other side of the firewall, SAY that. Don't say you're trying to ssh to the PIX...because that's NOT what you're trying to do.

Also, don't do all that junk with the .ssh whatever. Just try to ssh to pix@whateverhost and see if it works. It should ask you if you want to save the key automatically, and if you choose yes, it will.
 
all I need is SSH to the PIX itself, nothing less nothing more.

Sorry if I was unclear about it in the previous post. It's just that it's driving me nuts. I've been doing everything that has been proposed here, I've been doing it according to the manual, and all I get is a connection timed out/refused.


Emanuel

--
the router thought it was a printer
 
Is there a chance you're trying to SSH from a Linux machine, one that was built not too long ago? The reason I ask is some flavors of Linux (RedHat is one of them) will not allow version 1 with anything less than 3DES. I had this problem at one of my sites to discover their firewall didn't have 3DES enabled (as yours doesn't from the 'show ver' above). If I SSH'd in from the PuTTY Windows client, it worked fine, but Linux was a no-go.

Upgrading the firewall to 3DES fixed it up. Have you tried SSHing from something other than your current host?
 
I've tried SSH from different RedHat boxes, as well as from Windows through SecureCRT and PuTTY, always with the same result: Connection Timed Out.

The log always says the same when the connection gets established, something along the lines of:

Built inbound TCP connection 7389458 for faddr source_ip/34487 gaddr pix_outside_interface_ip/22 laddr 192.168.0.2/22


Under SSH I have the following in the config:

ssh 0.0.0.0 0.0.0.0 outside
ssh xxx.xxx.222.0 255.255.255.0 DMZ
ssh timeout 60

Still works fine from the DMZ, not from outside.

Emanuel

--
the router thought it was a printer
 