
Telnet/SSH Access through PIX to 2509

Packet7
Jun 20, 2003
Anyone want to help a PIX newbie? I have read a few posts, but I am still missing how to enable external access to my home lab (2509) via my PIX. My config is below, and I am running DHCP on the outside (cable modem). E0 on the 2509 is 192.168.1.101 and is running reverse telnet via async 1-8. Corrections, suggestions, mistakes? All welcome... Thanks!

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password REMOVED encrypted
passwd REMOVED encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit icmp any any
access-list telnet permit tcp any any eq telnet
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface telnet 192.168.1.101 telnet netmask 255.255.255.255 0 0
route inside 172.16.0.0 255.255.0.0 192.168.1.101 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:41331281e4da7593a854fcb49d354f46
: end

Rgds,

John Judge
 
First off, don't call your access list anything relating to a specific port/access right like "telnet". Since you can only apply one acl in one direction, it will look weird in the config. Just a basic thought.

Also apply the acl you have created by doing "access-group <acl_name> in interface outside"

Then it will work. But you should consolidate those two acls into the same acl.

Old :
access-list 101 permit icmp any any
access-list telnet permit tcp any any eq telnet

New :
access-list acl_outside permit icmp any any
access-list acl_outside permit tcp any any eq telnet

Also there are some security issues in those two lines, but that we can talk about when you get it working :)

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
Hey Dope,
Thanks for the help! It worked, and I now understand it. Now, can we address the security end of it? What are your thoughts?
Thank you.

Rgds,

John Judge
 
Well, my thoughts are that with an acl stating that "anyone" can access your 2500 you have an issue there, you should at least do an acl that specifies which addresses can access your 2500.

Also I would advise you to use SSH on the 2500 instead of just regular telnet. If this is not an option I would advise you to create a vpn client server on the pix for terminating vpn. That way you can have authentication/encryption of your users trying to gain access, not nearly as risky as just having an open port on the internet to your router.

Jan


Network Systems Engineer
CCNA/CQS/CCSP
 
Hey Jan,

Makes sense and I like the approach. What changes would I make to the ACL? Let's say I was using an SSH connection from 204.128.200.1? Also, I don't think SSH is enabled on my 2509, how would I do that?

Thanks again!

Rgds,

John Judge
 
Hey Jan,
Did a little research, and I think I need an IPSEC IOS image? I used the IOS upgrade tool, and matched my current IOS: 12.3(5). Not sure if they have IPSEC for a "Remote Access Server"?

Thanks.

Rgds,

John Judge
 
Well, for the acl you should do this :

access-list acl_outside permit tcp host 204.128.200.1 host <ip of pix outside> eq 22

This will enable ssh from 204.128.200.1 to the ip address of the pix, so you should change your static as well.

From :
static (inside,outside) tcp interface telnet 192.168.1.101 telnet netmask 255.255.255.255 0 0

To :
static (inside,outside) tcp interface 22 192.168.1.101 22 netmask 255.255.255.255 0 0

Also you could change the last two parameters which indicate how many active sessions and embryonic (half-open) sessions there can be towards that static translation at a time. No need to have 100's allowed at the same time as i see it.

As for SSH on your router, yes you would probably need an ios upgrade, if you paste a "show version" here I can find out for you.

Network Systems Engineer
CCNA/CQS/CCSP
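As an added illustration of the two points made above (an ACL is useless until it is bound with access-group, and a static with "any" source and 0/0 limits exposes cleartext telnet to the whole Internet), here is a small audit script that is not from the thread. It checks a PIX 6.x style config for exactly those issues; the sample "before" text is taken from the config posted above, the "after" text is a constructed version of Jan's suggested fix, with 198.51.100.10 standing in for the PIX outside address and the 5/2 session limits chosen arbitrarily.

```python
# Constructed sample: the exposure-relevant lines from the posted PIX 6.2 config.
BEFORE = """\
access-list 101 permit icmp any any
access-list telnet permit tcp any any eq telnet
static (inside,outside) tcp interface telnet 192.168.1.101 telnet netmask 255.255.255.255 0 0
"""
# Constructed sample: the same lines after applying the advice in the replies.
# 198.51.100.10 is a placeholder for the PIX outside IP; 5/2 are assumed limits.
AFTER = """\
access-list acl_outside permit icmp any any
access-list acl_outside permit tcp host 204.128.200.1 host 198.51.100.10 eq 22
access-group acl_outside in interface outside
static (inside,outside) tcp interface 22 192.168.1.101 22 netmask 255.255.255.255 5 2
"""

def audit_pix(config: str) -> list:
    """Return a list of findings about inbound exposure in a PIX 6.x config."""
    acls, applied, statics = {}, set(), []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            acls.setdefault(tok[1], []).append(tok[2:])
        elif tok[0] == "access-group":
            applied.add(tok[1])
        elif tok[0] == "static" and len(tok) >= 11 and tok[2] in ("tcp", "udp"):
            statics.append(tok)
    findings = []
    for name, rules in acls.items():
        if name not in applied:
            findings.append(f"ACL {name} is defined but never applied with access-group")
        for rule in rules:
            # rule = [permit|deny, proto, src..., dst..., [eq port]]; an "any" source
            # on a tcp/udp permit opens the port to the Internet. ICMP any/any is
            # left alone here, as in the thread's suggested ACL.
            if rule[0] == "permit" and rule[1] != "icmp" and rule[2] == "any":
                findings.append(f"ACL {name}: permit {rule[1]} from any source")
    for tok in statics:
        # static (in,out) proto <gif> <gport> <lip> <lport> netmask <mask> <max_conns> <emb_limit>
        gport, lip, lport, max_conns, emb = tok[4], tok[5], tok[6], tok[9], tok[10]
        if lport in ("telnet", "23"):
            findings.append(f"static to {lip}: cleartext telnet exposed on outside port {gport}")
        if max_conns == "0" or emb == "0":
            findings.append(f"static to {lip}: max_conns={max_conns} emb_limit={emb} (0 = unlimited)")
    return findings

if __name__ == "__main__":
    for label, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, audit_pix(cfg) or ["no findings"])
```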
 
Just checked CCO, you should not need to upgrade, ssh has been available on ios for quite some time, SSHv2 is just implemented in 12.3, probably what you found, this would be desirable, but if you can't find the memory or flash for a new ios, just use the old SSHv1 for the job.

CCO States :

Note: SSH is supported on DES (56-bit) and 3DES (168-bit) data encryption software images only. In DES software images, DES is the only encryption algorithm available. In 3DES software images, both DES and 3DES encryption algorithms are available.

So yes you need a new featureset with des or 3des support for it to work.

As for config examples, just do a search for "SSH on ios" on the frontpage.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 