SSH Overview
SSH is a client program that allows a user to establish a secure terminal session with a remote host that is running the SSH server (or daemon) program. Other programs that provide a terminal session capability, like the telnet utility, transfer information across an IP network connection as raw ASCII. If that ASCII traffic is intercepted by someone on the network (perhaps using a network sniffer), that person can read both what was entered and the telnet server's response. The SSH client and the SSH server establish a secure connection between the computers running them; if the data is intercepted it cannot be easily read or deciphered.
SSH & the Cisco PIX Firewall
The PIX Firewall includes an SSH server in the operating system. The PIX does not include an SSH client, so SSH connections cannot be originated from the PIX. Users wishing to securely manage the firewall need to acquire and configure an SSH client program for their computer. The SSH server included in the PIX operating system exists to provide a secure management connection to the firewall.
The PIX SSH server capability was not developed as a multi-user SSH server for secure remote connectivity to a network. No matter which model of PIX Firewall is in use, it is not recommended that more than 5 users connect to the PIX via SSH at one time. Building and maintaining multiple SSH connections to the PIX is processor intensive and will affect the performance of the firewall.
Configuring SSH on the Cisco PIX Firewall
The following describes the steps necessary to configure a PIX Firewall to accept SSH connections. Cisco PIX operating system version 6.3 on a PIX model 501 Firewall was used to generate the commands below. This configuration has been tested on various models and on software version 6.x of the PIX Firewall. In order to access the PIX via SSH, the PIX must first have a valid RSA key pair. Several PIX models ship with what is known as a plug and play configuration, where the PIX has been pre-configured so that the outside interface retrieves an IP address from a DHCP server and the inside interface serves IP addresses to connected computers running DHCP. PIX Firewalls that come with the plug and play configuration already have a pre-generated RSA key pair.
changed, you must remove the existing RSA key pair and generate new keys. To remove the existing RSA key pair, use the PIX “ca zeroize rsa” command. The “ca” in the command is short for “certificate authority”, and the command must be executed from the PIX configuration prompt. This command clears the existing RSA key pair from the flash memory of the PIX.
fw501(config)# ca zeroize rsa
To generate a new RSA key pair for the PIX use the “ca generate RSA key <key-size>” command.
fw501(config)# ca generate rsa key 512
Keypair generation process begin.
.Success.
fw501(config)#
It takes a few moments for the PIX to generate the RSA key pair. The wait depends on the PIX model and selected key size. The larger the key, the longer it takes to generate. RSA key size can range from 512 to 2048 bits. For more information about RSA key sizes see:
http://www.rsasecurity.com/rsalabs/faq/3-1-5.html.
To view the PIX RSA key pair use the “show ca mypubkey rsa” command.
fw501# show ca mypubkey rsa
% Key pair was generated at: 12:39:14 UTC May 17 2003
Key name: fw501.cisco.com
Usage: General Purpose Key
Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c41d33 4b9e943a
3b23d2e5 b6f2dd54 3b57b9bf abef8a85 022de3bc 4c462630 442e331e e6e05d88
After the RSA key pair has been successfully generated it needs to be written to the PIX flash memory. Note that the “ca save all” command used to do this must be executed from the configuration mode prompt.
fw501(config)# ca save all
fw501(config)#
Again, the time it takes this command to complete the key save depends on the model of PIX Firewall and the size of the key pair that was generated.
The next step in configuring SSH access to the PIX Firewall is to identify hosts that will be allowed to connect, and the interface that SSH connections will be accepted on.
fw501(config)# ssh 192.168.1.1 255.255.255.0 inside
Note: The PIX v6.3 documentation states that if you do not use the default mask (255.255.255.255) you need to use the keyword "netmask". Using PIX OS v6.3 I found this keyword was not needed.
In the example above SSH was configured for use on the inside, or trusted, interface of the PIX Firewall. SSH can be configured on any PIX Firewall interface. It is important that the network address and mask used in this command are accurate: they define exactly which hosts may open a management session. In the example above an SSH connection will be accepted from any host (1-254) on the 192.168.1.x network. You could permit any IP address by changing the mask to 0.0.0.0.
The last step in configuring the PIX for SSH access is defining the SSH idle timeout. By default this value is set to 5 minutes.
fw501(config)# ssh timeout 15
The commands entered to build this configuration are shown below.
fw501(config)#hostname fw501
fw501(config)#domain-name cisco.com
fw501(config)#interface ethernet0 10baset
fw501(config)#interface ethernet1 100full
fw501(config)#nameif ethernet1 inside security100
fw501(config)#ip address outside dhcp setroute
fw501(config)#ip address inside 192.168.1.1 255.255.255.0
fw501(config)#global (outside) 1 interface
fw501(config)#nat (inside) 1 0 0 0 0
fw501(config)#dhcpd address 192.168.1.2-192.168.1.33 inside
fw501(config)#dhcpd lease 3600
fw501(config)#dhcpd ping_timeout 750
fw501(config)#dhcpd auto_config outside
fw501(config)#dhcpd enable inside
fw501(config)#ca zeroize rsa
fw501(config)#ca generate rsa key 512
Keypair generation process begin.
.Success.
fw501(config)#ca save all
fw501(config)#ssh 192.168.1.0 255.255.255.0 inside
fw501(config)#ssh timeout 15
fw501(config)#
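As an added example (not part of the original article), the following Python audits the SSH-related lines of a PIX 6.x configuration like the one above: it parses the “ssh” and “telnet” access rules and the “ssh timeout”, answers whether a given client address is permitted on an interface, and flags any-source SSH rules and cleartext telnet management access. The embedded sample configuration is constructed for the example.

```python
import ipaddress
import re

# Constructed sample modelled on the SSH-related lines of a PIX 6.x
# configuration (it is not the article's own listing).
SAMPLE_CONFIG = """\
hostname fw501
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACCESS = re.compile(rf"^(ssh|telnet) {IPV4} {IPV4} (\S+)$")
SSH_TIMEOUT = re.compile(r"^ssh timeout (\d+)$")

def parse_access(config):
    """Return (rules, ssh_timeout); rules are (protocol, network, interface)."""
    rules, ssh_timeout = [], 5  # 5 minutes is the PIX default idle timeout
    for line in config.splitlines():
        line = line.strip()
        m = ACCESS.match(line)
        if m:
            # strict=False: a host address with a /24 mask (as in the article's
            # "ssh 192.168.1.1 255.255.255.0 inside") describes its whole network
            net = ipaddress.IPv4Network((m.group(2), m.group(3)), strict=False)
            rules.append((m.group(1), net, m.group(4)))
            continue
        m = SSH_TIMEOUT.match(line)
        if m:
            ssh_timeout = int(m.group(1))
    return rules, ssh_timeout

def client_allowed(rules, client_ip, interface):
    """True if an SSH client at client_ip is permitted on the named interface."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(proto == "ssh" and iface == interface and ip in net
               for proto, net, iface in rules)

def audit(config):
    """Flag any-source SSH rules and cleartext telnet management access."""
    findings = []
    for proto, net, iface in parse_access(config)[0]:
        if proto == "telnet":
            findings.append(f"cleartext telnet management access on {iface}")
        elif net.prefixlen == 0:
            findings.append(f"ssh rule on {iface} accepts any source address")
    return findings
```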
The following demonstrates how to connect to the PIX from a computer running OpenSSH (http://www.openssh.org), a Linux-based open source implementation of the SSH client. The default username used to connect to the PIX is “pix” and the default password is “Cisco”. Using OpenSSH from the Linux command line, the SSH session will default to the username of the logged-in user (in my example “brian”) unless you use the “-l” argument.
[brian@brfordnix brian]$ ssh 192.168.1.1 -l pix
pix@192.168.1.1's password:
Warning: Remote host denied X11 forwarding
Type help or '?' for a list of available commands
fw501>
fw501> en
Password: ********
fw501# show ssh
192.168.1.1 255.255.255.0 inside
fw501#
terminal from the PIX CLI).
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname fw501
domain-name ohbrian.net
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:0350x0dbf94x0106f05x53615ccc371a
: end
[OK]
Brian Ford can be reached via Email at [email protected]
“PIX” and “PIX Firewall” are trademarks belonging to Cisco Systems, Inc. See http://www.cisco.com/go/pix for further information.
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-sa/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.