SSH Overview

SSH is a client program that allows a user to establish a secure terminal session with a remote host that is running the SSH server (or daemon) program. Other programs that provide a terminal session capability, like the telnet utility, transfer information across an IP network connection in raw ASCII. In this format, if the data is intercepted by someone on that network (perhaps using a network sniffer), that person can read both what was entered and the telnet server's response. SSH and the SSH server establish a secure connection between the computers running the SSH programs; if the data is intercepted it cannot be easily read or deciphered.

SSH & the Cisco PIX Firewall

The PIX Firewall includes an SSH server in the operating system. The PIX does not include an SSH client, so SSH connections cannot be originated from the PIX. Users wishing to securely manage the Firewall need to acquire and configure an SSH client program for their computer.

The SSH server included in the PIX operating system is there to provide a secure management connection to the firewall. The PIX SSH server capability was not developed as a multi-user SSH server for secure remote connectivity to a network. No matter which model of PIX Firewall is in use, it is not recommended that more than 5 users connect to the PIX via SSH at one time. Building and maintaining multiple SSH connections to the PIX is processor intensive and will affect the performance of the Firewall.

Configuring SSH on the Cisco PIX Firewall

The following describes the steps necessary to configure a PIX Firewall to accept SSH connections. Cisco PIX operating system version 6.3 on a PIX model 501 Firewall was used to generate the commands below. This configuration has been tested on various models and 6.x software versions of the PIX Firewall.

In order to access the PIX via SSH the PIX must first have an accurate RSA key pair.
Several PIX models ship with what is known as a plug and play configuration, where the PIX has been pre-configured so that the outside interface retrieves an IP address from a DHCP server and the inside interface serves IP addresses to connected computers running DHCP. PIX Firewalls that come pre-configured with the plug and play configuration already have a pregenerated RSA key pair. If the device name or the network domain name in the PIX configuration has changed you must remove the existing RSA key pair and generate new keys.

In order to remove the existing RSA key pair use the PIX ca zeroize rsa command. The ca in the command is short for certificate authority, and the command must be executed from the PIX configuration prompt. This command clears the existing RSA key pair from the flash memory of the PIX.

    ca zeroize rsa

To generate a new RSA key pair for the PIX use the ca generate rsa key <keysize> command.

    ca generate rsa key 512
    Keypair generation process begin..success.

It takes a few moments for the PIX to generate the RSA key pair. The wait depends on the PIX model and the selected key size: the larger the key, the longer it takes to generate. RSA key size can range from 512 to 2048 bits. For more information about RSA key sizes see: http://www.rsasecurity.com/rsalabs/faq/3-1-5.html.

To view the PIX RSA key pair use the show ca mypubkey rsa command.

    fw501# show ca mypubkey rsa
    % Key pair was generated at: 12:39:14 UTC May 17 2003
    Key name: fw501.cisco.com
     Usage: General Purpose Key
     Key Data:
      305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c41d33 4b9e943a
      3b23d2e5 b6f2dd54 3b57b9bf abef8a85 022de3bc 4c462630 442e331e e6e05d88
      cf6ea5a0 4d09252a 39566bdc 96cd970e f2051ea2 6ca393dd 1f020301 0001
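The Key Data that show ca mypubkey rsa prints is a DER-encoded SubjectPublicKeyInfo, so the modulus size the PIX actually generated can be read back from it. The following is an added example, not code from the article: a small TLV reader that decodes the article's own 512-bit key and reports modulus bits and exponent; the 1024-bit floor in key_meets_minimum is this example's assumption, not a PIX setting.

```python
# Added example (not from the article): decode the "Key Data" hex that the PIX
# prints for "show ca mypubkey rsa" to recover the RSA modulus size and public
# exponent, confirming what "ca generate rsa key <keysize>" really produced.
# The hex is the 512-bit key from the article's own output; the Key Data is a
# DER SubjectPublicKeyInfo, so a small hand-written TLV reader is enough.

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

PIX_KEY_DATA = """
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c41d33 4b9e943a
3b23d2e5 b6f2dd54 3b57b9bf abef8a85 022de3bc 4c462630 442e331e e6e05d88
cf6ea5a0 4d09252a 39566bdc 96cd970e f2051ea2 6ca393dd 1f020301 0001
"""

def _tlv(buf, pos, want=None):
    """Read one DER tag-length-value at pos; return (value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if want is not None and tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, found 0x{tag:02x}")
    return buf[pos:pos + length], pos + length

def parse_pix_rsa_key(hex_text):
    """Return (modulus_bits, public_exponent) from PIX 'Key Data' hex."""
    der = bytes.fromhex("".join(hex_text.split()))
    spki, _ = _tlv(der, 0, 0x30)            # SubjectPublicKeyInfo SEQUENCE
    alg, pos = _tlv(spki, 0, 0x30)          # AlgorithmIdentifier
    oid, _ = _tlv(alg, 0, 0x06)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("key is not rsaEncryption")
    bitstr, _ = _tlv(spki, pos, 0x03)       # BIT STRING wrapping RSAPublicKey
    rsakey, _ = _tlv(bitstr[1:], 0, 0x30)   # skip the unused-bits octet
    n, pos = _tlv(rsakey, 0, 0x02)          # INTEGER modulus (leading 0x00 ok)
    e, _ = _tlv(rsakey, pos, 0x02)          # INTEGER public exponent
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")

def key_meets_minimum(hex_text, minimum_bits=1024):
    """True if the modulus is at least minimum_bits (1024 is this example's
    assumed floor; 512-bit RSA moduli have been publicly factored)."""
    return parse_pix_rsa_key(hex_text)[0] >= minimum_bits

if __name__ == "__main__":
    bits, e = parse_pix_rsa_key(PIX_KEY_DATA)
    print(f"modulus {bits} bits, exponent {e}, "
          f"{'meets' if key_meets_minimum(PIX_KEY_DATA) else 'below'} minimum")
```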
After the RSA key pair has been successfully generated it needs to be written to the PIX flash memory system. Note that the ca save all command must be executed from the configuration mode prompt.

    ca save all

Again, the time it takes this command to complete the key save depends on the model of PIX Firewall and the size of the key pair that was generated.

The next step in configuring SSH access to the PIX Firewall is to identify the hosts that will be allowed to connect, and the interface on which SSH connections will be accepted.

    ssh 192.168.1.1 255.255.255.0 inside

Note: The PIX v6.3 documentation states that if you do not use the default mask (255.255.255.255) you need to use the keyword "netmask". Using PIX OS v6.3 I found this keyword was not needed.

In the example above SSH was configured for use on the inside, or trusted, interface of the PIX Firewall. SSH can be configured on any PIX Firewall interface. It is important that the network address and mask used in this command are accurate. In the example above an SSH connection will be accepted from any host (1-254) on the 192.168.1.x network. You could allow any IP address by changing the mask to 0.0.0.0.

The last step in configuring the PIX for SSH access is defining the SSH idle timeout. By default this value is set to 5 minutes.

    ssh timeout 15

The commands entered to build this configuration are shown below.

    hostname fw501
    domain-name cisco.com
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 1 0 0 0 0
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    ca zeroize rsa
    ca generate rsa key 512
    Keypair generation process begin..success.
    ca save all
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 15

The following demonstrates how to connect to the PIX from a computer running OpenSSH (http://www.openssh.org), a Linux based open source implementation of the SSH client. The default username used to connect to the PIX is pix and the default password is Cisco. Using OpenSSH from the Linux command line the SSH session will default to the username of the logged in user (in my example, brian) unless you use the -l argument.

    [brian@brfordnix brian]$ ssh 192.168.1.1 -l pix
    pix@192.168.1.1's password:
    Warning: Remote host denied X11 forwarding
    Type help or '?' for a list of available commands
    fw501>
    fw501> en
    Password: ********
    fw501# show ssh
    192.168.1.1 255.255.255.0 inside
    fw501#

The following is a complete listing of the Cisco PIX Firewall configuration (write terminal from the PIX CLI).

    Building configuration...
    : Saved
    :
    PIX Version 6.3(1)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxx encrypted
    hostname fw501
    domain-name ohbrian.net
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 15
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:0350x0dbf94x0106f05x53615ccc371a
    : end
    [OK]

Brian Ford can be reached via Email at ohbrian@optonline.net

PIX and PIX Firewall are trademarks belonging to Cisco Systems, Inc. See http://www.cisco.com/go/pix for further information.

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
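Because the ssh address/mask lines decide which hosts may open a management session (and a 0.0.0.0 mask admits any host), it is worth checking them mechanically in a saved write terminal listing. The following is an added example, not code from the article: it reads the ssh lines of a PIX 6.x configuration, reports the source range each permits, and flags an any-host mask or a missing ssh timeout. SAMPLE_CONFIG is constructed from the listing above plus one deliberately over-broad line.

```python
import ipaddress
import re

# Added example, not part of the article: lint the SSH management-access lines
# of a PIX 6.x "write terminal" listing. SAMPLE_CONFIG is constructed from the
# ssh/telnet lines in the article's own listing, plus one deliberately
# over-broad "ssh 0.0.0.0 0.0.0.0 outside" line to show what gets flagged.
SAMPLE_CONFIG = """\
hostname fw501
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
"""

# "ssh <address> [netmask] <mask> <interface>" (the documented keyword form
# mentioned in the article is accepted as well as the bare form)
SSH_HOST = re.compile(r"^ssh\s+(\S+)\s+(?:netmask\s+)?(\S+)\s+(\S+)$")

def audit_pix_ssh(config_text):
    """Return {'rules': [(iface, network, addresses)], 'timeout': int|None,
    'findings': [str]} for the ssh management settings in config_text."""
    rules, findings, timeout = [], [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("ssh timeout "):
            timeout = int(line.split()[2])
            continue
        m = SSH_HOST.match(line)
        if not m:
            continue
        addr, mask, iface = m.groups()
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        rules.append((iface, str(net), net.num_addresses))
        if net.prefixlen == 0:
            # Mask 0.0.0.0 means any source address may open an SSH session.
            findings.append(f"ssh on {iface}: any host allowed ({addr} {mask})")
    if not rules:
        findings.append("no 'ssh <addr> <mask> <if>' lines: SSH access is not enabled")
    if timeout is None:
        # The PIX default idle timeout is 5 minutes when none is configured.
        findings.append("no 'ssh timeout' line: PIX default of 5 minutes applies")
    return {"rules": rules, "timeout": timeout, "findings": findings}

if __name__ == "__main__":
    report = audit_pix_ssh(SAMPLE_CONFIG)
    for iface, net, count in report["rules"]:
        print(f"{iface}: {net} ({count} addresses)")
    for finding in report["findings"]:
        print("FINDING:", finding)
```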