Home > Articles > Cisco Network Technology > General Networking > Configuring the PIX Firewall for SSH (Secure Shell)

Configuring the PIX Firewall for SSH (Secure Shell)

Article Description

In October of 1995, Cisco Systems, Inc. began their first serious push into the Network Security market with the acquisition of NTI (Network Translation, Inc.). NTI’s flagship PIX firewall became the Cisco Secure PIX Firewall. From 1995 until 2000, there was one feature missing that frustrated security administrators greatly: secure remote access. Although the PIX Firewall allows Telnet access to its CLI (command line interface), the PIX OS will not allow Telnet to hosts on the outside interface because of the threat of password interception. In 2000, Cisco introduced version 5.2 of the PIX OS. One of the most notable features of 5.2 was support for the new faster and more scalable PIX 525 Firewall. Another feature that received less fanfare, SSH or Secure Shell, proved to be very important to Security Administrators who were tired of driving to the office to make changes to their PIX. SSH uses either DES or 3DES to encrypt the entire session to the PIX; and as such, it was deemed safe to enable on the outside interface. David W. Chapman Jr. will demonstrate how to enable and troubleshoot SSH access to your PIX in an easy to follow step-by-step process.

Like this article? We recommend

Cisco Secure PIX Firewalls

Cisco Secure PIX Firewalls


Configuring PIX to Accept SSH Connections

Our first task is to generate an RSA public/private key pair to use to securely transfer the session key from the server to the client. The hostname and domain-name must be set before the PIX will allow you to generate the key pair.

  1. Assign a hostname and domain name to the PIX. This is required to generate the RSA key set.

    pixfirewall(config)# hostname percival 
    percival(config)# domain-name cisco.com
  2. Generate an RSA Key pair and save the keys to Flash memory.

    percival(config)# ca generate rsa key 2048
    For <key_modulus_size> >= 1024, key generation could
    take up to several minutes. Please wait..........
  3. View your newly created RSA Public Key.

    percival(config)# sh ca mypubkey rsa
    % Key pair was generated at: 15:02:39 May 28 2001
    Key name: percival.cisco.com
    Usage: General Purpose Key
    Key Data:
    30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 
    00b0475a 85bcfce7 91e36431 16c67070 24e4eb09 1b55766c 3588ea87 ba637382 
    8e3455a5 a7f71a8f fcd93f25 2bb95484 668ae92d a2175de3 04605fd0 d84f17e4 
    70569d26 90ff55d9 3cb91b90 ca4102d5 dc3c9cd1 25692aba f5cabae7 4f066459 
    86ecae91 a6e8c032 1e15184d f12f4bf8 18828ca6 6bc61c80 08a1425a 7d767200 
    ae68098f 703a972f 59b92239 ed9ae146 ff4a7ea4 6ae2b527 0486c91a c76bd376 
    3093d024 164e6032 c327d9b9 ed7101c8 73030634 defc0848 78a51d04 6995ad8c 
    5cbdc0b1 e77091e0 283e5881 407b3639 8a90abba fa559e4b 07a769ab 19b020f4 
    ba76301a 09772faa 2920067b be4ca3c0 84e2f7f0 7985eafe 227940e4 c56aea3e 
    23020301 0001
  4. After generating the keys, you must save them to Flash. Failure to perform this step will result in the erasure of the keys at the next reload.

    percival(config)# ca save all
  5. Specify what hosts are allowed to SSH to the PIX and set the SSH inactivity timeout. In this case, you will limit SSH access to a single inside host and kill sessions after one hour of inactivity.

    percival(config)# ssh inside
    percival(config)# ssh timeout 60
  6. Set the enable password and Telnet password. You will be required to enter the Telnet password to authenticate your SSH session.

    percival(config)# enable password hArd2Gue$$
    percival(config)# passwd Ace$$D3n13d


    If you have previously configured a telnet password and enable password, you don't need to change them for SSH to work.

3. Configuring the SSH Client to Connect to the PIX | Next Section Previous Section