
Configuring the PIX Firewall for SSH (Secure Shell)

Article Description

In October of 1995, Cisco Systems, Inc. began its first serious push into the Network Security market with the acquisition of NTI (Network Translation, Inc.). NTI’s flagship PIX firewall became the Cisco Secure PIX Firewall. From 1995 until 2000, there was one feature missing that frustrated security administrators greatly: secure remote access. Although the PIX Firewall allows Telnet access to its CLI (command line interface), the PIX OS will not allow Telnet access from hosts on the outside interface because of the threat of password interception. In 2000, Cisco introduced version 5.2 of the PIX OS. One of the most notable features of 5.2 was support for the new faster and more scalable PIX 525 Firewall. Another feature that received less fanfare, SSH or Secure Shell, proved to be very important to Security Administrators who were tired of driving to the office to make changes to their PIX. SSH uses either DES or 3DES to encrypt the entire session to the PIX, and as such, it was deemed safe to enable on the outside interface. David W. Chapman Jr. will demonstrate how to enable and troubleshoot SSH access to your PIX in an easy-to-follow, step-by-step process.

Configuring the SSH Client to Connect to the PIX

Before you can connect to the PIX using SSH, you need to install an SSH client compatible with your platform. This example uses the SSH client from SSH Communications. To find a client for another platform, refer to the entry for the SSH command in the Cisco PIX Firewall Command Reference and scroll down to the section "Obtaining an SSH Client for Your Platform." For the Windows platform, I recommend using Tera Term Pro with the SSH extension.

  1. Launch the SSH client software.

  2. Select Settings from the Edit menu in Figure 1.

    Figure 1 Opening the Settings Panel

  3. Click on the Connection item from the list under Profile Settings on the left side panel in Figure 2. In the Host Name field, enter the IP address of the PIX. Enter pix in the User Name field. Next, in the Authentication Methods pane, click on password.

    Figure 2 Setting Connection Preferences

  4. Click on the Cipher List item just below the Connection item under Profile Settings in the left side panel. Uncheck all the ciphers except the one you will be using. Once your cipher is selected, use the black Up Arrow to move your preferred cipher to the top of the list. In the example illustrated in Figure 3, the user has selected DES.

    Note

    While many SSH Clients support a wide variety of ciphers, the PIX supports DES and 3DES exclusively. You must install the appropriate activation key before using DES or 3DES. For maximum security, Cisco recommends using 3DES to secure SSH and IPSec.

    Figure 3 Cipher Selection

  5. To avoid entering this information every time you launch the SSH client, choose Save Settings from the Edit menu in Figure 4.

    Figure 4 Saving Your Preferences to a Profile

  6. Click the Quick Connect button to open the login pop-up box labeled Connect to Remote Host (see Figure 5).

    Figure 5 Opening the Login Pop-Up

  7. Because of the potential vulnerabilities with SSH version 1, this SSH client warns you with the message in Figure 6. Click the Yes button to accept this connection and continue.

    Figure 6 SSH Version 1 Warning

  8. If this is the first time you've connected to the PIX with SSH, you must exchange Public Keys with each other in order to encrypt the session. The SSH client prompts you to accept the PIX's Public Key. Click on the Yes button in Figure 7 to save the PIX's Public Key to the Local Database.

    Figure 7 Public Key Exchange

  9. After you save the PIX's Public Key, your SSH Client prompts you for the Telnet password in Figure 8.

    Figure 8 Enter Telnet Password

  10. You did it! You have created a secure connection to your PIX. Now, you can perform any of the configuration and routine maintenance over the SSH connection (see Figure 9).

    Figure 9 SSH Secure Shell Window
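
The protocol version behind the warning in step 7 is visible in the identification string an SSH server sends when the connection opens. The following Python sketch is an added example, not part of the original article: it classifies that string so you can confirm which devices still accept SSH version 1 sessions. The function names are hypothetical, and the banner strings and 192.0.2.x addresses are constructed samples.

```python
import re
import socket

# Identification string: SSH-<protoversion>-<softwareversion>[ <comments>]
_BANNER = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: .*)?$")

def classify_banner(line):
    """Return (status, software); status is v1-only, v1+v2, v2-only or invalid."""
    m = _BANNER.match(line.rstrip("\r\n"))
    if not m:
        return ("invalid", None)
    major, minor, software = int(m.group(1)), int(m.group(2)), m.group(3)
    if (major, minor) == (1, 99):
        # 1.99 is how a version 2 server signals it also accepts version 1 clients
        return ("v1+v2", software)
    if major == 1:
        return ("v1-only", software)
    if major == 2:
        return ("v2-only", software)
    return ("invalid", software)

def read_banner(host, port=22, timeout=5.0):
    """Fetch the identification line from a live server (not called below)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        for _ in range(20):  # a version 2 server may send other lines first
            raw = stream.readline(256)
            if not raw:
                break
            if raw.startswith(b"SSH-"):
                return raw.decode("ascii", "replace")
    return ""

def v1_exposed(banners):
    """Hosts whose banner shows they still accept SSH version 1 sessions."""
    return sorted(h for h, b in banners.items()
                  if classify_banner(b)[0] in ("v1-only", "v1+v2"))

# Constructed sample banners keyed by documentation addresses (not real devices)
SAMPLES = {
    "192.0.2.1": "SSH-1.5-Cisco-1.25\n",
    "192.0.2.2": "SSH-1.99-OpenSSH_3.9p1\r\n",
    "192.0.2.3": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    "192.0.2.4": "HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for host, banner in SAMPLES.items():
        print(host, classify_banner(banner))
    print("accept SSH v1:", v1_exposed(SAMPLES))
```

To check a device you administer, pass the result of `read_banner(host)` to `classify_banner`.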
