Enabling SSH on a Cisco device
As I'm working on a project related to our new network infrastructure, I'll post some of the stuff I'm doing here, so the next few posts will likely all be related to Cisco, security, VPN and other things like that.
Here I'll just quickly show how to configure SSH on a Cisco PIX. If you need to configure a switch or a router, you first have to make sure that your IOS supports it, and the config will be slightly different.
pix(config)#hostname pix
pix(config)#domain-name mydomain.co.uk
pix(config)#passwd securePassword
pix(config)#ca gen rsa key 2048
pix(config)#ssh 10.20.128.128 255.255.255.255 inside
pix(config)#ssh timeout 60
pix(config)#ca save all
The first 3 lines are not specific to an SSH configuration; you probably already have them configured, as it's usually one of the first things you change!
The ca gen line generates the RSA key. You can choose something smaller than 2048 bits, but 2048 is the standard now (and also the maximum on a PIX).
The line after that is a specific access list that says only 10.20.128.128 can establish an SSH connection from the inside interface. Should you want your PIX accessible from everywhere (which is a bit silly but good for testing), here is what you need:
pix(config)#ssh 0.0.0.0 0.0.0.0 outside
Just to clarify one little thing: if you arrive over a site-to-site VPN connection, you'll hit the inside interface, so if your remote network is, say, 10.21.0.0 255.255.255.0 and you want to SSH to your PIX from there, you should have something like this:
pix(config)#ssh 10.21.0.0 255.255.255.0 inside
As this is an SSH connection, you need to provide a login and a password. The default login is "pix",
so from a Linux client you would do
ssh pix@ip_addr_pix
If you want to add more users, you have to proceed this way:
! add user
pix(config)#username name password *x!7&@a4
!
pix(config)#aaa authentication ssh console LOCAL
Of course you can also authenticate your SSH session against a TACACS or a RADIUS server, but aaa authentication is not covered here.
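As an added check (example code written for this post, not Cisco's or the original author's), here is a small Python script that scans a PIX config fragment for the SSH settings discussed above and flags the any/any "ssh 0.0.0.0 0.0.0.0 outside" test line, a missing "ssh timeout" and a missing "aaa authentication ssh console LOCAL". The config fragment is constructed for the example.

```python
import re
from ipaddress import IPv4Network

# Constructed sample PIX config fragment (not taken from a real device).
# The "outside" any/any line is the "accessible from everywhere" test setting.
SAMPLE_CONFIG = """\
hostname pix
domain-name mydomain.co.uk
ssh 10.20.128.128 255.255.255.255 inside
ssh 10.21.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
aaa authentication ssh console LOCAL
"""

# Matches "ssh <address> <mask> <interface>" (not "ssh timeout <n>").
SSH_HOST_RE = re.compile(r"^ssh\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def audit_pix_ssh(config: str) -> list:
    """Return a list of findings about the SSH settings in a PIX config
    fragment. An empty list means nothing was flagged."""
    findings = []
    has_timeout = False
    has_aaa = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ssh timeout"):
            has_timeout = True
            continue
        if line.startswith("aaa authentication ssh console"):
            has_aaa = True
            continue
        m = SSH_HOST_RE.match(line)
        if not m:
            continue
        addr, mask, iface = m.groups()
        # ipaddress accepts a dotted netmask after the slash.
        net = IPv4Network(f"{addr}/{mask}", strict=False)
        if net.prefixlen == 0:
            findings.append(f"ssh permitted from any address on '{iface}'")
        elif iface == "outside" and net.prefixlen < 24:
            findings.append(f"ssh from broad range {net} on 'outside'")
    if not has_timeout:
        findings.append("no 'ssh timeout' line")
    if not has_aaa:
        findings.append("no 'aaa authentication ssh console' line; only the default 'pix' login works")
    return findings


if __name__ == "__main__":
    for finding in audit_pix_ssh(SAMPLE_CONFIG):
        print(finding)
```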