Cisco

camelot
Site Admin
Posts: 99
Joined: Thu 17 Jul, 2008 18:41

Cisco

Post by camelot »

To configure a Cisco PIX Firewall to support SSH, enter the following commands:

    hostname myfirewall
    domain-name mydomain.mytld
    ca gen rsa key 1024
    ssh 172.18.124.114 255.255.255.255 inside
    ssh timeout 60
    passwd YourPasswordGoesHere
    ca save all

This configuration allows SSH from the 172.18.124.114 address on the inside interface. Change this address to something that makes sense for your network. If desired, you can use this line to allow access from any address on the outside interface:

    ssh 0.0.0.0 0.0.0.0 outside

The “ca save all” command is important: it saves the RSA keys.

How do I connect? First, get an SSH client. PuTTY is a popular one for Microsoft Windows, and SSH clients are packaged with most Linux distributions.

For Linux, the command line (for a pix at IP address 1.1.1.1) is:

    # -1 selects SSH protocol 1 and -c des the cipher; log in as user "pix"
    ssh -1 -c des pix@1.1.1.1

For Solaris (from Cisco’s website):

    ./ssh -c 3des -1 pix -v
camelot

Router Security Template Configuration

Post by camelot »

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Router Security Template Configuration !
! Comment: ers@ers.msk.ru 26.11.2001 !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

service password-encryption
no service udp-small-servers
no service tcp-small-servers

aaa new-model
aaa authentication banner ^C
This is a private device.
All unauthorized access is prohibited by law.
^C
aaa authentication username-prompt Login:
aaa authentication password-prompt Password:

no ip finger
no ip http server
no ip bootp server

! replace the default community names public/private before use
snmp-server community public RO 2
snmp-server community private RW 3
snmp-server enable traps all
snmp-server host 1.1.1.1 public

access-list 2 permit host 2.2.2.2
access-list 3 permit host 3.3.3.3 log
access-list 4 permit host 4.4.4.4 log

!!!!!!!!!!!!!!!!!!!!
! If we use TACACS !
!!!!!!!!!!!!!!!!!!!!
! the trailing "none" is a fall-through: if no TACACS+ server answers,
! login is allowed without any authentication
aaa authentication login default local group tacacs+ none
aaa authorization exec default group tacacs+ none
tacacs-server host 5.5.5.5
tacacs-server key TACACSecretKey

!!!!!!!!!!!!!!!!!!!!
! If we use RADIUS !
!!!!!!!!!!!!!!!!!!!!
! the trailing "none" is a fall-through: if no RADIUS server answers,
! login is allowed without any authentication
aaa authentication login default local group radius none
aaa authorization exec default group radius none
radius-server host 6.6.6.6
radius-server key RADIUSecretKey


logging buffered 4096
logging 7.7.7.7

line vty 0 4
 access-class 4 in

!!!!!!!!!!!!!!!!!!!!!
! On each interface !
!!!!!!!!!!!!!!!!!!!!!
no ip directed-broadcast
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
! no ip source-route is a global command, not an interface command
no ip source-route
ntp disable

!!!!!!!!!!!!!!!!!
! Anti-spoofing !
!!!!!!!!!!!!!!!!!
! ip cef is global; ip verify unicast rpf is applied per interface and needs CEF
ip cef
ip verify unicast rpf

!!!!!!!!!!!!!!!!!!!!!!!
! If we don't use CDP !
!!!!!!!!!!!!!!!!!!!!!!!
no cdp run
! If CDP is running and we don't want it on
! this interface
no cdp enable

!!!!!!!!!!!!!!!!!
! If we use RIP !
!!!!!!!!!!!!!!!!!
key chain RIPChain
 key 1
  key-string RIPKey
interface x0
 ip rip authentication key-chain RIPChain
 ip rip authentication mode md5

!!!!!!!!!!!!!!!!!!
! If we use OSPF !
!!!!!!!!!!!!!!!!!!
interface x0
 ip ospf message-digest-key 1 md5 OSPFKey
router ospf 100
 area 0 authentication message-digest
 log-adjacency-changes

!!!!!!!!!!!!!!!!!
! If we use BGP !
!!!!!!!!!!!!!!!!!
router bgp 100
 bgp log-neighbor-changes
 neighbor 8.8.8.8 password HashedMD5Password

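As an added example (not part of camelot's post, and not a Cisco tool), here is a Python script that audits a router's running-config against the checks in the template above: the global lines, the per-interface lines, AAA method lists that fall through to "none", SNMP communities with default names or no access-list, and vty lines without an access-class. The sample config, the hostname and the addresses in it are constructed for the demonstration; the IOS command names are the standard ones.

```python
"""Audit a Cisco IOS running-config against the hardening template above.
Added example, not code from the forum post; the sample config is constructed."""
import re

# Global lines the template expects ("no cdp run" is the IOS global form).
REQUIRED_GLOBAL = [
    "service password-encryption",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "no ip finger",
    "no ip http server",
    "no ip bootp server",
    "no ip source-route",
    "ip cef",
    "no cdp run",
]
# Per-interface lines; a tuple lists accepted spellings (newer IOS writes uRPF differently).
REQUIRED_INTERFACE = [
    ("no ip directed-broadcast",),
    ("no ip redirects",),
    ("no ip unreachables",),
    ("no ip proxy-arp",),
    ("ip verify unicast rpf", "ip verify unicast source reachable-via rx"),
    ("ntp disable",),
]
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_stanzas(config):
    """Split a config into (header, [children]) pairs: a column-0 line starts
    a stanza, indented lines belong to it; '!' and blank lines are dropped."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if stanzas:
                stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def audit(config):
    """Return findings as (kind, location, detail) tuples."""
    stanzas = parse_stanzas(config)
    headers = {h for h, _ in stanzas}
    findings = [("missing", "global", g) for g in REQUIRED_GLOBAL if g not in headers]
    for header, children in stanzas:
        if header.startswith("interface "):
            for variants in REQUIRED_INTERFACE:
                if not any(v in children for v in variants):
                    findings.append(("missing", header, variants[0]))
        elif header.startswith(("aaa authentication ", "aaa authorization ")):
            # A trailing "none" is a fall-through: if every AAA server is
            # unreachable, the request is granted with no authentication.
            if header.split()[-1] == "none":
                findings.append(("weak", header, "method list falls through to none"))
        elif header.startswith("snmp-server community "):
            if header.split()[2].lower() in DEFAULT_COMMUNITIES:
                findings.append(("weak", header, "default community name"))
            # Syntax: snmp-server community <name> [view <v>] RO|RW [<acl>]
            if not re.search(r"\b(RO|RW)\s+\S+$", header, re.I):
                findings.append(("weak", header, "no access-list on community"))
        elif header.startswith("line vty"):
            if not any(c.startswith("access-class ") for c in children):
                findings.append(("weak", header, "no access-class on vty"))
    return findings


# Constructed sample running-config (RFC 5737 documentation address).
SAMPLE_CONFIG = """\
service password-encryption
no service udp-small-servers
aaa new-model
aaa authentication login default local group tacacs+ none
no ip finger
no ip http server
no ip bootp server
no ip source-route
ip cef
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast rpf
 ntp disable
snmp-server community public RO 2
snmp-server community netmon RW
line vty 0 4
 access-class 4 in
 transport input ssh
line vty 5 15
 transport input telnet
"""

if __name__ == "__main__":
    for kind, where, detail in audit(SAMPLE_CONFIG):
        print(f"{kind:8} {where:40} {detail}")
```

One caveat when running this against a real device: IOS leaves settings that are already at their default out of `show running-config` (for example `no ip directed-broadcast` has been the default since 12.0 and is not printed), so feed the script the output of `show running-config all` on newer IOS, or expect those lines to be reported as missing.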
