# Few Pix Firewall Questions



## ankush (Apr 21, 2006)

Hey friends,

I am using a Cisco PIX 501 firewall in my company. I have a few questions regarding the firewall.


a) I have enabled SSH on the PIX from one of the hosts in the LAN. But when I tried to log in with PuTTY to the PIX firewall, I got this message:

"The first cipher supported by the server is single-DES, which is below the configured warning threshold. Do you want to continue the operation".

We had purchased a 50-user license from Cisco a few months ago.
How do I change the first cipher from DES to 3DES?

b) I want to block messengers like Yahoo, MSN, Google Talk etc. on the PIX for a few PCs. That means the traffic for these messengers should not be allowed to pass through the PIX firewall for some hosts.

I don't want to block the messengers for all the PCs, but for some PCs only.

Please let me know if you need any further inputs.

Thanks & Regards

Ankush Grover


----------



## aaronm (Apr 20, 2006)

What kind of crypto key did you generate to allow SSH? Is your transport input on the vty lines set to SSH? What OS are you using in your PIX? Finally, what program are you using to connect to the firewall?

As far as the access-list blocking IM to hosts, that's easy. With a little research on the web or monitoring their traffic, you can find the IPs of the IM servers. You can put them in an object-group and block traffic to specific hosts. Additionally, once the servers are in an object-group, when a new one pops up, you can easily add it to the list and automatically block the hosts from reaching it.


----------
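An added example, not part of either poster's messages: the object-group approach from the reply above, written out as a PIX 6.2 configuration. The group names `IM-SERVERS` and `IM-BLOCKED-HOSTS`, the ACL name `inside_out`, and every address are constructed placeholders (documentation ranges stand in for the IM servers).

```text
: Added example. All names and addresses below are constructed placeholders.
: IM-SERVERS holds the IM server addresses found by research or monitoring.
: IM-BLOCKED-HOSTS holds only the inside PCs that must not reach them.
: The final permit is required: once an ACL is bound to the inside
: interface, its implicit deny would otherwise block all other outbound
: traffic, including traffic from the PCs that are not restricted.
object-group network IM-SERVERS
  description Placeholder IM server addresses (constructed)
  network-object host 192.0.2.10
  network-object host 192.0.2.11
  network-object 198.51.100.0 255.255.255.0
object-group network IM-BLOCKED-HOSTS
  description Restricted inside PCs (constructed)
  network-object host 192.168.1.21
  network-object host 192.168.1.22
access-list inside_out deny ip object-group IM-BLOCKED-HOSTS object-group IM-SERVERS
access-list inside_out permit ip any any
access-group inside_out in interface inside
```

Blocking a newly discovered server is then a single `network-object` line added under `IM-SERVERS`, and `show access-list inside_out` shows whether the deny entry is being hit.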



## ankush (Apr 21, 2006)

I am using a PIX 501:

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
Inside Hosts: 50
IKE peers: 5

The program I am using to SSH into the PIX firewall is "PuTTY".
I also tried to SSH from one of the Linux PCs and got this error:
"Selected Cipher type <unknows> not supported by the server."

I used "ca generate rsa key 2048" and then I issued this command: "ca save all".


How do I enable a strong cipher, or a cipher which is supported by the Linux clients?

Thanks & Regards

Ankush Grover


----------

