
How do I connect to cisco pix via ssh?

by Nalina (Monk)
on Jun 07, 2004 at 05:42 UTC (#361885=perlquestion)

Nalina has asked for the wisdom of the Perl Monks concerning the following question:

Hi all,

This is my first post on PM. I am new to Perl. Could anyone please tell me how to log in to a Cisco PIX and execute the command sh access-list <access-list id> on it using Perl? I could manually establish an ssh connection to it using the s/w 'putty' and could execute commands on it.

How do I do it with Perl? I am trying to log in from a Windows 2000 machine. Can I use ssh on a Windows 2000 system? I tried the Net::SSH::Perl module, but it didn't work on a Windows system. Is there any other way to do it? Please help me.

Thanks in advance

janitored by ybiC: Removed (annoying) leading "Urgent!!!!!" from node title, minor format tweaks for legibility, made link of CPAN module name thusly - [cpan://Net::SSH::Perl]

Re: How do I connect to cisco pix via ssh?
by tachyon (Chancellor) on Jun 07, 2004 at 06:12 UTC
Re: How do I connect to cisco pix via ssh?
by jepri (Parson) on Jun 07, 2004 at 05:57 UTC
    You'll have to be more specific with your error messages. "it didn't work" could mean anything from "it didn't install" to "my computer caught fire".

    Assuming you get it installed, it looks like you should be able to cut and paste the example from the documentation, add the right username and password, and have it work.

    You can use ssh itself if you have cygwin installed, but I don't think that is the solution you were looking for.

    I didn't believe in evil until I dated it.


      Thanks for the reply.

      I downloaded the Net::SSH::Perl module and tried to connect to the remote Cisco PIX through ssh. Following is my script:

      use strict;
      use warnings;
      use Net::SSH::Perl;

      my $host     = "IP";         # address of the PIX
      my $username = "username";
      my $pass     = "password";

      my $ssh = Net::SSH::Perl->new($host);
      $ssh->login($username, $pass);

      # the command has to be passed as a single quoted string
      my ($stdout, $stderr, $exit) = $ssh->cmd('sh access-list access_inside_in');
      print "output: $stdout\n";
      print "Error: ", ($stderr || ''), "\n";
      print "status: $exit\n";
      But while installing GMP with nmake

      perl Makefile.PL


      nmake test

      I got an error saying

      'cl' is not recognized as an internal or external command,
      operable program or batch file.
      NMAKE : fatal error U1077: 'C:\WINNT\system32\cmd.exe' : return code '0x1'
      Stop.

      What do I do now?



      Edited by Chady -- added code tags.

        See tachyon's comment below for the right module.

        On Windows, you want to use PPM instead of CPAN. CPAN only works if you have a full C compiler environment on your system, and most windows boxes don't. If you are using ActiveState Perl (most likely), you should use PPM, there is a FAQ to help get you started.

        I didn't believe in evil until I dated it.

Re: How do I connect to cisco pix via ssh?
by Anonymous Monk on Jun 07, 2004 at 08:22 UTC

    I've had problems getting Perl to ssh to a Cisco.

    It seems that Cisco's sshd is incompatible with Net::SSH::Perl. Run both the module and the system ssh in verbose mode and you'll see that N:S:P opens two channels, one for a global-like session or some such, then another for each cmd that is sent. Plain ssh uses only one channel for a shell (or a command). I got far enough down in debugging to see that the first channel authenticates fine, but it seems the Cisco's sshd doesn't support more than a single channel; the second channel created for the cmd fails with some sort of 'out of resource' message.

    My current solution is to use Expect and the system ssh command (which works fine).

    I'll create a trouble ticket with Cisco for this issue once I pin it down and have some time to try again and take notes (and make sure I'm not missing something).

    This may or may not help...

    package NE;
    use base 'Expect';
    use Expect;    # also imports exp_continue into this package

    # prompt pattern, from Net::Telnet::Cisco
    $prompt = qr/(?m:^[\w.-]+\s?(?:\(config[^\)]*\))?\s?[\$#>]\s?(?:\(enable\))?\s*$)/;

    # send one command and return its output, with the echoed command stripped
    sub cmd {
        my ( $exp, $cmd ) = @_;
        $exp->print($cmd, "\n");
        $exp->expect( 10, -re => $prompt ) or return;
        $out   = $exp->before;
        $match = $exp->match;
        $out =~ s/^$cmd\r?\n//;
        return $out;
    }

    # answer Username:/Password: prompts until the command prompt appears
    sub login {
        my ( $exp, $user, $pass ) = @_;
        $exp->expect( 10,
            [ qr/[Pp]assword:\s*/, sub { my $exp = shift; $exp->print($pass, "\n"); exp_continue; } ],
            [ qr/[Uu]sername:\s*/, sub { my $exp = shift; $exp->print($user, "\n"); exp_continue; } ],
            -re => $prompt,
        );
    }

    sub enable {
        my ( $exp, $pass ) = @_;
        $exp->print("enable", "\n");
        $exp->login( '', $pass );
    }

    package main;

    #$Expect::Debug = 1;
    $Expect::Log_Stdout = 0;

    my $exp = NE->new();
    $exp->spawn(qw| /usr/bin/ssh -2 -l admin myrouter |) or die "spawn: $!\n";
    $exp->login( '', "******" );
    $exp->enable( "**********" );

    my ( $out );
    $exp->cmd( "terminal length 0" );
    ( $out ) = $exp->cmd( "show running-config" );
    print $out;
    $exp->cmd( "exit" );
    $exp->soft_close();
    exit;

    Another possibility yet to be investigated is using Net::SSH::Perl for the connection, trying to fish out the filehandle that it creates and pass it to Net::Telnet::Cisco directly, and using Net::Telnet::Cisco for the cmd handling. This will probably take some hacking, as it looks like the first Net::SSH::Perl channel is opened with different parameters than the channels opened for the commands.

    Another possibility might be the Web interface. I haven't played with that at all yet.
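The following script is an added example for this thread, not code posted by anyone in it. It applies the Expect-plus-system-ssh approach from the reply above to the original question: it keeps everything on one interactive ssh session (so the second-channel failure described above never arises), enters privileged mode, runs "show access-list <name>" on the PIX, and parses the result so that permit-any-to-any entries are flagged. The host, user and ACL name are placeholders taken from the command line, the passwords come from environment variables rather than argv (so they do not show up in process listings), the no-paging command is an assumption that differs between PIX software versions, and the sample output used by --demo is constructed rather than captured from a real device.

```perl
#!/usr/bin/perl
# Added example, not from any poster in this thread. Drives the system ssh
# client with Expect over a single session, runs "show access-list <name>"
# on a PIX and flags permit-any-to-any entries. Placeholders and assumptions
# are marked in the comments below.
use strict;
use warnings;
use Expect;

# Prompt pattern, simplified from the Net::Telnet::Cisco one quoted above.
my $PROMPT = qr/(?m:^[\w.-]+(?:\(config[^)]*\))?[>#]\s*$)/;

# Assumed per-session "no paging" command; older PIX releases use "no pager".
my $PAGER_OFF = 'terminal pager 0';

# Spawn ssh, answer the host-key question and the password prompt, then wait
# for a command prompt. Dies on refusal, early exit or timeout.
sub pix_login {
    my (%opt) = @_;
    my $timeout = $opt{timeout} || 20;
    my $exp = Expect->new;
    $exp->raw_pty(1);
    $exp->log_stdout(0);
    $exp->spawn('ssh', '-l', $opt{user}, $opt{host}) or die "cannot spawn ssh: $!\n";
    $exp->expect($timeout,
        [ qr/\(yes\/no\)\?\s*$/ => sub { shift->send("yes\r"); exp_continue; } ],
        [ qr/[Pp]assword:\s*$/  => sub { shift->send("$opt{pass}\r"); exp_continue; } ],
        [ qr/Permission denied|Connection closed/ => sub { die "login refused\n" } ],
        [ 'eof'     => sub { die "ssh exited before a prompt appeared\n" } ],
        [ 'timeout' => sub { die "no prompt within $timeout seconds\n" } ],
        [ $PROMPT   => sub { } ],
    );
    return $exp;
}

# Enter privileged mode; "show access-list" needs it on the PIX.
sub pix_enable {
    my ($exp, $pass) = @_;
    $exp->send("enable\r");
    $exp->expect(10,
        [ qr/[Pp]assword:\s*$/ => sub { shift->send("$pass\r"); exp_continue; } ],
        [ $PROMPT => sub { } ],
    );
    die "enable failed\n" unless defined $exp->match && $exp->match =~ /#\s*$/;
}

# Send one command and return its output with the echoed command line and
# CR characters stripped.
sub pix_cmd {
    my ($exp, $cmd, $timeout) = @_;
    $exp->send("$cmd\r");
    my (undef, $err) = $exp->expect($timeout || 30, [ $PROMPT => sub { } ]);
    die "no prompt after '$cmd': $err\n" if defined $err;
    my $out = $exp->before;
    $out =~ s/\r//g;
    $out =~ s/^\Q$cmd\E[ \t]*\n//;
    return $out;
}

# Parse "show access-list" lines (PIX 6.x style: optional "line N", action,
# protocol, the rest of the entry, optional hit counter) into records.
sub parse_acl {
    my ($text) = @_;
    my @rules;
    for my $line (split /\n/, $text) {
        next unless $line =~ /^access-list\s+(\S+)\s+(?:line\s+\d+\s+)?(permit|deny)\s+(\S+)\s+(.*?)\s*(?:\(hitcnt=(\d+)\))?\s*$/;
        push @rules, { acl => $1, action => $2, proto => $3, spec => $4,
                       hits => defined $5 ? $5 : 0 };
    }
    return @rules;
}

# Entries a reviewer wants to see first: permit from any source to any destination.
sub overbroad {
    my (@rules) = @_;
    return grep { $_->{action} eq 'permit' && $_->{spec} =~ /^any\s+any(?:\s|$)/ } @rules;
}

sub report {
    my (@rules) = @_;
    printf "%d access-list entries parsed\n", scalar @rules;
    print "WARNING: $_->{acl} permits $_->{proto} any -> any (hits=$_->{hits})\n"
        for overbroad(@rules);
}

# Constructed sample output for offline demonstration (not from a real PIX).
my $SAMPLE = <<'END';
access-list acl_inside line 1 permit tcp any host 192.0.2.10 eq www (hitcnt=42)
access-list acl_inside line 2 permit ip any any (hitcnt=7)
access-list acl_inside line 3 deny ip any any (hitcnt=0)
END

if (@ARGV == 1 && $ARGV[0] eq '--demo') {
    report(parse_acl($SAMPLE));
} elsif (@ARGV == 3) {
    my ($host, $user, $acl) = @ARGV;
    defined $ENV{PIX_PASS} && defined $ENV{PIX_ENABLE}
        or die "set PIX_PASS and PIX_ENABLE in the environment\n";
    my $exp = pix_login(host => $host, user => $user, pass => $ENV{PIX_PASS});
    pix_enable($exp, $ENV{PIX_ENABLE});
    pix_cmd($exp, $PAGER_OFF);
    report(parse_acl(pix_cmd($exp, "show access-list $acl")));
    $exp->send("exit\r");
    $exp->soft_close;
} else {
    die "usage: $0 --demo | $0 host user acl-name\n";
}
```

Run it with --demo to exercise the parser and the overbroad check on the constructed sample without a device; with host, user and ACL name it performs the real session. The prompt-driven login handles the host-key question, a wrong password and a dropped connection explicitly, which is the part of screen-scraping a device that most often hangs a script silently.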

Re: How do I connect to cisco pix via ssh?
by calin (Deacon) on Jun 07, 2004 at 11:41 UTC

    The ssh implementation on the PIX is braindead. I'm having trouble with one of these beasts right now (not SSH-related). Cisco PIX 501 is such a piece of s*** that I can hardly refrain from tearing it to pieces with a sledgehammer!

    You'll have a hard time connecting even from the command line. Try that first before you start coding in Perl. First, you need to generate a RSA host key on the beast, and enable SSH inbound connections. Make sure you replace the network address and mask with yours. At the serial console:

    pixfirewall> enable
    Password:
    pixfirewall# conf t
    pixfirewall(config)#
    pixfirewall(config)# ca generate rsa key 512
    Keypair generation process begin.
    Success.
    pixfirewall(config)# ssh inside
    pixfirewall(config)# write mem

    Then try connecting from the command line from a host matching the net address above (example using OpenSSH):

    $ ssh -1 -c 3des -l pix
    pix@'s password: <type 'cisco' for default>
    Type help or '?' for a list of available commands.
    pixfirewall>

    I realize this reply is slightly OT, but I feel sympathy for the creatures who have to deal with these abominations. The suffering need to help each other! :)

    Update: the OP writes:

    I could manually establish ssh connection to it using the s/w 'putty' & could execute commands on it.

    I was that mad at the beast that I didn't see that. Ignore.
