opening ports

Unanswered Question
May 2nd, 2007

I need to let a vendor have access to a network device that they installed. I added the following two lines into my PIX 515.

access-list acl_out permit tcp host vendor.ip.address host my.outside.ip.address eq ssh

static (inside,outside) tcp my.outside.ip.address ssh 192.168.50.50 ssh netmask 255.255.255.255 0 0

They cannot connect, so I'm not sure if I set it up correctly. I also tried doing a port scan and the port does not list as being open. Did I do something wrong here?

Thanks.

acomiskey Wed, 05/02/2007 - 09:17

Did you apply the acl?

access-group acl_out in interface outside

acomiskey Wed, 05/02/2007 - 09:36

Is "my.outside.ip.address" the same as your outside interface of pix?

If so, you should use the keyword "interface" in the static and acl statements.

access-list acl_out permit tcp host vendor.ip.address interface outside eq ssh

static (inside,outside) tcp interface ssh 192.168.50.50 ssh netmask 255.255.255.255 0 0
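An added checker, not from the thread or from Cisco, that applies the two points raised in acomiskey's replies to a constructed PIX config snippet: is the ACL actually applied with access-group, does a static translate the ACL's destination address and port, and does the ACL name the outside interface's own address as a plain host instead of using the "interface" keyword? It assumes the simple PIX 6.x-style command forms shown in the thread and documentation-range addresses in place of the poster's real ones.

```python
import re

# Constructed sample in the shape of the config under discussion (not the poster's
# real config; addresses are documentation ranges).
SAMPLE_CONFIG = """
ip address outside 198.51.100.5 255.255.255.0
access-list acl_out permit tcp host 203.0.113.10 host 198.51.100.5 eq ssh
static (inside,outside) tcp 198.51.100.5 ssh 192.168.50.50 ssh netmask 255.255.255.255 0 0
"""

IP_RE = re.compile(r"^ip address (?P<iface>\S+) (?P<ip>\S+)")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) permit tcp host (?P<src>\S+) "
                    r"(?:host (?P<dst>\S+)|interface (?P<dst_if>\S+)) eq (?P<port>\S+)$")
STATIC_RE = re.compile(r"^static \((?P<real_if>\w+),(?P<map_if>\w+)\) tcp "
                       r"(?:interface|(?P<glob>\S+)) (?P<gport>\S+) (?P<local>\S+) (?P<lport>\S+) netmask")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)$")

def check_forwarding(config):
    """Return one finding (string) per problem: ACL never applied, no static for the
    ACL's destination/port, or ACL using the outside interface's own IP as a host."""
    acls, statics, groups, if_ips = [], [], {}, {}
    for raw in config.splitlines():
        line = " ".join(raw.split())            # collapse stray whitespace
        if m := IP_RE.match(line):
            if_ips[m["iface"]] = m["ip"]
        elif m := ACL_RE.match(line):
            acls.append(m.groupdict())
        elif m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := GROUP_RE.match(line):
            groups[m["name"]] = m["iface"]
    findings = []
    for a in acls:
        if a["name"] not in groups:
            findings.append(f"{a['name']}: not applied (missing 'access-group {a['name']} in interface outside')")
        if a["dst"] in if_ips.values():
            findings.append(f"{a['name']}: {a['dst']} is the firewall's own interface address; "
                            "use the 'interface' keyword in both the static and the ACL")
        # A static matches when its mapped address (or the interface keyword) and
        # mapped port equal what the ACL permits traffic to.
        hits = [s for s in statics if s["gport"] == a["port"]
                and ((a["dst"] is not None and s["glob"] == a["dst"])
                     or (a["dst"] is None and s["glob"] is None))]
        if not hits:
            findings.append(f"{a['name']}: no static maps {a['dst'] or 'interface'}/{a['port']} to an inside host")
    return findings

if __name__ == "__main__":
    for f in check_forwarding(SAMPLE_CONFIG):
        print(f)
```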

Jon Marshall Wed, 05/02/2007 - 09:40

Hi

When you say you did a port scan, was this from inside or outside the firewall?

There doesn't seem to be anything wrong with the config you posted, so perhaps you could post the full config (minus any sensitive information).

Other things to check

1) Is the 192.168.50.0 network directly attached to the pix? If not, do you have a route to that network?

2) The vendor IP address will need to be routed back out from your network. Is the default gateway on 192.168.50.50 pointing to the pix? If not, do you have other routing in your network that would send the reply traffic back to the pix?

3) Can you ssh internally to this server?

HTH

Jon

dexteroc1 Wed, 05/02/2007 - 09:51

Good suggestions. I will try all of these.

The port scan was from outside the firewall.

I was thinking the config was correct as well. I already did this same thing for another vendor just using a different port and it works for them. I will try to ssh to the vendor device and go from there.

Thanks guys.
