opening ports

Unanswered Question
May 2nd, 2007
I need to let a vendor have access to a network device that they installed. I added the following two lines into my PIX 515.

access-list acl_out permit tcp host vendor.ip.address host my.outside.ip.address eq ssh

static (inside,outside) tcp my.outside.ip.address ssh ssh netmask 0 0

They cannot connect so I'm not sure if I set it up correctly. I also tried doing a port scan and the port does not list as being open. Did I do something wrong here?


Overall Rating: 4 (2 ratings)
acomiskey Wed, 05/02/2007 - 09:17

Did you apply the acl?

access-group acl_out in interface outside

acomiskey Wed, 05/02/2007 - 09:36

Is "my.outside.ip.address" the same as your outside interface of pix?

If so you should use keyword "interface" in static and acl statements.

access-list acl_out permit tcp host vendor.ip.address interface outside eq ssh

static (inside,outside) tcp interface ssh ssh netmask 0 0

Jon Marshall Wed, 05/02/2007 - 09:40

When you say you did a port scan, was this from inside or outside the firewall?

There doesn't seem to be anything wrong with the config you posted, so perhaps you could post the full config (minus any sensitive information).

Other things to check

1) Is the network directly attached to the PIX? If not, do you have a route to that network?

2) The vendor IP address will need to be routed back out from your network. Is the default gateway pointing to the PIX? If not, do you have other routing in your network that would send the reply traffic back to the PIX?

3) Can you SSH internally to this server?
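The two configuration points raised above (the ACL must be applied with `access-group`, and a static/ACL pair that targets the outside interface's own address should use the `interface` keyword) can be checked mechanically before asking the vendor to retry. The following Python script is an added example, not code from this thread or from Cisco: it parses a constructed PIX-style config fragment with assumed addresses (outside interface 203.0.113.10, vendor 198.51.100.7, inside device 192.168.1.20) and reports the two problems. The inside host address and host netmask in the sample static line are spelled out rather than abbreviated as in the posted lines.

```python
import re
from typing import List, Optional

# Constructed sample resembling the original poster's config: the ACL is defined
# but never applied, and both the ACL and the static use the outside interface's
# own address instead of the "interface" keyword. Addresses are assumptions.
POSTED_CONFIG = """\
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
access-list acl_out permit tcp host 198.51.100.7 host 203.0.113.10 eq ssh
static (inside,outside) tcp 203.0.113.10 ssh 192.168.1.20 ssh netmask 255.255.255.255
"""

# Constructed corrected version following the advice in the thread.
CORRECTED_CONFIG = """\
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
access-list acl_out permit tcp host 198.51.100.7 interface outside eq ssh
access-group acl_out in interface outside
static (inside,outside) tcp interface ssh 192.168.1.20 ssh netmask 255.255.255.255
"""


def outside_address(config: str) -> Optional[str]:
    """Return the IP configured on the interface named 'outside', if any."""
    m = re.search(r"^ip address outside (\S+)", config, re.M)
    return m.group(1) if m else None


def review_ssh_exposure(config: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings: List[str] = []
    outside_ip = outside_address(config)

    # 1) Every named access-list should be bound to an interface with access-group.
    defined = set(re.findall(r"^access-list (\S+) ", config, re.M))
    applied = set(re.findall(r"^access-group (\S+) in interface", config, re.M))
    for name in sorted(defined - applied):
        findings.append(f"ACL {name} is defined but never applied with access-group")

    # 2) An ACL whose destination is the outside interface's own address should
    #    say 'interface outside' rather than 'host <ip>'.
    acl_re = r"^access-list \S+ permit tcp host \S+ host (\S+) eq (\S+)"
    for m in re.finditer(acl_re, config, re.M):
        if m.group(1) == outside_ip:
            findings.append(
                f"ACL destination 'host {outside_ip}' is the outside interface; "
                f"use 'interface outside eq {m.group(2)}'"
            )

    # 3) Same rule for the global side of a port static: global address equal to
    #    the outside interface address should be written as 'interface'.
    static_re = r"^static \((\S+),(\S+)\) tcp (\S+) (\S+) (\S+) (\S+)"
    for m in re.finditer(static_re, config, re.M):
        global_addr, global_port, local_addr, local_port = m.group(3, 4, 5, 6)
        if global_addr == outside_ip:
            findings.append(
                f"static uses global address {global_addr} which is the outside interface; "
                f"use 'static ({m.group(1)},{m.group(2)}) tcp interface {global_port} "
                f"{local_addr} {local_port}'"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"== {label} config ==")
        for line in review_ssh_exposure(cfg) or ["no findings"]:
            print("  -", line)
```

Running it prints three findings for the posted config (ACL not applied, `host` instead of `interface` in the ACL, and the same in the static) and none for the corrected one; the routing questions in points 1 and 2 cannot be answered from the firewall config alone and still need to be checked on the inside device.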



dexteroc1 Wed, 05/02/2007 - 09:51

Good suggestions. I will try all of these.

The port scan was from outside the firewall.

I was thinking the config was correct as well. I already did this same thing for another vendor just using a different port and it works for them. I will try to ssh to the vendor device and go from there.

Thanks guys.

