05-02-2007 09:13 AM - edited 03-11-2019 03:08 AM
I need to let a vendor have access to a network device that they installed. I added the following two lines into my PIX 515.
access-list acl_out permit tcp host vendor.ip.address host my.outside.ip.address eq ssh
static (inside,outside) tcp my.outside.ip.address ssh 192.168.50.50 ssh netmask 255.255.255.255 0 0
They cannot connect, so I'm not sure if I set it up correctly. I also tried doing a port scan and the port does not list as being open. Did I do something wrong here?
Thanks.
05-02-2007 09:17 AM
Did you apply the acl?
access-group acl_out in interface outside
05-02-2007 09:30 AM
Yes, the access-group was applied.
05-02-2007 09:36 AM
Is "my.outside.ip.address" the same as the outside interface address of your PIX?
If so, you should use the keyword "interface" in the static and acl statements.
access-list acl_out permit tcp host vendor.ip.address interface outside eq ssh
static (inside,outside) tcp interface ssh 192.168.50.50 ssh netmask 255.255.255.255 0 0
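As an added example (not from this thread or from Cisco), a small Python checker that applies the points raised above to a PIX 6.x config fragment: is the ACL actually applied to outside, does a static exist for the port, and is the "interface" keyword used when the mapped address is the outside interface address. The addresses are constructed and assumed, not the original poster's.

```python
# Constructed sample config (assumed addresses) mirroring the poster's setup:
# the global address in the static/ACL is the outside interface's own address.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.50.1 255.255.255.0
access-list acl_out permit tcp host 198.51.100.7 host 203.0.113.10 eq ssh
access-group acl_out in interface outside
static (inside,outside) tcp 203.0.113.10 ssh 192.168.50.50 ssh netmask 255.255.255.255 0 0
"""

def parse_pix(config):
    """Pull the lines relevant to a static TCP port forward out of a PIX config."""
    facts = {"if_ip": {}, "acls": [], "applied": {}, "statics": []}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:            # ip address <if> <ip> <mask>
            facts["if_ip"][t[2]] = t[3]
        elif t[0] == "access-list" and t[2] == "permit":
            # access-list <name> permit tcp host <src> (host <ip> | interface <if>) eq <port>
            facts["acls"].append({"name": t[1], "src": t[5], "dst_kind": t[6],
                                  "dst": t[7], "port": t[9]})
        elif t[0] == "access-group":              # access-group <name> in interface <if>
            facts["applied"][t[1]] = t[4]
        elif t[0] == "static" and t[2] == "tcp":
            # static (inside,outside) tcp (interface | <global-ip>) <gport> <local-ip> <lport> ...
            facts["statics"].append({"global": t[3], "gport": t[4],
                                     "local": t[5], "lport": t[6]})
    return facts

def check_port_forward(config, port="ssh"):
    """Return a list of findings (empty means the forward for <port> looks consistent)."""
    f = parse_pix(config)
    outside_ip = f["if_ip"].get("outside")
    findings = []
    statics = [s for s in f["statics"] if s["gport"] == port]
    if not statics:
        findings.append(f"no static (inside,outside) tcp entry for port {port}")
    for s in statics:
        if s["global"] == outside_ip:  # mapped address is the outside interface itself
            findings.append(f"static uses host {outside_ip}; use 'static (inside,outside) tcp interface {port} ...'")
    acls = [a for a in f["acls"] if a["port"] == port]
    if not acls:
        findings.append(f"no access-list entry permits tcp port {port} inbound")
    for a in acls:
        if f["applied"].get(a["name"]) != "outside":
            findings.append(f"access-list {a['name']} is not applied inbound on outside (access-group)")
        if a["dst_kind"] == "host" and a["dst"] == outside_ip:
            findings.append(f"access-list {a['name']} uses host {outside_ip}; use 'interface outside' instead")
    return findings
```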
05-02-2007 09:40 AM
Hi
When you say you did a port scan, was this from inside or outside the firewall?
There doesn't seem to be anything wrong with the config you posted, so perhaps you could post the full config (minus any sensitive information).
Other things to check:
1) Is the 192.168.50.0 network directly attached to the PIX? If not, do you have a route to that network?
2) The vendor IP address will need to be routed back out from your network. Is the default gateway on 192.168.50.50 pointing to the PIX? If not, do you have other routing in your network that would send the reply traffic back to the PIX?
3) Can you ssh internally to this server?
HTH
Jon
05-02-2007 09:51 AM
Good suggestions. I will try all of these.
The port scan was from outside the firewall.
I was thinking the config was correct as well. I already did this same thing for another vendor just using a different port and it works for them. I will try to ssh to the vendor device and go from there.
Thanks guys.