opening ports

dexteroc1
Level 1

I need to let a vendor have access to a network device that they installed. I added the following two lines into my PIX 515.

access-list acl_out permit tcp host vendor.ip.address host my.outside.ip.address eq ssh

static (inside,outside) tcp my.outside.ip.address ssh 192.168.50.50 ssh netmask 255.255.255.255 0 0

They cannot connect so I'm not sure if I set it up correctly. I also tried doing a port scan and the port does not list as being open. Did I do something wrong here?

Thanks.

5 Replies

acomiskey
Level 10

Did you apply the acl?

access-group acl_out in interface outside

Yes, the access-group was applied.

Is "my.outside.ip.address" the same as your outside interface of pix?

If so you should use keyword "interface" in static and acl statements.

access-list acl_out permit tcp host vendor.ip.address interface outside eq ssh

static (inside,outside) tcp interface ssh 192.168.50.50 ssh netmask 255.255.255.255 0 0
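The point above (the ACL destination must be the same object as the static's global side, and the `interface` keyword is needed when that address is the PIX outside interface's own IP) can be checked mechanically. This is an added example, not from the thread or from Cisco; the addresses 203.0.113.10 (outside interface), 198.51.100.5 (vendor) and the port-name table are constructed placeholders.

```python
import re

# Constructed sample values (not from the thread): 203.0.113.10 stands in for
# my.outside.ip.address and is assumed to also be the PIX outside interface IP.
OUTSIDE_IF_IP = "203.0.113.10"
POSTED_ACL = "access-list acl_out permit tcp host 198.51.100.5 host 203.0.113.10 eq ssh"
POSTED_STATIC = ("static (inside,outside) tcp 203.0.113.10 ssh 192.168.50.50 ssh "
                 "netmask 255.255.255.255 0 0")

# Small subset of PIX port keywords, enough for this check (constructed table).
PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "https": 443}

def port_number(tok):
    """Resolve a PIX port keyword or a numeric port to an integer."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

ACL_RE = re.compile(r"access-list\s+\S+\s+permit\s+(tcp|udp)\s+host\s+\S+\s+"
                    r"(?:host\s+(\S+)|interface\s+(\S+))\s+eq\s+(\S+)")
STATIC_RE = re.compile(r"static\s+\(\S+,\S+\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+"
                       r"\S+\s+\S+\s+netmask")

def check_forward(acl, static, outside_if_ip):
    """Compare one port-forward ACL line with its static; [] means consistent."""
    a, s = ACL_RE.match(acl), STATIC_RE.match(static)
    if not a or not s:
        return ["could not parse one of the lines"]
    a_proto, a_host, a_iface, a_port = a.groups()
    s_proto, s_global, s_port = s.groups()
    findings = []
    if a_proto != s_proto:
        findings.append(f"protocol mismatch: acl {a_proto} vs static {s_proto}")
    if port_number(a_port) != port_number(s_port):
        findings.append(f"port mismatch: acl {a_port} vs static {s_port}")
    # When the global address is the outside interface's own IP, PIX expects the
    # 'interface' keyword rather than the literal address (acomiskey's point).
    if s_global == outside_if_ip:
        findings.append("static uses the outside interface IP literally; use 'interface'")
    if a_host == outside_if_ip:
        findings.append("acl uses the outside interface IP literally; use 'interface outside'")
    # The ACL destination must be the same object as the static's global side.
    acl_dest = "interface" if a_iface else a_host
    if acl_dest != s_global:
        findings.append(f"acl destination {acl_dest} does not match static global {s_global}")
    return findings

if __name__ == "__main__":
    for f in check_forward(POSTED_ACL, POSTED_STATIC, OUTSIDE_IF_IP):
        print(f)
```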

Jon Marshall
Hall of Fame

Hi

When you say you did a port scan, was this from inside or outside the firewall?

There doesn't seem to be anything wrong with the config you posted, so perhaps you could post the full config (minus any sensitive information).

Other things to check:

1) Is the 192.168.50.0 network directly attached to the PIX? If not, do you have a route to that network?

2) The vendor IP address will need to be routed back out from your network. Is the default gateway on 192.168.50.50 pointing to the PIX? If not, do you have other routing in your network that would send the reply traffic back to the PIX?

3) Can you SSH internally to this server?

HTH

Jon

Good suggestions. I will try all of these.

The port scan was from outside the firewall.

I was thinking the config was correct as well. I already did this same thing for another vendor just using a different port and it works for them. I will try to ssh to the vendor device and go from there.

Thanks guys.
