enabling ssh to certain computer

Answered Question
Jul 10th, 2007
I have a few computers behind a PIX 501. A few of them have no access to the internet (access-list inside line 1 deny ip host 192.168.1.10, etc.) and the others have full access. Now I want to give some of those denied computers SSH access to the outside. I have tried

access-list inside line 6 permit tcp host 192.168.1.10 eq ssh any eq ssh

, but the SSH client says Connection Refused. Do I need some other access rules, or is the problem somewhere else?


dominic.caron Tue, 07/10/2007 - 03:43

Hi


The source port may not be 22; it depends on the client coding. Change your ACL line to:


access-list inside line 6 permit tcp host 192.168.1.10 any eq ssh

jamesi123 Tue, 07/10/2007 - 05:28
That change didn't seem to work. It seems that the outbound connection works, but inbound doesn't. access-list inside line 1 deny ip host 192.168.1.10 gets hits when I try to SSH out from the computer.

Correct Answer
acomiskey Tue, 07/10/2007 - 05:29

You need to have the permit line before the deny line.


access-list inside permit tcp host 192.168.1.10 any eq ssh

access-list inside deny ip host 192.168.1.10 any


Please rate helpful posts.
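As an added worked example (not code from this thread or from Cisco), the Python below models the PIX's first-match evaluation of the inside access list so the two problems discussed above can be seen side by side: the original line 6 only matches when the client's source port is 22, and even the corrected permit line is never reached while the deny ip host 192.168.1.10 any entry sits at line 1. The outside address 203.0.113.5, the ephemeral client ports and the permit ip 192.168.1.0 255.255.255.0 any line standing in for the other hosts' full access are assumptions constructed for the example; line N is used only as an ordering key here, whereas the real PIX inserts at that position and renumbers.

```python
"""
Added example, not from the original thread or from Cisco: a minimal
first-match evaluator for PIX-style extended access lists.

Assumptions (constructed for this example): outside host 203.0.113.5,
ephemeral client ports, and a 'permit ip 192.168.1.0 255.255.255.0 any'
entry for the other inside hosts. 'line N' is honoured only as an
ordering key. No match at all is an implicit deny, as on the PIX.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "https": 443}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class ACE:
    line: Optional[int]          # from 'line N'; None means appended
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: IPv4Network
    sport: Optional[int]         # None = any source port
    dst: IPv4Network
    dport: Optional[int]         # None = any destination port
    text: str                    # original config line, for reporting

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("ip", pkt.proto)
            and ip_address(pkt.src) in self.src
            and ip_address(pkt.dst) in self.dst
            and self.sport in (None, pkt.sport)
            and self.dport in (None, pkt.dport)
        )


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_addr(toks: List[str]) -> IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' (PIX uses plain masks)."""
    kw = toks.pop(0)
    if kw == "any":
        return ip_network("0.0.0.0/0")
    if kw == "host":
        return ip_network(toks.pop(0) + "/32")
    return ip_network(f"{kw}/{toks.pop(0)}", strict=False)


def _take_port(toks: List[str]) -> Optional[int]:
    """Consume an optional 'eq PORT'; other operators (range, gt, ...) are out of scope."""
    if toks and toks[0] == "eq":
        toks.pop(0)
        return _port(toks.pop(0))
    return None


def parse_ace(line: str) -> ACE:
    """Parse 'access-list NAME [line N] permit|deny PROTO SRC [eq P] DST [eq P]'."""
    toks = line.split()
    if toks[:1] != ["access-list"]:
        raise ValueError(f"not an access-list entry: {line!r}")
    toks = toks[2:]                         # drop 'access-list NAME'
    lineno = None
    if toks[0] == "line":
        lineno = int(toks[1])
        toks = toks[2:]
    action, proto = toks.pop(0), toks.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r} in {line!r}")
    src, sport = _take_addr(toks), _take_port(toks)
    dst, dport = _take_addr(toks), _take_port(toks)
    if toks:
        raise ValueError(f"unsupported trailing tokens {toks} in {line!r}")
    return ACE(lineno, action, proto, src, sport, dst, dport, line.strip())


def build_acl(config: List[str]) -> List[ACE]:
    """Evaluation order: numbered entries by line number, then appended ones in config order."""
    aces = [parse_ace(entry) for entry in config]
    numbered = sorted((a for a in aces if a.line is not None), key=lambda a: a.line)
    return numbered + [a for a in aces if a.line is None]


def evaluate(config: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching entry wins; returns (action, entry text). No match -> ('deny', None)."""
    for ace in build_acl(config):
        if ace.matches(pkt):
            return ace.action, ace.text
    return "deny", None


# Constructed traffic: an outbound SSH session uses an ephemeral source port, not 22.
SSH_OUT = Packet("tcp", "192.168.1.10", "203.0.113.5", sport=51234, dport=22)
HTTP_OUT = Packet("tcp", "192.168.1.10", "203.0.113.5", sport=51235, dport=80)
OTHER_HOST = Packet("tcp", "192.168.1.20", "203.0.113.5", sport=40000, dport=80)

# The poster's ACL: deny at line 1, permit with a source-port test at line 6.
ACL_ORIGINAL = [
    "access-list inside line 1 deny ip host 192.168.1.10 any",
    "access-list inside line 2 permit ip 192.168.1.0 255.255.255.0 any",
    "access-list inside line 6 permit tcp host 192.168.1.10 eq ssh any eq ssh",
]
# dominic.caron's line: no source-port test, but the deny still comes first.
ACL_NO_SPORT = ACL_ORIGINAL[:2] + ["access-list inside line 6 permit tcp host 192.168.1.10 any eq ssh"]
# acomiskey's answer: permit before deny.
ACL_FIXED = [
    "access-list inside permit tcp host 192.168.1.10 any eq ssh",
    "access-list inside deny ip host 192.168.1.10 any",
    "access-list inside permit ip 192.168.1.0 255.255.255.0 any",
]

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("no sport", ACL_NO_SPORT), ("fixed", ACL_FIXED)):
        for pkt in (SSH_OUT, HTTP_OUT, OTHER_HOST):
            action, hit = evaluate(acl, pkt)
            print(f"{name:9} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {action:6} via {hit}")
```

Running the file prints one row per access list and packet. The entry returned by evaluate is the one whose hit counter would increment on the box, which is exactly what the poster observed when line 1 "gets hits" on an outbound SSH attempt; with the fixed ordering the permit line takes the hit for SSH, the deny still catches the same host's HTTP, and the other inside hosts fall through to their own permit.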
