Port Redirection of SSH through PIX 6.3(4)

Unanswered Question
Jul 13th, 2007

Hello,

I'm trying to redirect outside port connections destined for a specific "sftp" server by accepting port 22 connections destined for the sftp server and redirecting to port 2222 on the sftp server through the PIX.

static (inside,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255 0 0

I've read a number of articles which seem to indicate that it's certainly possible to do this:

static (inside,outside) tcp interface 2222 sftp.server.ip 22 netmask 255.255.255.255 0 0

But we still want to be able to use the ssh port on the sftp server for admin access and port 2222 for the sftp server.

Is there a way to do this?

acomiskey Fri, 07/13/2007 - 09:43

Not sure I completely understand your question but it sounds like you want your sftp service to listen on port 2222. This would leave port 22 available for ssh.

blindquist Fri, 07/13/2007 - 09:50

Yes, that's correct.

We also want folks using the sftp service to not have to specify a port other than "22" which is the default. So we really would like the PIX to do the port redirection for us if possible.

acomiskey Fri, 07/13/2007 - 09:56

What you want isn't necessarily going to work. You cannot have duplicate translations in the pix. If you create the following static to forward port 22 to 2222 for outside sftp clients...

static (inside,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255 0 0

then your outside ssh clients will not be able to hit the server on 22 as they will be redirected to 2222.

blindquist Fri, 07/13/2007 - 10:09

Thx for the quick response.

We do not allow any other SSH inbound to hosts in our DMZ. The servers in the DMZ can only be administered via SSH from our internal network via a separate set of firewalls.

Therefore this sftp server happens to be the only host that requires an SSH redirect on the PIX.

acomiskey Fri, 07/13/2007 - 10:13

OK, good. Then all you need to do is set your sftp service to listen on port 2222. Add the following static...

static (dmz,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255

This will allow sftp clients on the outside to hit the sftp service on port 22 from the outside.

SSH clients on the inside will be able to access the ssh service on port 22.

Only catch is that internal sftp clients will need to use port 2222 for the sftp service, if needed.

Hope that works for you. Please rate helpful posts.

blindquist Fri, 07/13/2007 - 11:00

We did attempt to implement the very static you suggested:

static (dmz,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255 0 0

However, we were never able to get through the PIX, nor did the PIX even log connection attempts. We even tried adding an access list:

access-list red_in line 36 permit tcp any host sftp.server.ip eq 22

Which begs the question of whether the PIX treats ssh differently on the "outside" interface? Is there some other parameter / command needed to accept ssh connections for redirection from the outside interface of the PIX?

acomiskey Fri, 07/13/2007 - 11:09

Looks like you had your acl wrong. It needs to reference the destination by the outside address, the interface address in this case, not the server's private dmz address.

access-list red_in permit tcp any interface outside eq 22

or

access-list red_in permit tcp any host eq 22

and

access-group red_in in interface outside

That should do the trick.
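
As an added illustration (not part of this thread or of Cisco's tooling), a small Python checker that parses PIX 6.3 `static` and `access-list` lines in the form used above and flags the mistake pointed out in this reply: an inbound ACL on the outside interface must name the translated destination (the outside interface address and the exposed port), not the server's private DMZ address. The port-name table and the sample lines in the test are constructed.

```python
import re

# Subset of the service names PIX accepts in place of port numbers (constructed).
PORT_NAMES = {"ssh": 22, "ftp": 21, "http": 80, "https": 443}

def port_number(tok):
    """Resolve a port token such as 'ssh' or '2222' to an integer, else None."""
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)

# static (local_if,global_if) tcp <global_addr> <global_port> <local_addr> <local_port> netmask ...
STATIC_RE = re.compile(
    r"static \((?P<local_if>\w+),(?P<global_if>\w+)\) tcp "
    r"(?P<global_addr>\S+) (?P<global_port>\S+) "
    r"(?P<local_addr>\S+) (?P<local_port>\S+) netmask")

# access-list <name> [line N] permit tcp <src> <dst> eq <port>
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) (?:line \d+ )?permit tcp (?P<src>any|host \S+) "
    r"(?P<dst>any|host \S+|interface \S+) eq (?P<port>\S+)")

def parse_static(line):
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["global_port"] = port_number(d["global_port"])
    d["local_port"] = port_number(d["local_port"])
    return d

def parse_acl(line):
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["port"] = port_number(d["port"])
    return d

def check_acl_against_static(acl_line, static_line):
    """Return 'ok' when the ACL matches what the static exposes, else a 'wrong: ...' reason."""
    s, a = parse_static(static_line), parse_acl(acl_line)
    if s is None or a is None:
        return "unparsed"
    # What outside clients actually connect to: the interface address when the static says 'interface'.
    expected_dst = ("interface " + s["global_if"]) if s["global_addr"] == "interface" \
        else ("host " + s["global_addr"])
    if a["dst"] == "host " + s["local_addr"]:
        return "wrong: private address %s in ACL; use '%s'" % (s["local_addr"], expected_dst)
    if a["dst"] not in ("any", expected_dst):
        return "wrong: destination '%s' does not match static ('%s')" % (a["dst"], expected_dst)
    if a["port"] != s["global_port"]:
        return "wrong: port %s in ACL but static exposes %s" % (a["port"], s["global_port"])
    return "ok"
```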

blindquist Fri, 07/13/2007 - 11:54

We will update the access-list and try to get this configuration implemented again during our next change window.

Hope this works.

Thanks for your help!

blindquist Fri, 08/03/2007 - 07:54

Hello,

We did attempt to implement this change last night with the new access list you'd recommended.

access-list red_in permit tcp any interface outside eq 22

static (inside,outside) tcp interface ssh x.x.x.x 2222 netmask 255.255.255.255 0 0

When we attempted to test access to the sftp server through the PIX we got the following error.

ftp -o Port=22 [email protected]

Connecting to x.x.x.x...

ssh: connect to host x.x.x.x port 22: Connection timed out

Couldn't read packet: Connection reset by peer

Also, the PIX didn't seem to be logging the connection attempts or forwarding the requests to port 2222 on the sftp server.

Perhaps we are still missing some key access-list parameter or is there something special about the way the PIX handles port 22 traffic forwarding?

blindquist Fri, 08/03/2007 - 09:22

Are the protocol fixups enabled by default?

I assume you meant...

no fixup protocol ssh 22

for the ssh port flow.

blindquist Fri, 08/03/2007 - 10:05

I also noticed a mistake in my previous post. It should have read:

"sftp" as the command and not "ftp"

This may have been confusing.

acomiskey Fri, 08/03/2007 - 10:15

Sorry I'm at a loss. Is the sftp server in the inside or the dmz? The pix isn't logging anything?
