Port Redirection of SSH through PIX 6.3(4)

Jul 13th, 2007

Hello,

I'm trying to redirect outside port connections destined for a specific "sftp" server by accepting port 22 connections destined for the sftp server and redirecting to port 2222 on the sftp server through the PIX.


static (inside,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255 0 0


I've read a number of articles which seem to indicate that it's certainly possible to do this:


static (inside,outside) tcp interface 2222 sftp.server.ip 22 netmask 255.255.255.255 0 0


But we still want to be able to use the ssh port on the sftp server for admin access and port 2222 for the sftp server.


Is there a way to do this?

acomiskey Fri, 07/13/2007 - 09:43

Not sure I completely understand your question, but it sounds like you want your sftp service to listen on port 2222. This would leave port 22 available for ssh.

blindquist Fri, 07/13/2007 - 09:50

Yes, that's correct.

We also want folks using the sftp service to not have to specify a port other than "22", which is the default. So we really would like the PIX to do the port redirection for us if possible.

acomiskey Fri, 07/13/2007 - 09:56

What you want isn't necessarily going to work. You cannot have duplicate translations in the pix. If you create the following static to forward port 22 to 2222 for outside sftp clients...


static (inside,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255 0 0


then your outside ssh clients will not be able to hit the server on 22 as they will be redirected to 2222.

blindquist Fri, 07/13/2007 - 10:09

Thx for the quick response.


We do not allow any other SSH inbound to hosts in our DMZ. The servers in the DMZ can only be administered via SSH from our internal network via a separate set of firewalls.


Therefore this sftp server happens to be the only host that requires an SSH redirect on the PIX.

acomiskey Fri, 07/13/2007 - 10:13

OK, good. Then all you need to do is set your sftp service to listen on port 2222. Add the following static...


static (dmz,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255


This will allow sftp clients on the outside to hit the sftp service on port 22 from the outside.


SSH clients on the inside will be able to access the ssh service on port 22.


Only catch is that internal sftp clients will need to use port 2222 for the sftp service, if needed.


Hope that works for you. Please rate helpful posts.

blindquist Fri, 07/13/2007 - 11:00

We did attempt to implement the very static you suggested:


static (dmz,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255 0 0


However, we were never able to get through the PIX, nor did the PIX even log connection attempts. We even tried adding an access list:

access-list red_in line 36 permit tcp any host sftp.server.ip eq 22


Which begs the question of whether the PIX treats ssh differently on the "outside" interface? Is there some other parameter / command needed to accept ssh connections for redirection from the outside interface of the PIX?

acomiskey Fri, 07/13/2007 - 11:09

Looks like you had your acl wrong. It needs to reference the destination by the outside address, the interface address in this case, not the server's private dmz address.


access-list red_in permit tcp any interface outside eq 22

or

access-list red_in permit tcp any host eq 22

and

access-group red_in in interface outside


That should do the trick.
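For reference, here is the complete set of commands the advice in this thread adds up to, written out as an added example rather than copied from any single post. It assumes a PIX 6.3 with the sftp host behind the dmz interface at the placeholder address sftp.server.ip, the sftp daemon on that host already moved to tcp/2222, and the access-list name red_in from the posts above; the verification commands at the end are standard PIX show commands and make no config change.

```cisco
! Added example, not from the thread. Assumes PIX 6.3, the sftp host
! behind the dmz interface at sftp.server.ip (placeholder), and that the
! sftp daemon on that host listens on tcp/2222.

! One static PAT: outside clients connect to the PIX outside address on
! tcp/22 and are translated to sftp.server.ip tcp/2222. The host's real
! tcp/22 is untouched, so admin SSH from the inside keeps working.
static (dmz,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255 0 0

! Inbound ACL on outside. On PIX 6.3 an inbound access-list is matched
! against the global (pre-translation) destination, which here is the
! outside interface address, not the host's private dmz address.
access-list red_in permit tcp any interface outside eq 22
access-group red_in in interface outside

! Flush existing translations so the new static is used, and make sure
! accepted and denied connections are actually logged.
clear xlate
logging on
logging buffered informational

! Verification (show commands only):
!   show xlate              - the static PAT entry for tcp/22 -> sftp.server.ip/2222 should be listed
!   show access-list red_in - the hitcnt on the permit line should increase with each test connection
!   show conn               - a test connection should appear as outside client -> dmz sftp.server.ip/2222
```

The ACL line is the part that most often goes wrong: because the access-list on the outside interface is evaluated before the static translation is applied, a rule written against the private dmz address never matches, so the packet is dropped before it reaches the xlate table. If `show access-list red_in` stays at hitcnt=0 while tests are running, the traffic is not matching the permit line at all, which points at the ACL rather than the static.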

blindquist Fri, 07/13/2007 - 11:54

We will update the access-list and try to get this configuration implemented again during our next change window.


Hope this works.


Thanks for your help!

acomiskey Fri, 07/13/2007 - 11:57

It will. Please come back and let us know.

blindquist Fri, 08/03/2007 - 07:54

Hello,

We did attempt to implement this change last night with the new access list you'd recommended.


access-list red_in permit tcp any interface outside eq 22

static (inside,outside) tcp interface ssh x.x.x.x 2222 netmask 255.255.255.255 0 0


When we attempted to test access to the sftp server through the PIX we got the following error.


ftp -o Port=22 [email protected]

Connecting to x.x.x.x...

ssh: connect to host x.x.x.x port 22: Connection timed out

Couldn't read packet: Connection reset by peer


Also, the PIX didn't seem to be logging the connection attempts or forwarding the requests to port 2222 on the sftp server.


Perhaps we are still missing some key access-list parameter or is there something special about the way the PIX handles port 22 traffic forwarding?

acomiskey Fri, 08/03/2007 - 08:31

Have you tried


no fixup protocol ftp 21

blindquist Fri, 08/03/2007 - 09:22

Are the protocol fixups enabled by default?


I assume you meant...


no fixup protocol ssh 22


for the ssh port flow.

blindquist Fri, 08/03/2007 - 10:05

I also noticed a mistake in my previous post. It should have read:


"sftp" as the command and not "ftp"


This may have been confusing.

acomiskey Fri, 08/03/2007 - 10:15

Sorry, I'm at a loss. Is the sftp server in the inside or the dmz? The pix isn't logging anything?
