SSH through a PIX to a Unix Server

Unanswered Question
Dec 19th, 2007

I need to set up a PIX to allow SSH traffic to a Unix server on our network. I need suggestions on how to do this. I tried an access list, and I don't think port forwarding is an option with the PIX. Need help.

cisco24x7 Wed, 12/19/2007 - 15:12

static (i,o) tcp interface 22 192.168.1.10 22 netmask 255.255.255.255

access-list test permit tcp any interface eq 22 log

access-group test in interface outside


where 192.168.1.10 is the ip address of the unix server.


Easy right?


CCIE security

asmith252 Fri, 12/28/2007 - 06:10

Will this affect any of the other access-lists that I currently have? (I know it probably won't, but I am allowing voice traffic through the PIX as well, so I definitely do not want anything to mess that up.) Appreciate the help.

srue Fri, 12/28/2007 - 06:25

That solution will work as long as you don't want to be able to SSH to the outside interface of your PIX.

You need to add that ACL entry to whatever your outside-to-inside ACL is. He was just showing you an example.

asmith252 Fri, 12/28/2007 - 06:39

OK, after I add the ACL entry to the outside-to-inside ACL, will it allow SSH from outside the network? The whole reason I'm doing this is so a vendor can connect to a server on our network.

cisco24x7 Fri, 12/28/2007 - 06:45

Yes, it will. As a test, you can do this:

access-list test permit tcp any interface eq 22 log

access-list test permit ip any any log

access-group test in interface outside

That will make sure you don't break anything along the way. Once you know everything works, you can start locking down your stuff.

The example I gave you means that you will NOT be able to SSH to the PIX itself from the outside interface. This is one of many things I do not like about the PIX. With other firewall vendors such as Checkpoint or Juniper, you can change the SSH port on the firewall itself to something other than 22. For example, on the Checkpoint firewall, I can change the SSH port from 22 to 222 so that from the outside, I can SSH to both the Unix server and the firewall at the same time.


Anyway, that should work for you.


CCIE security

asmith252 Fri, 12/28/2007 - 14:35

I entered those commands into the CLI. It didn't like the eq 22 statement, so I just put in interface 22. Now, when the vendor tries to SSH into the server, he gets a timeout message. Also, he said he only sees port 1723 open for the Windows VPN. He has the right public IP, so right now I am kind of stumped.

asmith252 Wed, 01/02/2008 - 10:45

I entered the ACL command as it is above and it will not accept the first line. I took out the eq 22 and just used interface 22 log, and then it said that interface 22 does not exist.

cisco24x7 Wed, 01/02/2008 - 11:05

ACL should be:


access-list test permit tcp any interface outside eq 222 log
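As an added illustration (not code from any poster in this thread), a small Python lint that cross-checks a static/access-list pair the way the replies above do by hand. It assumes the PIX syntax quoted in the thread with the interface names spelled out (inside/outside rather than i/o), and it flags the two mistakes that show up here: an access-list whose "interface" keyword is not followed by an interface name, and an access-list port that does not match the port the static publishes.

```python
import re

# Assumed PIX form: static (REAL,MAPPED) tcp interface GPORT LOCAL_IP LPORT netmask MASK
STATIC_RE = re.compile(
    r"^static\s+\((?P<real>\w+),(?P<mapped>\w+)\)\s+tcp\s+interface\s+"
    r"(?P<gport>\d+)\s+(?P<lip>[\d.]+)\s+(?P<lport>\d+)\s+netmask\s+[\d.]+$"
)
# Assumed form: access-list NAME permit tcp any interface IFNAME eq PORT [log]
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+tcp\s+any\s+interface\s+"
    r"(?P<iface>\S+)\s+eq\s+(?P<port>\d+)(?:\s+log)?$"
)

# Interface names assumed to exist on the firewall (constructed for this example)
KNOWN_IFACES = {"inside", "outside"}

# Constructed sample: the thread's static with interface names written out
STATIC_OK = "static (inside,outside) tcp interface 22 192.168.1.10 22 netmask 255.255.255.255"


def lint_ssh_forward(static_line, acl_line):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    s = STATIC_RE.match(static_line.strip())
    a = ACL_RE.match(acl_line.strip())
    if s is None:
        problems.append("static: unrecognised syntax")
    if a is None:
        # Catches "interface eq 22" (no interface name) and "interface 22" (no eq)
        problems.append("access-list: expected 'interface <name> eq <port>'")
    if s is None or a is None:
        return problems
    if a["iface"] not in KNOWN_IFACES:
        problems.append(f"access-list: '{a['iface']}' is not an interface name")
    if a["iface"] != s["mapped"]:
        problems.append("access-list interface does not match the static's mapped interface")
    if a["port"] != s["gport"]:
        # The last reply permits 222 while the static only publishes 22
        problems.append(f"port mismatch: static publishes {s['gport']} but ACL permits {a['port']}")
    return problems


if __name__ == "__main__":
    for acl in ("access-list test permit tcp any interface eq 22 log",
                "access-list test permit tcp any interface outside eq 222 log",
                "access-list test permit tcp any interface outside eq 22 log"):
        print(acl, "->", lint_ssh_forward(STATIC_OK, acl) or "OK")
```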


