12-19-2007 01:55 PM - edited 03-12-2019 05:52 PM
I need to setup a PIX to allow ssh traffic to a Unix server on our network. I need suggestions on how to do this. I tried an access list and I don't think port forwarding is an option with the PIX. Need help.
12-19-2007 03:12 PM
static (i,o) tcp interface 22 192.168.1.10 22 netmask 255.255.255.255
access-list test permit tcp any interface eq 22 log
access-group test in interface outside
where 192.168.1.10 is the ip address of the unix server.
Easy right?
CCIE security
12-28-2007 06:10 AM
Will this affect any of the other access-lists that I currently have? (I know it probably won't, but I am allowing voice traffic through the PIX as well, so I definitely do not want anything to mess that up.) Appreciate the help.
12-28-2007 06:25 AM
that solution will work as long as you don't want to be able to ssh to the outside interface of your pix.
you need to add that acl entry to whatever your outside-2-inside acl is. he was just showing you an example.
12-28-2007 06:39 AM
ok, after I add the acl entry to the outside-2-inside acl, will it allow ssh from outside the network? the whole reason i'm doing this is so a vendor can connect to a server on our network.
12-28-2007 06:45 AM
Yes, it will. As a test, you can do this:
access-list test permit tcp any interface eq 22 log
access-list test permit ip any any log
access-group test in interface outside
that will make sure you don't break anything along the way. Once you know everything works, you can start locking down your stuff.
The example I gave you means that you will NOT be able to ssh to the Pix itself from the outside interface. This is one of many things I do not like about Pix. With other firewall vendors such as Checkpoint or Juniper, you can change the ssh port on the firewall itself to something other than 22. For example, on the checkpoint firewall, I can change the ssh port on the checkpoint firewall from 22 to 222 so that from the outside, I can ssh to both the Unix and the firewall at the same time.
Anyway, that should work for you.
CCIE security
12-28-2007 02:20 PM
you can change the port forwarding to be 222--->22 to the server. just have your vendor change ports on their SSH session and keep the fw admin happy :)
12-28-2007 02:35 PM
I entered those commands into the CLI. It didn't like the eq 22 statement so I just put in interface 22. Now, when the vendor tries to ssh into the server he gets a time out message. Also, he said he only sees port 1723 open for the Windows VPN. He has the right public IP so right now I am kind of stumped.
12-28-2007 03:47 PM
What does your static look like? It should be...
static (inside,outside) tcp interface 222 192.168.1.10 22 netmask 255.255.255.255
Is your ACL open for?
...permit tcp any interface outside eq 222
01-02-2008 10:45 AM
I entered the acl command as it is above and it will not accept the first line. I took out the eq 22 and just used interface 22 log, and then it said that interface 22 does not exist.
01-02-2008 11:05 AM
ACL should be:
access-list test permit tcp any interface outside eq 222 log
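Pulling the corrected pieces of this thread together in one place, as an added example that is not from any of the posters above. The vendor address 203.0.113.10 and the ACL name outside_in are assumed placeholders; the point is that the temporary "permit ip any any" test line is gone and the source is no longer "any".

```cisco
! Static PAT on the outside interface: outside port 222 -> Unix server port 22.
! Using 222 leaves port 22 on the outside interface free for the PIX's own ssh.
static (inside,outside) tcp interface 222 192.168.1.10 22 netmask 255.255.255.255
!
! Outside-to-inside ACL. Only the vendor's public address may reach the forwarded
! port, and hits are logged so the connection attempts show up in syslog.
! The destination is the outside interface itself, not the inside address,
! and the port is the translated one (222), not the server's real port (22).
access-list outside_in permit tcp host 203.0.113.10 interface outside eq 222 log
!
! Apply the ACL inbound on the outside interface. If an outside-to-inside ACL
! already exists (e.g. for the voice traffic), add the permit line to that ACL
! instead of creating a second one; only one access-group can be bound per
! interface and direction.
access-group outside_in in interface outside
!
! After changing a static, clear the existing translations so the new one
! is used for new connections.
clear xlate
```

Once the vendor confirms a successful ssh session on port 222, the "permit ip any any log" line from the earlier test should not remain in the ACL, since it opens every inside host to the outside.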