SSH through a PIX to a Unix Server

asmith252
Level 1

I need to set up a PIX to allow SSH traffic to a Unix server on our network. I need suggestions on how to do this. I tried an access list, and I don't think port forwarding is an option with the PIX. Need help.

10 Replies

cisco24x7
Level 6

static (i,o) tcp interface 22 192.168.1.10 22 netmask 255.255.255.255

access-list test permit tcp any interface eq 22 log

access-group test in interface outside

where 192.168.1.10 is the IP address of the Unix server.

Easy right?

CCIE security

Will this affect any of the other access lists that I currently have? (I know it probably won't, but I am allowing voice traffic through the PIX as well, so I definitely do not want anything to mess that up.) Appreciate the help.

That solution will work as long as you don't want to be able to SSH to the outside interface of your PIX.

You need to add that ACL entry to whatever your outside-to-inside ACL is. He was just showing you an example.

OK, after I add the ACL entry to the outside-to-inside ACL, will it allow SSH from outside the network? The whole reason I'm doing this is so a vendor can connect to a server on our network.

Yes, it will. As a test, you can do this:

access-list test permit tcp any interface eq 22 log

access-list test permit ip any any log

access-group test in interface outside

That will make sure you don't break anything along the way. Once you know everything works, you can start locking down your stuff.

The example I gave you means that you will NOT be able to SSH to the PIX itself from the outside interface. This is one of many things I do not like about the PIX. With other firewall vendors such as Checkpoint or Juniper, you can change the SSH port on the firewall itself to something other than 22. For example, on the Checkpoint firewall, I can change the SSH port on the Checkpoint firewall from 22 to 222 so that from the outside, I can SSH to both the Unix box and the firewall at the same time.

Anyway, that should work for you.

CCIE security

You can change the port forwarding to be 222--->22 to the server. Just have your vendor change ports on their SSH session and keep the FW admin happy :)

I entered those commands into the CLI. It didn't like the "eq 22" statement, so I just put in "interface 22". Now, when the vendor tries to SSH into the server he gets a time-out message. Also, he said he only sees port 1723 open for the Windows VPN. He has the right public IP, so right now I am kind of stumped.

What does your static look like? It should be...

static (inside,outside) tcp interface 222 192.168.1.10 22 netmask 255.255.255.255

Is your ACL open for?

...permit tcp any interface outside eq 222

I entered the ACL command as it is above and it will not accept the first line. I took out the "eq 22" and just used "interface 22 log", and then it said that interface 22 does not exist.

ACL should be:

access-list test permit tcp any interface outside eq 222 log
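Putting the pieces from the replies above together into one consistent PIX 6.3-style configuration (an added example, not posted by anyone in this thread). It assumes the existing outside-to-inside ACL is named outside_in and uses 203.0.113.10 as a constructed placeholder for the vendor's public source address; both are assumptions, substitute your own.

```text
! Redirect TCP/222 arriving on the outside interface address to the Unix
! server on TCP/22. Using 222 instead of 22 leaves port 22 on the outside
! interface free for management SSH to the PIX itself.
static (inside,outside) tcp interface 222 192.168.1.10 22 netmask 255.255.255.255

! Permit only the vendor's source address (placeholder) to the forwarded port.
! The "interface outside" keyword is required: the destination is the outside
! interface's own address, not a literal host. Add this line to your existing
! outside-to-inside ACL rather than creating a second one, since only one ACL
! can be bound to an interface with access-group.
access-list outside_in permit tcp host 203.0.113.10 interface outside eq 222 log

! Bind (or re-bind) the ACL inbound on the outside interface.
access-group outside_in in interface outside

! Existing translations are not updated by a new static; clear them so the
! redirect takes effect, then confirm the static and the ACL hit counters.
clear xlate
show xlate
show access-list outside_in
```

The vendor connects with ssh -p 222 to the PIX outside address; the log keyword on the ACL entry gives you a syslog record of every accepted (and, with the implicit deny, every rejected) attempt to reach the forwarded port.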
