PIX 515E issue

Unanswered Question
Feb 18th, 2010

Hi


Currently in our network we are using a PIX 515E, in which we have done all NAT access from outside to inside for all web access, for example:

static (inside,outside) tcp 1.1.1.1 23 X.X.X.X 23 -- is this PAT applied to both inbound and outbound?

static (inside,outside) tcp 2.2.2.2 22 Y.Y.Y.Y 22 -- is this PAT applied to both inbound and outbound?

access-list NAT permit ip any host 1.1.1.1 eq 23 - inbound ACL to access the telnet service on the inside host

access-list NAT permit ip any eq 23 host 2.2.2.2 eq 23 - outbound ACL to access the SSH service on the outside public IP

access-group NAT in interface outside

Now our issue is that we are able to access the telnet service from the outside world to the inside host, but we are unable to access SSH to the outside world from the inside host.

Can anyone help me resolve this? We suspect it may be an IOS issue.

Our current IOS is PIX723.bin. Can I know which IOS is best for the PIX?

Thanks

Jerry Ye Thu, 02/18/2010 - 08:09
Cisco Employee

Check your ACL


access-list NAT permit ip any eq 23 host 2.2.2.2 eq 23


SSH is port 22, and the source port (client) will not be 22; it is a random high port.


HTH,

jerry

vinoth.kumar Thu, 02/18/2010 - 08:46

Thanks for the reply.

Sorry, it's port 22 only; I mistakenly wrote it wrong.

access-list NAT permit ip any eq 22 host 2.2.2.2 eq 22

Still it's not working.

Jerry Ye Thu, 02/18/2010 - 08:50
Cisco Employee

I am assuming the SSH server is inside the FW. If that is true, your rule should look like


access-list NAT permit tcp any host 2.2.2.2 eq 22


HTH,

jerry
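To make Jerry's point concrete, here is an added example (not from the thread or from Cisco) that models PIX-style ACE matching: it parses the original entry with the `eq 22` source-port qualifier and the corrected entry, and checks each against a constructed outside SSH client whose source port is ephemeral. The client addresses and ports, and the matcher itself, are assumptions; only `any`/`host` addresses and numeric ports are handled.

```python
def _take_addr(t):
    # 'any' or 'host X'; returns the address spec and the remaining tokens
    if t[0] == "any":
        return "any", t[1:]
    if t[0] == "host":
        return t[1], t[2:]
    raise ValueError("only 'any' and 'host X' are handled here")

def _take_port(t):
    # Optional 'eq N' qualifier after an address; None means "any port"
    return (int(t[1]), t[2:]) if t and t[0] == "eq" else (None, t)

def parse_ace(line):
    # access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]
    # Returns (action, proto, src, src_port, dst, dst_port)
    toks = line.split()
    action, proto, rest = toks[2], toks[3], toks[4:]
    src, rest = _take_addr(rest)
    src_port, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dst_port, rest = _take_port(rest)
    return action, proto, src, src_port, dst, dst_port

def ace_matches(ace, proto, src_ip, src_port, dst_ip, dst_port):
    # Every present qualifier must hold; an absent port qualifier matches any port
    action, a_proto, a_src, a_sport, a_dst, a_dport = ace
    return ((a_proto == "ip" or a_proto == proto)
            and a_src in ("any", src_ip) and a_dst in ("any", dst_ip)
            and a_sport in (None, src_port) and a_dport in (None, dst_port))

def acl_permits(acl_lines, proto, src_ip, src_port, dst_ip, dst_port):
    # First matching entry decides; no match falls through to the implicit deny
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, proto, src_ip, src_port, dst_ip, dst_port):
            return ace[0] == "permit"
    return False

# Constructed sample: an outside SSH client using an ephemeral source port (assumed values)
CLIENT = ("tcp", "198.51.100.7", 51234, "2.2.2.2", 22)
ORIGINAL_ACL = ["access-list NAT permit ip any eq 22 host 2.2.2.2 eq 22"]
CORRECTED_ACL = ["access-list NAT permit tcp any host 2.2.2.2 eq 22"]

if __name__ == "__main__":
    print("original:", acl_permits(ORIGINAL_ACL, *CLIENT))    # False: source port is not 22
    print("corrected:", acl_permits(CORRECTED_ACL, *CLIENT))  # True
```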

vinoth.kumar Thu, 02/18/2010 - 09:13

Basically we need to put a single PAT entry and allow access in both the inbound and outbound directions.

Can you help me how to achieve this?

static (inside,outside) tcp publicip 22 LANIP 22

Now we need to access LANIP from the outside world through port 22, and also we need port 22 to be accessible to the outside world from the LANIP server.

When we try from the LAN server to the outside world we are getting a log like this, which is unsuccessful:

%PIX-7-609001: Built local-host outside:PUBLICIP

%PIX-6-302013: Built outbound TCP connection 1273 for outside:PUBLICIP/22 (PUBLICIP/22) to inside:LANIP/55185 (LANIP/55185)

%PIX-6-302014: Teardown TCP connection 1335 for outside:PUBLICIP/22 to inside:LANIP/55208 duration 0:00:30 bytes 0 SYN Timeout

Jerry Ye Thu, 02/18/2010 - 09:39
Cisco Employee

You can't do 2 things with one single statement. What you are looking for is really PBR and NAT.


Where you will NAT your incoming connection to 2.2.2.2 for destination port 22.


PBR is for your outbound connection sourced from 2.2.2.2 to x where its destination port is 22.


Regards,

jerry
