PIX 515E issue


Currently in our network we are using a PIX 515E. On it

we have configured NAT access from outside to inside for all web access, for example:

static (inside,outside) tcp 23 X.X.X.X 23 -- is this PAT applied to both inbound and outbound?

static (inside,outside) tcp 22 Y.Y.Y.Y 22 -- is this PAT applied to both inbound and outbound?

access-list NAT permit ip any host eq 23 - inbound ACL to allow access to the telnet service on the inside host

access-list NAT permit ip any eq 23 host eq 23 - outbound ACL to allow access to the SSH service on the outside public IP

access-group NAT in interface outside

Now our issue is: we are able to access the telnet service from the outside world to the inside host, but we are unable to access SSH to the outside world from the inside host.

Can anyone help me resolve this? We suspect it may be an IOS issue.

Our current IOS is PIX723.bin. Can I know which IOS is best for the PIX?


Jerry Ye (Cisco Employee) Thu, 02/18/2010 - 08:09

Check your ACL

access-list NAT permit ip any eq 23 host eq 23

SSH is port 22, and the source port (client) will not be 22, it is a random high port.



vinoth.kumar Thu, 02/18/2010 - 08:46
Thanks for the reply.

Sorry, it is port 22 only; I mistakenly wrote 23.

access-list NAT permit ip any eq 22 host eq 22

Still it is not working.

Jerry Ye (Cisco Employee) Thu, 02/18/2010 - 08:50

I am assuming the SSH server is inside the FW. If that is true, your rule should look like

access-list NAT permit tcp any host eq 22

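To make the source-port versus destination-port point concrete, here is the inbound static PAT for the SSH server written out in full in PIX 7.x syntax, with the poster's ACL beside the corrected one and a `packet-tracer` check. This is an added example, not configuration from the thread; the addresses 203.0.113.10 (mapped, public) and 10.1.1.10 (real inside SSH server) are placeholders standing in for the poster's X.X.X.X and LANIP, and 198.51.100.7 is an assumed outside client.

```cisco
! Added example, not from the original thread. Placeholder addresses:
!   203.0.113.10 = mapped (public) address, stands in for the poster's X.X.X.X
!   10.1.1.10    = real inside SSH server, stands in for the poster's LANIP
!
! Static PAT. PIX 7.x argument order is:
!   static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port
! The translation is bidirectional only for this port pair: outbound packets
! from 10.1.1.10 sourced from TCP/22 are translated to 203.0.113.10/22, but
! outbound connections from other source ports need their own nat/global
! or static entry.
static (inside,outside) tcp 203.0.113.10 22 10.1.1.10 22 netmask 255.255.255.255

! WRONG: the "eq 22" directly after "any" is a SOURCE port test. An SSH client
! uses an ephemeral high source port, so this entry never matches a normal
! client and the SYN falls through to the implicit deny. (The poster's form
! "permit ip ... eq" is also not valid: port operators need tcp or udp.)
access-list NAT extended permit tcp any eq 22 host 203.0.113.10 eq 22

! RIGHT: any source port, destination port 22. On PIX 7.x the ACL applied to
! the outside interface references the MAPPED (public) address.
access-list NAT extended permit tcp any host 203.0.113.10 eq 22
access-group NAT in interface outside

! Verification: simulate an outside client on an ephemeral source port.
! With only the "eq 22 ... eq 22" entry the ACCESS-LIST phase reports DROP;
! with the corrected entry the result is ALLOW.
packet-tracer input outside tcp 198.51.100.7 51515 203.0.113.10 22

! The hitcnt on the permit entry should increase as real clients connect.
show access-list NAT
```

The `packet-tracer` output walks through each phase (route lookup, ACCESS-LIST, NAT, and so on) and ends with a Result line, so it shows which stage dropped the packet without waiting for a live client to time out.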


vinoth.kumar Thu, 02/18/2010 - 09:13

Basically we need to put in a single PAT entry and allow access in both the inbound

and outbound directions.

Can you help me with how to achieve this?

static (inside,outside) tcp publicip 22 LANIP 22

Now we need to access LANIP from the outside world through port 22, and we also

need port 22 to be accessible to the outside world from the LANIP server.

When we try from the LAN server to the outside world we get logs like

the following, which is unsuccessful:

%PIX-7-609001: Built local-host outside:PUBLICIP
%PIX-6-302013: Built outbound TCP connection 1273 for outside:PUBLICIP/22 (PUBLICIP/22) to inside:LANIP/55185 (LANIP/55185)
%PIX-6-302014: Teardown TCP connection 1335 for outside:PUBLICIP/22 to inside:LANIP/55208 duration 0:00:30 bytes 0 SYN Timeout

Jerry Ye (Cisco Employee) Thu, 02/18/2010 - 09:39

You can't do 2 things with one single statement. What you are looking for is really PBR and NAT.

Where you will NAT your incoming connection to for destination port 22.

PBR is for your outbound connection sourced from to x where its destination port is 22.



