Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
602
Views
0
Helpful
5
Replies

PIX 515E issue

vinoth.kumar
Level 1
Level 1

‎02-18-2010 06:44 AM - edited ‎03-11-2019 10:11 AM

Hi

Currently in our network we are using PIX 515E in that

we have done all NAT access from outside to inside for all web access for example:

static (inside,outside) tcp 1.1.1.1 23 X.X.X.X 23 -- is this PAT is applied to both inbound and outbound

static (inside,outside) tcp 2.2.2.2 22 Y.Y.Y.Y 22 -- is this PAT is applied to both inbound and outbound

access-list NAT permit ip any host 1.1.1.1 eq 23 - inbound acl to access telnet service to inside host

access-list NAT permit ip any eq 23 host 2.2.2.2 eq 23 - outboung acl to access SSH service to outside public IP

access-group NAT in interface outside

now our issue is we are ablet to access the telnet service from outside world to inside host but we are unable to access the SSH to outside world from the inside host

can anyone help me resolve this , we doubt it may be IOS issue

our current IOS is PIX723.bin and can i know which IOS is best for PIX

thanks

Labels:
0 Helpful
5 Replies 5

Jerry Ye
Cisco Employee
Cisco Employee

‎02-18-2010 08:09 AM

Check your ACL

access-list NAT permit ip any eq 23 host 2.2.2.2 eq 23

SSH is port 22, and the source port (client) will not be 22, it is a random high port.

HTH,

jerry

0 Helpful

vinoth.kumar
Level 1
Level 1
In response to Jerry Ye

‎02-18-2010 08:46 AM

thanks for the reply

sorry its port 22 only i mistakently written

access-list NAT permit ip any eq 22 host 2.2.2.2 eq 22

still its not working

0 Helpful

Jerry Ye
Cisco Employee
Cisco Employee
In response to vinoth.kumar

‎02-18-2010 08:50 AM

I am assuming the SSH server is inside the FW. If that is true, you rule shoud look like

access-list NAT permit tcp any host 2.2.2.2 eq 22

HTH,

jerry

0 Helpful

vinoth.kumar
Level 1
Level 1
In response to Jerry Ye

‎02-18-2010 09:13 AM

basically we need to put single PAT entry and allow access to both inbound

and outbound direction

can u help me how to achieve this

static (inside,outside) tcp publicip 22 LANIP 22

now we need to access from outside world to LANIP thorugh port 22 and also

we need port 22 should be access to outside word from LANIP server

when we trying from LAN server to outside world we are getting the log like

this which is unsuccesfull:

%PIX-7-609001: Built local-host outside:PUBLICIP

%PIX-6-302013: Built outbound TCP connection 1273 for outside:PUBLICIP/22 (

PUBLICIP/22) to inside:LANIP/55185 (LANIP/55185)

%PIX-6-302014: Teardown TCP connection 1335 for outside:PUBLICIP/22 to

inside:LANIP/55208 duration 0:00:30 bytes 0 SYN Timeout

0 Helpful

Jerry Ye
Cisco Employee
Cisco Employee
In response to vinoth.kumar

‎02-18-2010 09:39 AM

You can't do 2 things with one single statement. What you are looking for is really PBR and NAT.

Where you will NAT your incoming connection to 2.2.2.2 for destination port 22.

PBR is for your out bound connection sourced from 2.2.2.2 to x where its destination port is 22.

Regards,

jerry

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card