02-18-2010 06:44 AM - edited 03-11-2019 10:11 AM
Hi
Currently in our network we are using PIX 515E in that
we have done all NAT access from outside to inside for all web access for example:
static (inside,outside) tcp 1.1.1.1 23 X.X.X.X 23 -- is this PAT applied to both inbound and outbound?
static (inside,outside) tcp 2.2.2.2 22 Y.Y.Y.Y 22 -- is this PAT applied to both inbound and outbound?
access-list NAT permit ip any host 1.1.1.1 eq 23 - inbound acl to access telnet service to inside host
access-list NAT permit ip any eq 23 host 2.2.2.2 eq 23 - outbound acl to access SSH service to outside public IP
access-group NAT in interface outside
now our issue is we are able to access the telnet service from the outside world to the inside host, but we are unable to access SSH to the outside world from the inside host
can anyone help me resolve this? we doubt it may be an IOS issue
our current IOS is PIX723.bin; can I know which IOS is best for PIX?
thanks
02-18-2010 08:09 AM
Check your ACL
access-list NAT permit ip any eq 23 host 2.2.2.2 eq 23
SSH is port 22, and the source port (client) will not be 22, it is a random high port.
HTH,
jerry
02-18-2010 08:46 AM
thanks for the reply
sorry, it's port 22 only, I mistakenly wrote it
access-list NAT permit ip any eq 22 host 2.2.2.2 eq 22
still it's not working
02-18-2010 08:50 AM
I am assuming the SSH server is inside the FW. If that is true, your rule should look like
access-list NAT permit tcp any host 2.2.2.2 eq 22
HTH,
jerry
02-18-2010 09:13 AM
basically we need to put a single PAT entry and allow access in both the inbound and outbound direction
can you help me how to achieve this?
static (inside,outside) tcp publicip 22 LANIP 22
now we need to access from the outside world to LANIP through port 22, and also we need port 22 to be accessible to the outside world from the LANIP server
when we are trying from the LAN server to the outside world we are getting a log like this, which is unsuccessful:
%PIX-7-609001: Built local-host outside:PUBLICIP
%PIX-6-302013: Built outbound TCP connection 1273 for outside:PUBLICIP/22 (PUBLICIP/22) to inside:LANIP/55185 (LANIP/55185)
%PIX-6-302014: Teardown TCP connection 1335 for outside:PUBLICIP/22 to inside:LANIP/55208 duration 0:00:30 bytes 0 SYN Timeout
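As an added, defender-side example (not part of the thread), the following Python pairs the %PIX-6-302013 Built and %PIX-6-302014 Teardown messages by connection id and flags connections that never got past the SYN, i.e. the "bytes 0 SYN Timeout" symptom in the log above. The addresses and connection ids in the sample are constructed, and the endpoint-ordering rule in the comments is an assumption drawn from the lines quoted in this post.

```python
import re

# Constructed sample modelled on the %PIX-6-302013/302014 lines quoted above
# (RFC 5737 placeholder addresses, made-up connection ids).
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1273 for outside:203.0.113.10/22 (203.0.113.10/22) to inside:192.0.2.5/55185 (192.0.2.5/55185)
%PIX-6-302014: Teardown TCP connection 1273 for outside:203.0.113.10/22 to inside:192.0.2.5/55185 duration 0:00:30 bytes 0 SYN Timeout
%PIX-6-302013: Built inbound TCP connection 1301 for outside:198.51.100.7/40112 (198.51.100.7/40112) to inside:192.0.2.9/23 (192.0.2.9/23)
%PIX-6-302014: Teardown TCP connection 1301 for outside:198.51.100.7/40112 to inside:192.0.2.9/23 duration 0:05:12 bytes 8412 TCP FINs
"""

# Endpoint syntax: interface:real-address/real-port, optionally followed by the
# mapped (translated) address in parentheses on the Built message.
ENDPOINT = r"(?P<{n}_if>\w+):(?P<{n}_ip>[\d.]+)/(?P<{n}_port>\d+)(?: \((?P<{n}_map>[\d.]+/\d+)\))?"
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    + ENDPOINT.format(n="a") + " to " + ENDPOINT.format(n="b"))
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) for .* duration "
    r"(?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")

def parse_connections(log_text):
    """Pair Built/Teardown messages by connection id. Returns {id: record}."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            rec = m.groupdict()
            # Assumption from the quoted lines: the outside endpoint is listed
            # first in both directions, so the initiator is the inside endpoint
            # for outbound connections and the outside endpoint for inbound ones.
            src, dst = ("b", "a") if rec["dir"] == "outbound" else ("a", "b")
            rec["client"] = f'{rec[src + "_ip"]}:{rec[src + "_port"]}'
            rec["server"] = f'{rec[dst + "_ip"]}:{rec[dst + "_port"]}'
            rec.update(bytes=None, reason=None, duration=None)
            conns[rec["id"]] = rec
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in conns:  # ignore teardowns for connections never seen built
            conns[m["id"]].update(bytes=int(m["bytes"]), reason=m["reason"],
                                  duration=m["duration"])
    return conns

def failed_handshakes(conns):
    """Ids of connections the PIX built but whose SYN was never answered
    (the symptom in the post: 'bytes 0 SYN Timeout')."""
    return sorted(c["id"] for c in conns.values()
                  if c["reason"] == "SYN Timeout" and c["bytes"] == 0)

if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    for cid in failed_handshakes(conns):
        c = conns[cid]
        print(f"conn {cid}: {c['dir']} {c['client']} -> {c['server']} never completed")
```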
02-18-2010 09:39 AM
You can't do 2 things with one single statement. What you are looking for is really PBR and NAT.
Where you will NAT your incoming connection to 2.2.2.2 for destination port 22.
PBR is for your outbound connection sourced from 2.2.2.2 to x where its destination port is 22.
Regards,
jerry