Forward ssh requests to internal PC

I'm trying to forward all ssh requests for my outside IP to a PC, named "alphapc", behind my PIX 506E firewall. Under my current configuration, all ssh requests to my outside IP time out. My configuration is below.

Thanks,

Anton

: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password [***PASSWORD***] encrypted
passwd [***PASSWORD***] encrypted
hostname [***HOST NAME***]
domain-name laancor.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.111 alphapc
name 192.168.1.109 betapc
access-list ping_acl permit ip any any
access-list OUTSIDEACL permit tcp any host 0.0.0.0 eq www
pager lines 20
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside [***OUTSIDE IP ADDRESS***] 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location alphapc 255.255.255.255 inside
pdm location betapc 255.255.255.255 inside
pdm history enable
arp timeout 72
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface 22 alphapc 22 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 [***GATEWAY***] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns [***PRIMARY DNS***] [***SECONDARY DNS***]
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain [***DOMAIN NAME***]
dhcpd enable inside
terminal width 80

3 Replies

t-heeter
Level 1

It is not allowed through your OUTSIDEACL which is also not applied to an interface.

access-group OUTSIDEACL in interface outside

ajagadee
Cisco Employee

Hi,

You need to define an access-list to allow SSH to the translated IP Address and apply the access-group inbound on the outside interface.

For example:

access-list OUTSIDEACL permit tcp any host x.x.x.x eq 22

access-group OUTSIDEACL in interface outside

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **

Fernando_Meza
Level 7

Hi .. I don't think you can use the PIX's interface to redirect ssh to another host. You could however try by disabling ssh to the outside interface (no ssh 0.0.0.0 0.0.0.0 outside) and then modifying the static so that it has the public IP address of your PIX instead of the 'interface' keyword ..

static (inside,outside) tcp 22 alphapc 22 netmask 255.255.255.255

Allow access for ssh to the public IP of your PIX in the access-list applied to the outside interface, i.e.

access-list Outside_IN extended permit tcp any host eq 22

access-group Outside_IN in interface outside

NOTE: after modifying the static you will need to type clear xlate for the change to take place right away; however, any connections established at that moment will be forced to reconnect.

I hope it helps .. please rate if it does !!!
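Putting the three replies together, the complete set of changes looks like the following. This is an added example and not configuration posted by any of the participants; 203.0.113.10 is an assumed stand-in for the PIX's outside address ([***OUTSIDE IP ADDRESS***] in the original post), and alphapc is the 192.168.1.111 name already defined in the config.

```cisco
! Added example: the port-forward from the thread, rebuilt so that all three
! pieces (translation, access-list, access-group) are present.
! 203.0.113.10 is an assumed stand-in for the PIX outside address.

! 1. While "ssh 0.0.0.0 0.0.0.0 outside" is present, the PIX itself answers
!    tcp/22 on its outside address for management, which is the third reply's
!    objection to forwarding port 22 on that address. Remove it, or forward a
!    different outside port instead (e.g. 2222 -> alphapc:22).
no ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside

! 2. Static PAT: outside 203.0.113.10:22 -> alphapc:22. The original used the
!    "interface" keyword; the third reply suggests the explicit public address.
no static (inside,outside) tcp interface 22 alphapc 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 22 alphapc 22 netmask 255.255.255.255 0 0

! 3. The outside ACL must permit the flow. In this (pre-8.3) syntax the ACL
!    matches the translated outside address, not the inside address, and the
!    existing OUTSIDEACL was defined but never bound with access-group.
access-list OUTSIDEACL permit tcp any host 203.0.113.10 eq 22
access-group OUTSIDEACL in interface outside

! 4. Activate the changed static (drops current translations) and save.
clear xlate
write memory

! 5. Verify: the PAT should appear in the xlate table, the ACL entry's hit
!    count should increase after an SSH attempt from outside, and a
!    connection to alphapc should show up while the session is open.
show xlate
show access-list OUTSIDEACL
show conn
```

Two practitioner checks beyond the thread's question: if management SSH on the outside interface is kept at all, scope it to the administrator's source address rather than 0.0.0.0 0.0.0.0, and the "snmp-server community public" line in the posted config is the well-known default community and should be changed or removed before the box is reachable from the Internet.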
