12-05-2006 12:35 PM - edited 03-11-2019 02:04 AM
I'm trying to forward all ssh requests for my outside IP to a PC, named "alphapc", behind my PIX 506E firewall. Under my current configuration, all ssh requests to my outside IP timeout. My configuration is below.
Thanks,
Anton
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password [***PASSWORD***] encrypted
passwd [***PASSWORD***] encrypted
hostname [***HOST NAME***]
domain-name laancor.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.111 alphapc
name 192.168.1.109 betapc
access-list ping_acl permit ip any any
access-list OUTSIDEACL permit tcp any host 0.0.0.0 eq www
pager lines 20
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside [***OUTSIDE IP ADDRESS***] 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location alphapc 255.255.255.255 inside
pdm location betapc 255.255.255.255 inside
pdm history enable
arp timeout 72
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface 22 alphapc 22 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 [***GATEWAY***] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns [***PRIMARY DNS***] [***SECONDARY DNS***]
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain [***DOMAIN NAME***]
dhcpd enable inside
terminal width 80
12-05-2006 01:24 PM
It is not allowed through your OUTSIDEACL, which is also not applied to an interface.
access-group OUTSIDEACL in interface outside
12-05-2006 02:01 PM
Hi,
You need to define an access-list to allow SSH to the translated IP Address and apply the access-group inbound on the outside interface.
For example:
access-list OUTSIDEACL permit tcp any host x.x.x.x eq 22
access-group OUTSIDEACL in interface outside
I hope it helps.
Regards,
Arul
** Please rate all helpful posts **
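A check for the mistake the two answers describe (a static port-forward with no inbound access-group, or an applied ACL that lacks a permit for the mapped address and port), written as an added example for this thread and not part of the original posts; it is a small standalone Python audit over PIX 6.x-style config lines, and the outside address 203.0.113.10 is a constructed placeholder for the redacted one:

```python
import re
from collections import defaultdict

# Constructed excerpt of the poster's PIX 6.x config; 203.0.113.10 stands in for the redacted outside address.
BROKEN_CONFIG = """
ip address outside 203.0.113.10 255.255.255.0
access-list OUTSIDEACL permit tcp any host 0.0.0.0 eq www
static (inside,outside) tcp interface 22 alphapc 22 netmask 255.255.255.255 0 0
"""
# Same excerpt plus the fix the answer describes: permit tcp/22 to the mapped
# address and apply the ACL inbound on the outside interface.
FIXED_CONFIG = BROKEN_CONFIG + """
access-list OUTSIDEACL permit tcp any host 203.0.113.10 eq 22
access-group OUTSIDEACL in interface outside
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+) \S+$")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp|ip) (any|host \S+) (any|host \S+)(?: eq (\S+))?$")
AG_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
# PIX prints some well-known ports as keywords (e.g. "eq www" for 80)
PORT_NAMES = {"www": "80", "http": "80", "ssh": "22", "https": "443", "smtp": "25", "ftp": "21"}


def audit_port_forwards(config):
    """Return one finding per static port-forward that no applied inbound ACL permits."""
    if_addr, applied, statics = {}, {}, []
    acls = defaultdict(list)  # ACL name -> [(proto, dst, port or None)]
    for line in (ln.strip() for ln in config.splitlines()):
        if m := IP_RE.match(line):
            if_addr[m[1]] = m[2]
        elif m := ACL_RE.match(line):
            acls[m[1]].append((m[2], m[4], PORT_NAMES.get(m[5], m[5])))
        elif m := AG_RE.match(line):
            applied[m[2]] = m[1]
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
    findings = []
    for _real_if, mapped_if, proto, mapped, mport, real, _rport in statics:
        # "interface" means the mapped interface's own address (forwarding off the outside IP)
        dst = if_addr.get(mapped_if, "interface") if mapped == "interface" else mapped
        mport = PORT_NAMES.get(mport, mport)
        fwd = f"{proto}/{mport} to {dst} -> {real}"
        acl = applied.get(mapped_if)
        if acl is None:
            findings.append(f"{fwd}: no access-group applied inbound on {mapped_if}; inbound traffic is dropped")
        elif not any(p in (proto, "ip") and d in ("any", f"host {dst}") and prt in (None, mport)
                     for p, d, prt in acls[acl]):
            findings.append(f"{fwd}: ACL {acl} on {mapped_if} has no matching permit")
    return findings
```

Running it over BROKEN_CONFIG reports the missing access-group; over FIXED_CONFIG it reports nothing.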
12-05-2006 02:43 PM
Hi .. I don't think you can use the PIX's interface to redirect ssh to another host. You could however try by disabling ssh to the outside interface no ssh 0.0.0.0 0.0.0.0 outside and then modifying the static so that it has the public ip address of your PIX instead of the 'interface' keyword ..
static (inside,outside) tcp
allow access for ssh to the Public IP of your PIX on the access-list applied to the outside interface ..i.e
access-list Outside_IN extended permit tcp any host
access-group Outside_IN in interface outside
NOTE: after modifying the static you will need to type clear xlate for the change to take place right away, however any established connections at that moment will be forced to reconnect.
I hope it helps .. please rate if it does !!!