New Member

Help with PIX 6.2 interface access & appropriate ACLs for SSH

I'm not very proficient with older PIX 6.2(1) code and I have the following scenario for a customer, and was wondering if anyone could please help me. I have an interface to access the PIX device on, which is currently reachable from the 10.1.1.x network, but I need to get this configured for the 10.1.2.x network. I'm also trying to get SSH working correctly.

current interface/nameif config:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ_2_XYZ security50

current interface/IP config:

ip address outside

ip address inside

ip address DMZ_2_XYZ

current ACL config:

access-list DMZ_2_XYZ_access_IN permit ip any any

access-list DMZ_2_XYZ_access_IN permit icmp any any

access-group DMZ_2_XYZ_access_IN in interface DMZ_2_XYZ

Static config:

static (inside,DMZ_2_XYZ) netmask 0 0

Current SSH config:

ssh inside

ssh inside

ssh DMZ_2_XYZ

Current route statements:

route inside 1

route DMZ_2_XYZ 1

Now, from what I know, first of all this needs a static mapping:

static (inside,???) tcp interface 22 22 netmask

then this needs an ACL:

access-list CORP_SSH_ACCESS_IN permit tcp netmask host eq 22

This is where I'm getting hung up:

a) the PIX doesn't know about the 10.1.2.x network

     i. and does it need a route statement to get back to the 10.1.2.x -- my thoughts are yes, b/c it won't know how to return traffic

b) not sure which order to place the interfaces in the "static (X,Y)" area since no interface is bound or connected to 10.1.2.x

c) I'm used to running the packet-tracer command on ASAs, so I'm trying to get a quick primer on the "capture" utility on PIX 6.2

Any help is much appreciated!!!

Hall of Fame Super Silver

Help with PIX 6.2 interface access & appropriate ACLs for SSH

A lot depends on where the network is in relation to the Pix. If it is downstream from the inside interface (i.e. beyond the gateway) then a simple:

     route inside

will do the trick given that you already have the necessary ssh statement in place. If the network is somewhere else, then you may need to adjust access-list and nat statements.
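As an added illustration of the answer above (not configuration from the thread or from Cisco), here is what the downstream case looks like on PIX 6.2 with constructed addresses: 10.1.2.0/24 is assumed to sit behind a router at 10.1.1.254 on the inside segment, and <inside-ip> stands for the PIX inside address that the original post omits.

```cisco
! Added example; all addresses are constructed placeholders.
! 1. Return route so the PIX knows how to reach the management network
route inside 10.1.2.0 255.255.255.0 10.1.1.254 1
! 2. Permit SSH to the inside interface from that subnet only
!    (avoid "ssh 0.0.0.0 0.0.0.0 inside", which opens management to any source)
ssh 10.1.2.0 255.255.255.0 inside
ssh timeout 10
! SSH needs an RSA key; hostname and domain-name must be set before generating it
hostname pixfw
domain-name example.com
ca generate rsa key 1024
ca save all
! 3. Verify with capture, the closest PIX 6.2 gets to packet-tracer:
!    an ACL selects the traffic, the capture is bound to an interface
access-list CAP_SSH permit tcp 10.1.2.0 255.255.255.0 host <inside-ip> eq 22
capture sshcap access-list CAP_SSH interface inside
show capture sshcap detail
show ssh sessions
```

No static or access-group entry is involved here because the SSH session terminates on the firewall itself rather than passing through it; static and interface ACLs only govern through-traffic.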

New Member

Help with PIX 6.2 interface access & appropriate ACLs for SSH

will give that a shot. I'm just not used to the static mapping portion on 6.2 code, and was trying to tap into some hive-knowledge here...  off to RTFM