
New Member

opening ports

I need to let a vendor have access to a network device that they installed. I added the following two lines into my PIX 515.

access-list acl_out permit tcp host vendor.ip.address host my.outside.ip.address eq ssh

static (inside,outside) tcp my.outside.ip.address ssh ssh netmask 0 0

They cannot connect so I'm not sure if I set it up correctly. I also tried doing a port scan and the port does not list as being open. Did I do something wrong here?



Re: opening ports

Did you apply the acl?

access-group acl_out in interface outside

New Member

Re: opening ports

Yes, the access-group was applied.


Re: opening ports

Is "my.outside.ip.address" the same as the outside interface address of your PIX?

If so, you should use the keyword "interface" in the static and acl statements.

access-list acl_out permit tcp host vendor.ip.address interface outside eq ssh

static (inside,outside) tcp interface ssh ssh netmask 0 0
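
As an added example (not from this thread), a small Python lint that flags the two things the replies above ask about: an ACL that was never bound with access-group, and the PIX outside interface's own address written as a literal where the "interface" keyword is needed. The addresses and the inside host are constructed, and the full static syntax with local IP and netmask is assumed from PIX 6.x.

```python
import re
from typing import List

# Regexes for the three PIX 6.x command forms discussed in the thread.
# (Written for this check; they cover only the simple "host"/"interface" forms.)
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+tcp\s+host\s+(?P<src>\S+)\s+"
    r"(?:host\s+(?P<dst>\S+)|interface\s+(?P<dst_if>\S+))\s+eq\s+(?P<port>\S+)")
STATIC_RE = re.compile(
    r"^static\s+\((?P<in_if>\w+),(?P<out_if>\w+)\)\s+tcp\s+"
    r"(?:(?P<gip>\d+\.\d+\.\d+\.\d+)|(?P<gif>interface))\s+(?P<gport>\S+)\s+"
    r"(?P<lip>\d+\.\d+\.\d+\.\d+)\s+(?P<lport>\S+)")
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<if>\w+)")


def check_port_forward(config: str, outside_if_ip: str) -> List[str]:
    """Return findings for the two mistakes the thread discusses: an ACL never
    applied with access-group, and the outside interface address used as a
    literal in static/access-list where PIX requires the 'interface' keyword."""
    findings = []
    acl_names, applied = set(), set()
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL_RE.match(line):
            acl_names.add(m["name"])
            if m["dst"] == outside_if_ip:
                findings.append(f"ACL {m['name']}: destination {m['dst']} is the outside "
                                "interface address; use 'interface outside' instead")
        elif m := STATIC_RE.match(line):
            if m["gip"] == outside_if_ip:
                findings.append(f"static: global address {m['gip']} is the outside "
                                "interface address; use the 'interface' keyword")
        elif m := GROUP_RE.match(line):
            applied.add(m["name"])
    for name in sorted(acl_names - applied):
        findings.append(f"ACL {name} is defined but never applied with access-group")
    return findings


# Constructed sample in the poster's shape: 198.51.100.10 plays the PIX outside
# interface address, 203.0.113.5 the vendor, 10.1.1.5 the inside device.
OUTSIDE_IF_IP = "198.51.100.10"
AS_POSTED = """
access-list acl_out permit tcp host 203.0.113.5 host 198.51.100.10 eq ssh
static (inside,outside) tcp 198.51.100.10 ssh 10.1.1.5 ssh netmask 255.255.255.255 0 0
"""
CORRECTED = """
access-list acl_out permit tcp host 203.0.113.5 interface outside eq ssh
static (inside,outside) tcp interface ssh 10.1.1.5 ssh netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""

if __name__ == "__main__":
    for finding in check_port_forward(AS_POSTED, OUTSIDE_IF_IP):
        print(finding)
```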

Hall of Fame Super Blue

Re: opening ports


When you say you did a port scan, was this from inside or outside the firewall?

There doesn't seem to be anything wrong with the config you posted, so perhaps you could post the full config (minus any sensitive information).

Other things to check

1) Is the network directly attached to the PIX? If not, do you have a route to that network?

2) The vendor IP address will need to be routed back out from your network. Is the default gateway pointing to the PIX? If not, do you have other routing in your network that would send the reply traffic back to the PIX?

3) Can you ssh internally to this server?



New Member

Re: opening ports

Good suggestions. I will try all of these.

The port scan was from outside the firewall.

I was thinking the config was correct as well. I already did this same thing for another vendor just using a different port and it works for them. I will try to ssh to the vendor device and go from there.

Thanks guys.