07-13-2007 09:28 AM - edited 03-11-2019 03:44 AM
Hello,
I'm trying to redirect outside port connections destined for a specific "sftp" server by accepting port 22 connections destined for the sftp server and redirecting to port 2222 on the sftp server through the PIX.
static (inside,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255 0 0
I've read a number of articles which seem to indicate that it's certainly possible to do this:
static (inside,outside) tcp interface 2222 sftp.server.ip 22 netmask 255.255.255.255 0 0
But we still want to be able to use the ssh port on the sftp server for admin access and port 2222 for the sftp server.
Is there a way to do this?
07-13-2007 09:43 AM
Not sure I completely understand your question but it sounds like you want your sftp service to listen on port 2222. This would leave port 22 available for ssh.
07-13-2007 09:50 AM
Yes, that's correct.
We also want folks using the sftp service to not have to specify a port other than "22" which is the default. So we really would like the PIX to do the port redirection for us if possible.
07-13-2007 09:56 AM
What you want isn't necessarily going to work. You cannot have duplicate translations in the pix. If you create the following static to forward port 22 to 2222 for outside sftp clients...
static (inside,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255 0 0
then your outside ssh clients will not be able to hit the server on 22 as they will be redirected to 2222.
07-13-2007 10:09 AM
Thx for the quick response.
We do not allow any other SSH inbound to hosts in our DMZ. The servers in the DMZ can only be administered via SSH from our internal network via a separate set of firewalls.
Therefore this sftp server happens to be the only host that requires an SSH redirect on the PIX.
07-13-2007 10:13 AM
OK, good. Then all you need to do is set your sftp service to listen on port 2222. Add the following static...
static (dmz,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255
This will allow sftp clients on the outside to hit the sftp service on port 22 from the outside.
SSH clients on the inside will be able to access the ssh service on port 22.
Only catch is that internal sftp clients will need to use port 2222 for the sftp service, if needed.
Hope that works for you. Please rate helpful posts.
07-13-2007 11:00 AM
We did attempt to implement the very static you suggested:
static (dmz,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255 0 0
However, we were never able to get through the PIX, nor did the PIX even log connection attempts. We even tried adding an access list:
access-list red_in line 36 permit tcp any host sftp.server.ip eq 22
Which begs the question of whether the PIX treats ssh differently on the "outside" interface? Is there some other parameter / command needed to accept ssh connections for redirection from the outside interface of the PIX?
07-13-2007 11:09 AM
Looks like you had your acl wrong. It needs to reference the destination by the outside address, the interface address in this case, not the server's private dmz address.
access-list red_in permit tcp any interface outside eq 22
or
access-list red_in permit tcp any host
and
access-group red_in in interface outside
That should do the trick.
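Putting the two replies above together, here is the complete set of PIX commands for this redirection plus the checks to run afterwards. This is an added example, not configuration posted by anyone in this thread; it assumes PIX 6.3-style syntax, a placeholder server address of 192.0.2.10 sitting behind the dmz interface, and an sshd on that server already moved to port 2222.

```cisco
! Added example (not from any poster in this thread). Assumptions: PIX 6.3-style
! syntax, sftp server in the DMZ at 192.0.2.10 (placeholder address), and its
! sshd already reconfigured to listen on TCP 2222 ("Port 2222" in sshd_config).

! One translation for outside port 22: clients connect to the PIX outside
! address on 22 and are redirected to the server's 2222. Use (dmz,outside),
! the interface pair the server really sits behind; a (inside,outside) static
! for a DMZ host will never match. The trailing "0 0" are the max-connection
! and embryonic-connection limits (0 = unlimited). Only one static may claim
! outside port 22, so inside-to-DMZ admin ssh must go directly to 22 on the
! server through whatever path the inside already has.
static (dmz,outside) tcp interface 22 192.0.2.10 2222 netmask 255.255.255.255 0 0

! The ACL matches the pre-translation destination: the outside interface
! address on port 22, not the server's private DMZ address.
access-list red_in permit tcp any interface outside eq 22
access-group red_in in interface outside

! Checks after one test connection from an outside client:
!   show xlate               expect a PAT entry 192.0.2.10/2222 <-> outside/22
!   show conn                expect a TCP connection to the server on 2222
!   show access-list red_in  hit count on the permit line should increment
! With logging enabled an ACL deny is logged too, so complete silence from the
! PIX usually means the packets never reach the outside interface at all.
```

Internal sftp clients, as noted earlier in the thread, must connect straight to the server on port 2222 because the static only rewrites traffic arriving on the outside interface.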
07-13-2007 11:54 AM
We will update the access-list and try to get this configuration implemented again during our next change window.
Hope this works.
Thanks for your help!
07-13-2007 11:57 AM
It will. Please come back and let us know.
08-03-2007 07:54 AM
Hello,
We did attempt to implement this change last night with the new access list you'd recommended.
access-list red_in permit tcp any interface outside eq 22
static (inside,outside) tcp interface ssh x.x.x.x 2222 netmask 255.255.255.255 0 0
When we attempted to test access to the sftp server through the PIX we got the following error.
ftp -o Port=22 ftp@x.x.x.x
Connecting to x.x.x.x...
ssh: connect to host x.x.x.x port 22: Connection timed out
Couldn't read packet: Connection reset by peer
Also, the PIX didn't seem to be logging the connection attempts or forwarding the requests to port 2222 on the sftp server.
Perhaps we are still missing some key access-list parameter or is there something special about the way the PIX handles port 22 traffic forwarding?
08-03-2007 08:31 AM
Have you tried
no fixup protocol ftp 21
08-03-2007 09:22 AM
Are the protocol fixups enabled by default?
I assume you meant...
no fixup protocol ssh 22
for the ssh port flow.
08-03-2007 10:05 AM
I also noticed a mistake in my previous post. It should have read:
"sftp" as the command and not "ftp"
This may have been confusing.
08-03-2007 10:15 AM
Sorry I'm at a loss. Is the sftp server in the inside or the dmz? The pix isn't logging anything?