Yes, that's correct.

We also want folks using the sftp service to not have to specify a port other then "22" which is the default. So we really would like the PIX to do the port redirection for us if possible.

What you want isn't necessarily going to work. You cannot have duplicate translations in the pix. If you create the following static to forward port 22 to 2222 for outside sftp clients...

static (inside,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255 0 0

then your outside ssh clients will not be able to hit the server on 22 as they will be redirected to 2222.

Thx for the quick response.

We do not allow any other SSH inbound to hosts in our DMZ. The servers in the DMZ can only be administered via SSH from our internal network via a separate set of firewalls.

Therefore this sftp server happens to be the only host that requires an SSH redirect on the PIX.

OK, good. Then all you need to do is set your sftp service to listed on port 2222. Add the following static...

static (dmz,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255

This will allow sftp clients on the outside to hit the sftp service on port 22 from the outside.

SSH clients on the inside will be able to access the ssh service on port 22.

Only catch is that internal sftp clients will need to use port 2222 for the sftp service, if needed.

Hope that works for you. Please rate helpful posts.

We did attempt to implement the very static you suggested:

static (dmz,outside) tcp interface ssh sftp.server.ip 2222 netmask 255.255.255.255 0 0

However, we were never able to get through the PIX, nor did the PIX even log connection attempts. We even tried adding an access list access-list red_in line 36 permit tcp any host sftp.server.ip eq 22

Which begs the question of whether the PIX treats ssh differently on the "outside" interface? Is there some other parameter / command needed to accept ssh connections for redirection from the outside interface of the PIX?

Looks like you had your acl wrong. It needs to reference the destination by the outside address, the interface address in this case, not the servers private dmz address.

access-list red_in permit tcp any interface outside eq 22

or

access-list red_in permit tcp any host eq 22

and

access-group red_in in interface outside

That should do the trick.

We will update the access-list and try to get this configuration implemented again during our next change window.

Hope this works.

Thanks for your help!

It will. Please come back and let us know.

Hello,

We did attempt to implement this change last night with the new access list you'd recommended.

access-list red_in permit tcp any interface outside eq 22

static (inside,outside) tcp interface ssh x.x.x.x 2222 netmask 255.255.255.255 0 0

When we attempted to test access to the sftp server through the PIX we got the following error.

ftp -o Port=22 ftp@x.x.x.x

Connecting to x.x.x.x...

ssh: connect to host x.x.x.x port 22: Connection timed out

Couldn't read packet: Connection reset by peer

Also, the PIX didn't seem to be logging the connection attempts or forwarding the requests to port 2222 on the sftp server.

Perhaps we are still missing some key access-list parameter or is there something special about the way the PIX handles port 22 traffic forwarding?

Have you tried

no fixup protocol ftp 21

Are the protocol fixups enabled by default?

I assume you meant...

no fixup protocol ssh 22

for the ssh port flow.

I also noticed a mistake in my previous post. It should have read:

"sftp" as the command and not "ftp"

This may have been confusing.

Sorry I'm at a loss. Is the sftp server in the inside or the dmz? The pix isn't logging anything?