ssh through Pix to 6500

Bruce Summers
Level 1

I didn't really know how to describe the subject, so here goes.

Using a 6513 to originate an SSH connection to a 6509 through a Pix 535. That is what I'm attempting to do.

On the Pix, 3 interfaces: outside sec level 0, 192.168.15.11 /27; inside sec level 100, 192.168.15.33 /24; and a 3rd interface to be used for "mgmt", sec level 10, 10.10.10.1 /24.

On 6509, 2 physical interfaces 192.168.15.35 /24 and 10.10.10.2 /24.

From the 6513, I can ping the 6509 through the pix to both destinations.

However, from the 6513 I can only ssh to the 192.168.15.36 address.

I have noted the following when pinging, using sho conn on the pix:

ping to 192.168.15.35

ICMP outside 192.168.15.10:152 Inside 192.168.15.35:0, idle 0:00:00, bytes 67608
ICMP outside 192.168.15.10:152 Inside 192.168.15.35:0, idle 0:00:00, bytes 67608

ping to 10.10.10.2

ICMP outside 192.168.15.10:153 Inside 10.10.10.2:0, idle 0:00:00, bytes 42336
ICMP outside 192.168.15.10:153 Jump_Mgmt 10.10.10.2:0, idle 0:00:00, bytes 42408

It appears the return traffic is coming back from the 6509 via the default route 0.0.0.0 0.0.0.0 192.168.15.33 RATHER than the connected route between the 2 10.10.10.0 /24 interfaces. I see a TCP deny on the inside interface coming from the 6509 (10.10.10.2), which seems like it would make sense since the traffic didn't originate through the inside interface en route to the 6509...

I'm not sure how to overcome this...

any help would be appreciated...

bruce

36 Replies

bruce.summers wrote:

understood...but, I thought we had surmised that global nat would apply to all traffic...don't want to do that...

Not if you use policy NAT, i.e. you use an access-list to define when to NAT, e.g.

access-list PNAT permit host 192.168.x.x host 10.10.10.2

nat (outside) 1 access-list PNAT outside

global (mgmt) 1 interface

Note the "outside" after the PNAT. That is the only thing I'm not sure about, i.e. whether you can have policy NAT and use the outside keyword as well.

So I guess you should be careful either way.

Jon

roger..

thanks for your help on this...i'll give it a try and see if it works...

let me make sure i got this correct.

create an access list PNAT (access-list PNAT permit host 192.168.15.10 host 10.10.10.2

nat (outside) 1 access-list PNAT outside

global (mgmt) 1 interface

what is actually natting the 192 to the 10.10???  is it that PNAT access list?

bruce.summers wrote:

let me make sure i got this correct.

create an access list PNAT (access-list PNAT permit host 192.168.15.10 host 10.10.10.2

nat (outside) 1 access-list PNAT outside

global (mgmt) 1 interface

what is actually natting the 192 to the 10.10???  is it that PNAT access list?

Bruce

The access-list simply defines which traffic to NAT. So in this case, when host 192.168.15.10 sends a packet to 10.10.10.2, 192.168.5.10 will get natted to the IP address assigned to the mgmt interface. To the 6509 the packet has a src address of 10.10.10.1, so it knows to send it back to the pix management interface.

Jon

ah...that's right...my bad...thanks

no IP required in the access-list

ie.   access-list PNATline 1 ext permit IP h 192.168.15.10 h 10.10.10.2

???

bruce.summers wrote:

no IP required in the access-list

ie.   access-list PNATline 1 ext permit IP h 192.168.15.10 h 10.10.10.2

???

that would be my bad

Yes, you need an IP after the permit.

Jon

lol...there is actually a "host" statement after permit also, that's why it was throwing me the curve...

thanks...

hmmm...since I already have an access-list that allows IP any, it would seem I could use that (as it is applied to the outside interface)...

so, rather than access-list PNAT Outside blah blah, I would just replace the "PNAT" acl with the existing "outside" acl...

bruce.summers wrote:

hmmm...since I already have an access-list that allows IP any, it would seem I could use that (as it is applied to the outside interface)...

so, rather than access-list PNAT Outside blah blah, I would just replace the "PNAT" acl with the existing "outside" acl...

Bruce

No, you don't want to do that unless the only line in the acl is between the 192.168.15.10 host and the 10.10.10.2.

Jon

hmmm...that won't work...I'll have to add an ACE to the existing outside acl...

Trust me, just use a dedicated acl for the policy NAT.

I trust ya, man...

the problem is this...

I have an access-group which is applied to the Outside interface using the "outside" acl...

I created the PNAT acl, associated it with the outside interface, and it removed my existing access-group for the outside interface...

so, short of adding the following, I'm not sure how to apply what you are suggesting...

access-list Outside line 1 extended permit ip h 192.168.15.10 host 10.10.10.2

access-list Outside line 2 extended permit ip any any

access-list Outside line 3 extended permit icmp any any

access-group Outside in interface outside

bruce.summers wrote:

I trust ya, man...

the problem is this...

I have an access-group which is applied to the Outside interface using the "outside" acl...

I created the PNAT acl, associated it with the outside interface, and it removed my existing access-group for the outside interface...

so, short of adding the following, I'm not sure how to apply what you are suggesting...

access-list Outside line 1 extended permit ip h 192.168.15.10 host 10.10.10.2

access-list Outside line 2 extended permit ip any any

access-list Outside line 3 extended permit icmp any any

access-group Outside in interface outside

Bruce

The PNAT acl does not need to be applied to an interface, it is simply for NAT. Leave your existing acl on the outside interface.

The only reference you need to the PNAT acl is in the nat statement itself. The PNAT acl is not concerned with permitting/restricting traffic.

Jon
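To make Jon's explanation concrete, here is an added Python model (not from this thread or any Cisco product) of why the SSH to 10.10.10.2 failed and why policy NAT fixes it. It assumes a simplified 6509 routing table (10.10.10.0/24 connected via the mgmt link, everything else via the PIX inside address) and the PNAT access-list, nat and global lines quoted above; the interface names and the stateful check are a constructed approximation of the PIX behaviour described in the thread.

```python
import ipaddress

# Constructed, simplified model of the thread's topology (not the poster's
# running config): the 6509 reaches 10.10.10.0/24 over its connected mgmt link
# and sends everything else to the PIX inside address 192.168.15.33.
ROUTES_6509 = [
    (ipaddress.ip_network("10.10.10.0/24"), "Jump_Mgmt"),  # connected, lands on PIX mgmt
    (ipaddress.ip_network("0.0.0.0/0"), "inside"),        # default via 192.168.15.33
]
MGMT_NET = ipaddress.ip_network("10.10.10.0/24")
MGMT_IF_IP = "10.10.10.1"   # PIX mgmt address handed out by "global (mgmt) 1 interface"
# access-list PNAT extended permit ip host 192.168.15.10 host 10.10.10.2
PNAT_ACL = {("192.168.15.10", "10.10.10.2")}


def reply_interface_6509(dst):
    """Longest-prefix match on the 6509: which PIX interface its reply arrives on."""
    matches = [(net, pix_if) for net, pix_if in ROUTES_6509 if ipaddress.ip_address(dst) in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def policy_nat_source(src, dst):
    """nat (outside) 1 access-list PNAT outside: translate src only when the ACL matches."""
    return MGMT_IF_IP if (src, dst) in PNAT_ACL else src


def ssh_round_trip(src, dst, use_policy_nat):
    """Return 'allowed' or a denial reason, mirroring the PIX stateful conn check."""
    translated = policy_nat_source(src, dst) if use_policy_nat else src
    # The PIX builds the conn entry on the interface it forwards the SYN out of.
    conn_if = "Jump_Mgmt" if ipaddress.ip_address(dst) in MGMT_NET else "inside"
    reply_if = reply_interface_6509(translated)   # the 6509 routes on the source it saw
    if reply_if == conn_if:
        return "allowed"
    # The SYN/ACK hits an interface with no matching conn: the "TCP deny on inside".
    return f"denied on {reply_if}: connection was built on {conn_if}"
```

Calling ssh_round_trip("192.168.15.10", "10.10.10.2", False) reproduces the deny on the inside interface, and the same call with policy NAT enabled returns "allowed" because the 6509 now replies over its connected 10.10.10.0/24 link.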

You're a genius!!!!

it worked....that is pretty awesome...

I could replace, in the acl, the "host 10.10.10.2" with the entire /24 subnet, i would think...

thanks
