Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Linksys firewall behind PIX

I have a client that has a linksys firewall setup at his workstation (Don't ask why, you don't want to know). He needs to pass SSH traffic to his workstation. I have a acl configured and a static configured for his IP to pass the port 22 traffic to his "external" linksys address. He has the linksys configured to pass port 22 traffic to his internal workstation.

When he is behind the pix with a natted IP this does not work, I just get a connection refused. When i place him outside the firewall with a routable IP everything works fine. Is this a problem with TCP sequencing? Can this be disabled?



Re: Linksys firewall behind PIX

1. Your client is a donkey, take off your shoe and beat him with it.

2. Given his donkey status, I must question whether he is actually running a ssh daemon. Only a ssh daemon (server) needs to be accessible via tcp 22. If he is runninng a ssh daemon, is he running a unix like os? If so, run ipchains, PF, or IPF on it.


Re: Linksys firewall behind PIX

Sometimes dual NAT can be an issue as the Pix will randomize TCP sequence numbers for added security for hosts with weak IP stacks. (read Windows).

This can be disabled per static statement with the [norandomseq] keyword at the end.

And don't forget to follow the other poster's reply as he's dead on. For both step 1 and step 2. ;)

CreatePlease to create content