ca generate rsa key 1024
ca save all
In order to allow/restrict SSH access to the PIX:
I would like to access this machine address: 192.168.0.110
You mean this is how it should be?
ca generate rsa key 1024
ca save all
ssh 192.168.0.110 255.255.255.0 outside
Do I need to put any IP details of the PC in the PIX from the place where I am accessing my home PC?
Are just the above commands OK?
The problem is not yet solved. Can anyone show the exact command to open port 22?
I have tried the above command; it didn't work.
I think the previous command is to allow PIX management via ssh from Outside/Internet.
The command "ssh
If you need to access your PC which sits on the inside segment, you need to map it to a Public IP and use an ACL that opens port 22 (ssh) to enable you to access it from Outside/Internet. This ACL needs to be configured on the outside interface.
1. Static map of your internal PC to a Public IP (assigned by SP)
static (inside,outside) 18.104.22.168 192.168.0.110 netmask 255.255.255.255
2. Open ACL on the outside interface
access-list 100 permit tcp any host 22.214.171.124 eq 22
3. Bind it to outside interface
access-group 100 in interface outside
* You can also specify a specific IP/subnet by replacing 'any' with a host ID or subnet ID and netmask, as follows:
- For single host:
access-list 100 permit tcp host 126.96.36.199 host 188.8.131.52 eq 22
- For subnet:
access-list 100 permit tcp 184.108.40.206 255.255.255.0 host 220.127.116.11 eq 22
Make sure your internal PC is allowed to access Outside/Internet as well. If you have any ACL on the inside interface, make sure it allows your internal PC to pass through.
If you are looking to SSH to your PC behind the PIX from xyz, try this:
static (inside,outside) tcp p.p.p.p 22 192.168.0.110 22 netmask 255.255.255.255
access-list outside_in permit tcp host h.h.h.h host p.p.p.p eq 22
p.p.p.p is your PIX outside interface IP or other public IP routed to your PIX.
outside_in is the access-list applied to your outside interface
h.h.h.h is xyz's public IP address
Please excuse me as I wasn't thinking. The commands I posted are for managing the PIX.
As the last couple of posts suggested, those are the commands required. Just another comment: do "clear xlate" after applying static statements, as it forces the PIX to refresh the IP address translation.
I have tried the above commands; it didn't work. Is there anyone who is an expert in PIX firewall who can solve my issue? It's urgent; I want to access my PC.
Thanks for the reply here is the config:
Result of firewall command: "sh run"
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password i8sWQlcI4sodDEYK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
object-group service UDPList udp
port-object eq 5060
port-object eq 8000
port-object range 16384 20384
object-group service BroadVoice1 tcp-udp
port-object range 5060 5063
port-object range 10000 20000
port-object range 16384 20384
port-object eq 69
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inbound permit udp any interface outside object-group BroadVoice1
access-list Inbound permit udp any interface outside object-group BroadVoice1
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.57 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) udp interface tftp 192.168.0.57 tftp netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
sysopt connection permit-ipsec
crypto ipsec transform-set SecuritySet esp-des esp-sha-hmac
crypto map rtpmap 1 ipsec-isakmp
crypto map rtpmap 1 match address 102
crypto map rtpmap 1 set peer 61.17.xxx.xxx
crypto map rtpmap 1 set transform-set SecuritySet
crypto map rtpmap 1 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map rtpmap 2 ipsec-isakmp
crypto map rtpmap 2 match address 103
crypto map rtpmap 2 set peer 58.105.xxx.xxx
crypto map rtpmap 2 set transform-set SecuritySet
crypto map rtpmap 2 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map rtpmap interface outside
isakmp enable outside
isakmp key **address 61.17.xxx.xxx netmask 255.255.255.255
isakmp key **address 58.105.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Internet request dialout pppoe
vpdn enable inside
dhcpd address 192.168.0.33-192.168.0.62 inside
dhcpd lease 3600
dhcpd ping_timeout 750
Do "sh access-list inbound" to verify whether the ACL is being hit or not.
Verify whether the host 192.168.0.57 has the PIX inside interface as the default gateway or not.
Also verify the TFTP service is running correctly, e.g. try establishing TFTP from the subnet 192.168.0.0/24.
Do "sh xlate | in 192.168.0.57" to verify the IP translation.
Lastly, just wondering whether you were testing the TFTP from outside the PIX, such as the Internet.
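Putting the thread's pieces together (the numbered static/ACL steps, the p.p.p.p/h.h.h.h port-redirection variant, the "clear xlate" tip and the "sh xlate" check) against the posted "sh run": the following is an added example written for this page, not a command set posted by any participant. It assumes the admin's public source address is 203.0.113.10 (a documentation placeholder) and that the PC at 192.168.0.110 runs an SSH server on port 22 with 192.168.0.254 as its default gateway. It appends to the ACL named inbound that the posted config already binds with "access-group inbound in interface outside"; PIX 6.3 takes only one inbound ACL per interface, so binding a new ACL 100 there would replace inbound and silently drop the BroadVoice entries. Because the outside address is assigned by PPPoE ("ip address outside pppoe setroute"), the static and the ACL use the interface keyword instead of a fixed public IP, as the existing tftp static already does. Lines starting with "!" are editorial comments, not PIX commands.

```cisco
! Added example (editor's, not from the thread): forward TCP/22 on the PIX's
! PPPoE-assigned outside address to the home PC at 192.168.0.110.
! 203.0.113.10 is a placeholder for the admin's public source address.

! 1. Port redirection: <outside address>:22 -> 192.168.0.110:22
static (inside,outside) tcp interface 22 192.168.0.110 22 netmask 255.255.255.255 0 0

! 2. Permit SSH only from the admin host, appended to the ACL that the
!    posted config already binds on the outside interface (not a new ACL 100)
access-list inbound permit tcp host 203.0.113.10 interface outside eq 22

! 3. Re-apply the binding (unchanged from the posted config; harmless to repeat)
access-group inbound in interface outside

! 4. Rebuild the translation table so the new static takes effect
clear xlate

! 5. Verify from the PIX CLI while attempting the connection from 203.0.113.10
show access-list inbound
show xlate | include 192.168.0.110
show conn | include 192.168.0.110

! 6. Persist the change
write memory
```

After applying this, the hit count on the new inbound line should increase with each connection attempt and show xlate should list the 192.168.0.110 entry; if the ACL line is hit but no connection appears, the problem is on the PC side (SSH service not listening, host firewall, or wrong default gateway). Keep the source restricted to a known host or subnet rather than any, since any exposes the PC's SSH service to the whole Internet. The PIX's own ssh command and "aaa authentication ssh console LOCAL" govern management access to the firewall itself, not traffic through it, so they play no part in this forward.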
Thanks for the reply
I am pretty sure the above instruction has nothing to do with opening port 22.
I came back home and would like to end this topic. Thanks to Jakko and other NetPro members for their support.
Hence my problem is not solved, and I am 100% sure there are only 3 to 4 commands to open port 22.
Thanks. Have a good weekend.