Cisco Support Community

New Member

Opening port 22 in PIX 501

I would like to access my PC from the xyz location. How do I open port 22 to access my PC? I am using a PIX 501.

Can anyone provide the commands to open the port so that I can access my PC?

Thanks

15 REPLIES
Gold

Re: Opening port 22 in PIX 501

hostname pix

domain-name yourcompany.com.au

ca generate rsa key 1024

ca save all

in order to allow/restrict ssh access to the pix:

ssh <trusted host ip> <netmask> outside

New Member

Re: Opening port 22 in PIX 501

Is "trusted host ip" the IP address I am accessing from, or the IP of the PC I want to access?

Thanks

Gold

Re: Opening port 22 in PIX 501

Yes, e.g. your home internet public IP.

New Member

Re: Opening port 22 in PIX 501

I would like to access this machine address: 192.168.0.110

Do you mean this is how it should be?

=======================================================

hostname cisco

domain-name wasay.com

ca generate rsa key 1024

ca save all

ssh 192.168.0.110 255.255.255.0 outside

=====================================================

Do I need to put any IP details in the PIX for the PC at the place I am accessing my home PC from?

or

Are just the above commands OK?

Thanks

New Member

Re: Opening port 22 in PIX 501

The problem is not yet solved. Can anyone show the exact commands to open port 22?

I have tried the above commands; they didn't work.

Thanks

Re: Opening port 22 in PIX 501

I think the previous commands are to allow PIX management via SSH from outside/the Internet.

The command "ssh <trusted host ip> <netmask> outside" is to allow that IP to access/manage the PIX from outside.

If you need to access your PC, which sits on the inside segment, you need to map it to a public IP and use an ACL that opens port 22 (SSH) to let you access it from outside/the Internet. This ACL needs to be configured on the outside interface.

example:

1. static map of your internal PC to a Public IP (assign by SP)

static (inside,outside) 199.100.100.10 192.168.0.110 netmask 255.255.255.255

2.Open ACL on the outside interface

access-list 100 permit tcp any host 199.100.100.10 eq 22

3. Bind it to outside interface

access-group 100 in interface outside

* You can also restrict access to a specific IP/subnet by replacing 'any' with a host ID, or a subnet ID and netmask, as follows:

- For single host:

access-list 100 permit tcp host 202.100.100.100 host 199.100.100.10 eq 22

- For subnet:

access-list 100 permit tcp 202.100.100.0 255.255.255.0 host 199.100.100.10 eq 22

Make sure your internal PC is allowed to access outside/the Internet as well. If you have any ACL on the inside interface, make sure it allows your internal PC to pass through.

Cheers!

AK

Bronze

Re: Opening port 22 in PIX 501

Hi,

If you are looking for ssh to your PC behind PIX from xyz, try this

static (inside,outside) tcp p.p.p.p 22 192.168.0.110 22 netmask 255.255.255.255

access-list outside_in permit tcp host h.h.h.h host p.p.p.p eq 22

Where:

p.p.p.p is your PIX outside interface IP or another public IP routed to your PIX.

outside_in is the access-list applied to your outside interface

h.h.h.h is xyz public IP address

HTH

Regards,

Shijo George.

Gold

Re: Opening port 22 in PIX 501

Please excuse me, as I wasn't thinking. The commands I posted are for managing the PIX.

As the last couple of posts suggested, those are the commands required. Just one more comment: do "clear xlate" after applying static statements, as it forces the PIX to refresh the IP address translations.

New Member

Re: Opening port 22 in PIX 501

I have tried the above commands; they didn't work. Is there anyone who is an expert in PIX firewalls who can solve my issue? It's urgent, I want to access my PC.

Gold

Re: Opening port 22 in PIX 501

Please post the config with public IPs masked.

New Member

Re: Opening port 22 in PIX 501

Thanks for the reply here is the config:

Result of firewall command: "sh run"

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password i8sWQlcI4sodDEYK encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname Melbourne

domain-name lexiainfotech.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group service UDPList udp

port-object eq 5060

port-object eq 8000

port-object range 16384 20384

object-group service BroadVoice1 tcp-udp

port-object range 5060 5063

port-object range 10000 20000

port-object range 16384 20384

port-object eq 69

access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inbound permit udp any interface outside object-group BroadVoice1

access-list Inbound permit udp any interface outside object-group BroadVoice1

access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.0.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.57 255.255.255.255 inside

pdm location 192.168.1.0 255.255.255.0 outside

pdm location 192.168.2.0 255.255.255.0 outside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 192.168.0.0 255.255.255.0 0 0

static (inside,outside) udp interface tftp 192.168.0.57 tftp netmask 255.255.255.255 0 0

access-group inbound in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set SecuritySet esp-des esp-sha-hmac

crypto map rtpmap 1 ipsec-isakmp

crypto map rtpmap 1 match address 102

crypto map rtpmap 1 set peer 61.17.xxx.xxx

crypto map rtpmap 1 set transform-set SecuritySet

crypto map rtpmap 1 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map rtpmap 2 ipsec-isakmp

crypto map rtpmap 2 match address 103

crypto map rtpmap 2 set peer 58.105.xxx.xxx

crypto map rtpmap 2 set transform-set SecuritySet

crypto map rtpmap 2 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map rtpmap interface outside

isakmp enable outside

isakmp key **address 61.17.xxx.xxx netmask 255.255.255.255

isakmp key **address 58.105.xxx.xxx netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group Internet request dialout pppoe

vpdn enable inside

dhcpd address 192.168.0.33-192.168.0.62 inside

dhcpd lease 3600

dhcpd ping_timeout 750

Gold

Re: Opening port 22 in PIX 501

Do "sh access-list inbound" to verify whether the ACL is being hit or not.

Verify whether the host 192.168.0.57 has the PIX inside interface as its default gateway.

Also verify that the TFTP service is running correctly, e.g. try to establish a TFTP session from the subnet 192.168.0.0/24.

Do "sh xlate | in 192.168.0.57" to verify the IP translation.

Lastly, just wondering whether you were testing TFTP from outside the PIX, such as from the Internet.

New Member

Re: Opening port 22 in PIX 501

Thanks for the reply

I am pretty sure the above instructions have nothing to do with opening port 22.

I came back home and would like to end this topic. Thanks to Jakko and the other NetPro members for their support.

My problem is still not solved, and I am 100% sure there are only 3 to 4 commands needed to open port 22.

Thanks, have a good weekend.

Gold

Re: Opening port 22 in PIX 501 (Accepted Solution)

Totally agree, as only 3 commands are required:

access-list inbound permit tcp any interface outside eq 22

static (inside,outside) tcp interface 22 192.168.0.110 22 netmask 255.255.255.255 0 0

clear xlate

However, all these commands are missing from the config you posted.
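The check in the accepted answer ("all these commands are missing from the config you posted") can be made mechanical. The script below is an added example by the editor, not code from anyone in this thread: it parses the static, access-list, access-group and service object-group lines of a PIX 6.3 running config and, for a given inside host and port, reports which of the three pieces (static translation, permitting ACL entry, ACL bound to the outside interface) is absent. It also lists ACLs that no other line references, which catches the "inbound"/"Inbound" pair in the posted config (ACL names are case-sensitive, so only the one named in access-group is ever applied), and it rejects the truncated ACL form with no destination. The config excerpt is constructed from the config posted above; the remote address 203.0.113.5 is an assumed stand-in for the "xyz" location, and forwarding to the outside interface address (PAT) rather than a second public IP is likewise an assumption.

```python
"""Audit a PIX 6.3 running config for an inbound port forward (added example, not from the thread).

For an inside host and port, check the three pieces the accepted answer names: a static
translation, an ACL entry permitting the port to the translated address, and that ACL bound
to the outside interface. Also list ACLs no other line references (ACL names are case-sensitive).
Port specs handled: "eq PORT" and "object-group NAME" (service groups built from port-object lines).
"""
from collections import namedtuple

Static = namedtuple("Static", "proto global_addr global_port local_addr local_port")
AclEntry = namedtuple("AclEntry", "name action proto src dst port")
Audit = namedtuple("Audit", "missing unreferenced_acls")
PORT_NAMES = {"ssh": 22, "tftp": 69, "http": 80, "smtp": 25, "ftp": 21}

def port_number(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _addr(t, i):
    """Consume one address spec at t[i]: any | host A | interface X | A MASK."""
    if t[i] in ("eq", "range", "object-group"):
        raise ValueError("malformed ACL, destination missing: " + " ".join(t))
    if t[i] == "any":
        return ("any",), i + 1
    if t[i] in ("host", "interface"):
        return (t[i], t[i + 1]), i + 2
    return ("net", t[i], t[i + 1]), i + 2

def parse_acl(line):
    t = line.split()  # access-list NAME permit|deny PROTO SRC DST [eq PORT | object-group NAME]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port = None
    if i < len(t):
        port = port_number(t[i + 1]) if t[i] == "eq" else (t[i], t[i + 1])
    return AclEntry(t[1], t[2], t[3], src, dst, port)

def parse_static(line):
    t = line.split()  # static (in,out) [tcp|udp GADDR GPORT] LADDR [LPORT] netmask ...
    if t[2] in ("tcp", "udp"):
        return Static(t[2], t[3], port_number(t[4]), t[5], port_number(t[6]))
    return Static(None, t[2], None, t[3], None)  # 1:1 static covers every port

def entry_permits(e, global_addr, port, proto, groups):
    """Does ACL entry e allow proto/port to the translated (global) address?"""
    if e.action != "permit" or e.proto not in (proto, "ip"):
        return False
    if e.dst[0] == "interface":  # "interface outside" is the PAT address
        dst_ok = global_addr == "interface" and e.dst[1] == "outside"
    else:  # subnet destinations are not resolved in this example
        dst_ok = e.dst[0] == "any" or e.dst == ("host", global_addr)
    if not dst_ok or e.port is None:  # port None means the whole protocol is permitted
        return dst_ok
    if isinstance(e.port, int):
        return e.port == port
    gproto, ranges = groups.get(e.port[1], (None, []))  # ("object-group", NAME)
    return gproto in (proto, "tcp-udp") and any(lo <= port <= hi for lo, hi in ranges)

def audit_port_forward(config, inside_host, port, proto="tcp"):
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    statics, acls, bound, groups, cur = [], [], {}, {}, None
    for ln in lines:
        t = ln.split()
        if t[0] == "static":
            statics.append(parse_static(ln))
        elif t[0] == "access-list":
            acls.append(parse_acl(ln))
        elif t[0] == "access-group":  # access-group NAME in interface IFACE
            bound[t[4]] = t[1]
        elif t[0] == "object-group" and t[1] == "service":
            cur, groups[t[2]] = t[2], (t[3], [])
        elif t[0] == "port-object" and cur:
            lo = port_number(t[2])
            groups[cur][1].append((lo, port_number(t[3]) if t[1] == "range" else lo))
    static = next((s for s in statics if s.local_addr == inside_host and
                   (s.proto is None or (s.proto == proto and s.local_port == port))), None)
    missing = [] if static else ["static"]
    global_addr = static.global_addr if static else "interface"  # assume outside-interface PAT
    acl_name = bound.get("outside")
    if acl_name is None:
        missing.append("access-group")
    if not any(entry_permits(e, global_addr, port, proto, groups) for e in acls if e.name == acl_name):
        missing.append("access-list")
    others = [ln.split() for ln in lines if not ln.startswith("access-list ")]
    return Audit(missing, sorted({e.name for e in acls if not any(e.name in t for t in others)}))

# Constructed excerpt of the config posted in this thread (names and addresses as posted).
CONFIG_BEFORE = """
object-group service BroadVoice1 tcp-udp
port-object range 5060 5063
port-object range 16384 20384
port-object eq 69
access-list inbound permit udp any interface outside object-group BroadVoice1
access-list Inbound permit udp any interface outside object-group BroadVoice1
static (inside,outside) udp interface tftp 192.168.0.57 tftp netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""

# The same excerpt plus the accepted answer's lines, with the source limited to one remote
# address; 203.0.113.5 is a constructed stand-in for the "xyz" location's public IP.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "access-group inbound",
    "access-list inbound permit tcp host 203.0.113.5 interface outside eq 22\n"
    "static (inside,outside) tcp interface 22 192.168.0.110 22 netmask 255.255.255.255 0 0\n"
    "access-group inbound",
)
```

Run `audit_port_forward(CONFIG_BEFORE, "192.168.0.110", 22)` to get `missing=['static', 'access-list']` with `Inbound` reported as unreferenced; the same call on `CONFIG_AFTER` reports nothing missing. The existing TFTP forward in the posted config passes as `udp`/69 because port 69 is inside the BroadVoice1 group, and a 1:1 static of the kind AK posted (no protocol or port) is treated as covering every port. Network object-groups, `range` port specs and subnet destinations are deliberately left unresolved, so treat a "missing access-list" result on such entries as "check by hand", the way Gold's later post does with `sh access-list` and `sh xlate`.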

New Member

Re: Opening port 22 in PIX 501

Hey Jackkooooooooo, you are an expert in PIX firewalls. Yes, you are right. Why haven't you provided the above commands before?

Thanks
