Solved

PIX 515 port forwarding (ssh) with existing NAT

Posted on 2006-11-27
1,103 Views
Last Modified: 2010-05-18
I need to allow external access (from a static network address, i.e. 100.100.0.0/16, and via a random static port, i.e. 6000) to port 22 (ssh) on an internal server using PAT.

I currently have a PIX 515 with a dynamic NAT rule enabled, translating all outbound office traffic using the outside interface IP. I also have a dynamic IPSec policy with accompanying access-lists (including split-tunneling) operating to allow VPN connections.

When I typed in this command to get started...
static (inside, outside) tcp interface 6000 10.10.10.10 22 netmask 255.255.255.255
...all outbound web traffic was cut off, as was the ability to connect using the VPN client.

Must I create the access list first and have it ordered AFTER the existing ACLs? Should I append the access rule to an existing list before I create the static PAT rule? How would this be done?

Thanks!
Question by:chiefttimby
4 Comments
 
LVL 4

Accepted Solution

by: pakitloss (earned 252 total points)
ID: 18022434
I always create my access-lists, apply them to the interface, then do the static. I don't remember if doing the static first is supposed to work the way you described or not. I also include the access-list entry in the same list as the direction I want to go, as you stated.

ex.
access-list inbound permit tcp 100.100.0.0 255.255.0.0 interface outside eq 22 log
access-group inbound in interface outside

static (inside, outside) tcp interface 6000 10.10.10.10 22 netmask 255.255.255.255
LVL 28

Assisted Solution

by: batry_boy (earned 248 total points)
ID: 18676282
First off, I would use a random port higher up in the allowed range to prevent it from being trampled on by your PAT setup... maybe something like:

static (inside,outside) tcp interface 58956 10.10.10.10 22 netmask 255.255.255.255

I believe pakitloss specified the wrong port to be opened on the inside interface when implementing port redirection. It should read something like this, using my above static as a reference:

access-list inbound permit tcp 100.100.0.0 255.255.0.0 interface outside eq 58956 log
access-group inbound in interface outside

The order of the ACLs doesn't matter, and it doesn't really matter if you input the ACL statement first or the static first. However, I would do a "clear xlat" after you put in the "static" statement.

Hope this helps...
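To see why batry_boy's correction matters, here is an added example (not code from the thread or from Cisco) that models how a pre-8.3 PIX handles an inbound TCP SYN: the outside interface ACL is matched against the packet as it arrives, i.e. against the mapped (outside) address and port, and only then does the static xlate rewrite the destination to the inside server. The parser and function names are my own, and the two ACL variants and the static line are the ones posted above.

```python
import ipaddress

def parse_static(line):
    """static (inside,outside) tcp interface <mapped_port> <real_ip> <real_port> netmask ..."""
    tok = line.replace(", ", ",").split()  # tolerate the "(inside, outside)" spacing from the question
    if tok[0] != "static" or tok[2] != "tcp" or tok[3] != "interface":
        raise ValueError("unsupported static form: " + line)
    return {"mapped_port": int(tok[4]), "real_ip": tok[5], "real_port": int(tok[6])}

def parse_acl(line):
    """access-list <name> permit tcp <net> <mask> interface outside eq <port> [log]"""
    tok = line.split()
    if (tok[0] != "access-list" or tok[2] != "permit" or tok[3] != "tcp"
            or tok[6:8] != ["interface", "outside"] or tok[8] != "eq"):
        raise ValueError("unsupported ACL form: " + line)
    return {"src": ipaddress.ip_network(f"{tok[4]}/{tok[5]}", strict=False),
            "mapped_port": int(tok[9])}

def evaluate_inbound(acl_lines, static_line, src_ip, dst_port):
    """Simplified pre-8.3 PIX order for a SYN to the outside interface IP:
    1. interface ACL, matched on the mapped address/port (implicit deny at the end)
    2. static xlate lookup, which rewrites the destination to the real server
    Returns (permitted, (real_ip, real_port) or None)."""
    src = ipaddress.ip_address(src_ip)
    entries = [parse_acl(l) for l in acl_lines]
    if not any(src in e["src"] and e["mapped_port"] == dst_port for e in entries):
        return False, None                      # dropped by the ACL's implicit deny
    s = parse_static(static_line)
    if s["mapped_port"] != dst_port:
        return True, None                       # ACL permits, but no xlate exists for this port
    return True, (s["real_ip"], s["real_port"])

# Constructed sample config: batry_boy's static plus the two ACL variants from the thread.
STATIC = "static (inside,outside) tcp interface 58956 10.10.10.10 22 netmask 255.255.255.255"
ACL_REAL_PORT = ["access-list inbound permit tcp 100.100.0.0 255.255.0.0 interface outside eq 22 log"]
ACL_MAPPED_PORT = ["access-list inbound permit tcp 100.100.0.0 255.255.0.0 interface outside eq 58956 log"]

if __name__ == "__main__":
    for name, acl in (("eq 22", ACL_REAL_PORT), ("eq 58956", ACL_MAPPED_PORT)):
        print(name, "->", evaluate_inbound(acl, STATIC, "100.100.5.5", 58956))
```

The ACL written with the real port (eq 22) never matches the packet, because on the outside interface the packet still carries the mapped port 58956; only the entry using the mapped port lets the SYN reach the static and land on 10.10.10.10:22.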