• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1105
  • Last Modified:

PIX 515 port forwarding (ssh) with existing NAT

I need to allow external access (from a static network address ie. 100.100.0.0/16 and via a random static port, ie. 6000) to port 22 (ssh) on an internal server using PAT.

I currently have a PIX 515 with a dynamic NAT rule enabled, translating all outbound office traffic using the outside interface IP. I also have a dynamic IPSec policy with accompanying access-lists (including split-tunneling) operating to allow VPN connections.

When I typed in this command to get started...
static (inside, outside) tcp interface 6000 10.10.10.10 22 netmask 255.255.255.255
...all outbound web traffic was cut off, as was the ability to connect using the VPN client.

Must I create the access list first and have it ordered AFTER the existing ACLs? Should I append the access rule to an existing list before I create the static PAT rule? How would this be done?

Thanks!
0
chiefttimby
Asked:
chiefttimby
2 Solutions
 
pakitlossCommented:
I always create my Access-lists, apply them to the interface then do the static. I don't remember if doing the static first is supposed to work the way you described or not. I also include the access-list entry in the same list as the direction I want to go as you stated.  

ex.
access-list inbound permit tcp 100.100.0.0 255.255.0.0 interface outside eq 22 log
access-group inbound in interface outside

static (inside, outside) tcp interface 6000 10.10.10.10 22 netmask 255.255.255.255
0
 
batry_boyCommented:
First off, I would use a random port higher up in the allowed range to prevent from being trampled on by your PAT setup...maybe something like:

static (inside,outside) tcp interface 58956 10.10.10.10 22 netmask 255.255.255.255

I believe pakitloss specified the wrong port to be opened on the inside interface when implementing port redirection.  It should read something like this, using my above static as a reference:

access-list inbound permit tcp 100.100.0.0 255.255.0.0 interface outside eq 58956 log
access-group inbound in interface outside

The order of the ACL's doesn't matter and it doesn't really matter if you input the ACL statement first or the static first.  However, I would do a "clear xlat" after you put in the "static" statement.

Hope this helps...
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now