Solved

PIX 515 port forwarding (ssh) with existing NAT

Posted on 2006-11-27
4
1,094 Views
Last Modified: 2010-05-18
I need to allow external access (from a static network address ie. 100.100.0.0/16 and via a random static port, ie. 6000) to port 22 (ssh) on an internal server using PAT.

I currently have a PIX 515 with a dynamic NAT rule enabled, translating all outbound office traffic using the outside interface IP. I also have a dynamic IPSec policy with accompanying access-lists (including split-tunneling) operating to allow VPN connections.

When I typed in this command to get started...
static (inside, outside) tcp interface 6000 10.10.10.10 22 netmask 255.255.255.255
...all outbound web traffic was cut off, as was the ability to connect using the VPN client.

Must I create the access list first and have it ordered AFTER the existing ACLs? Should I append the access rule to an existing list before I create the static PAT rule? How would this be done?

Thanks!
0
Comment
Question by:chiefttimby
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 4

Accepted Solution

by:
pakitloss earned 63 total points
ID: 18022434
I always create my Access-lists, apply them to the interface then do the static. I don't remember if doing the static first is supposed to work the way you described or not. I also include the access-list entry in the same list as the direction I want to go as you stated.  

ex.
access-list inbound permit tcp 100.100.0.0 255.255.0.0 interface outside eq 22 log
access-group inbound in interface outside

static (inside, outside) tcp interface 6000 10.10.10.10 22 netmask 255.255.255.255
0
 
LVL 28

Assisted Solution

by:batry_boy
batry_boy earned 62 total points
ID: 18676282
First off, I would use a random port higher up in the allowed range to prevent from being trampled on by your PAT setup...maybe something like:

static (inside,outside) tcp interface 58956 10.10.10.10 22 netmask 255.255.255.255

I believe pakitloss specified the wrong port to be opened on the inside interface when implementing port redirection.  It should read something like this, using my above static as a reference:

access-list inbound permit tcp 100.100.0.0 255.255.0.0 interface outside eq 58956 log
access-group inbound in interface outside

The order of the ACL's doesn't matter and it doesn't really matter if you input the ACL statement first or the static first.  However, I would do a "clear xlat" after you put in the "static" statement.

Hope this helps...
0

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question