Solved

PIX 515 port forwarding (ssh) with existing NAT

Posted on 2006-11-27
4
1,097 Views
Last Modified: 2010-05-18
I need to allow external access (from a static network address ie. 100.100.0.0/16 and via a random static port, ie. 6000) to port 22 (ssh) on an internal server using PAT.

I currently have a PIX 515 with a dynamic NAT rule enabled, translating all outbound office traffic using the outside interface IP. I also have a dynamic IPSec policy with accompanying access-lists (including split-tunneling) operating to allow VPN connections.

When I typed in this command to get started...
static (inside, outside) tcp interface 6000 10.10.10.10 22 netmask 255.255.255.255
...all outbound web traffic was cut off, as was the ability to connect using the VPN client.

Must I create the access list first and have it ordered AFTER the existing ACLs? Should I append the access rule to an existing list before I create the static PAT rule? How would this be done?

Thanks!
0
Comment
Question by:chiefttimby
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 4

Accepted Solution

by:
pakitloss earned 63 total points
ID: 18022434
I always create my Access-lists, apply them to the interface then do the static. I don't remember if doing the static first is supposed to work the way you described or not. I also include the access-list entry in the same list as the direction I want to go as you stated.  

ex.
access-list inbound permit tcp 100.100.0.0 255.255.0.0 interface outside eq 22 log
access-group inbound in interface outside

static (inside, outside) tcp interface 6000 10.10.10.10 22 netmask 255.255.255.255
0
 
LVL 28

Assisted Solution

by:batry_boy
batry_boy earned 62 total points
ID: 18676282
First off, I would use a random port higher up in the allowed range to prevent from being trampled on by your PAT setup...maybe something like:

static (inside,outside) tcp interface 58956 10.10.10.10 22 netmask 255.255.255.255

I believe pakitloss specified the wrong port to be opened on the inside interface when implementing port redirection.  It should read something like this, using my above static as a reference:

access-list inbound permit tcp 100.100.0.0 255.255.0.0 interface outside eq 58956 log
access-group inbound in interface outside

The order of the ACL's doesn't matter and it doesn't really matter if you input the ACL statement first or the static first.  However, I would do a "clear xlat" after you put in the "static" statement.

Hope this helps...
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question