Solved

PIX 515 port forwarding (ssh) with existing NAT

Posted on 2006-11-27
4
1,088 Views
Last Modified: 2010-05-18
I need to allow external access (from a static network address ie. 100.100.0.0/16 and via a random static port, ie. 6000) to port 22 (ssh) on an internal server using PAT.

I currently have a PIX 515 with a dynamic NAT rule enabled, translating all outbound office traffic using the outside interface IP. I also have a dynamic IPSec policy with accompanying access-lists (including split-tunneling) operating to allow VPN connections.

When I typed in this command to get started...
static (inside, outside) tcp interface 6000 10.10.10.10 22 netmask 255.255.255.255
...all outbound web traffic was cut off, as was the ability to connect using the VPN client.

Must I create the access list first and have it ordered AFTER the existing ACLs? Should I append the access rule to an existing list before I create the static PAT rule? How would this be done?

Thanks!
0
Comment
Question by:chiefttimby
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 4

Accepted Solution

by:
pakitloss earned 63 total points
ID: 18022434
I always create my Access-lists, apply them to the interface then do the static. I don't remember if doing the static first is supposed to work the way you described or not. I also include the access-list entry in the same list as the direction I want to go as you stated.  

ex.
access-list inbound permit tcp 100.100.0.0 255.255.0.0 interface outside eq 22 log
access-group inbound in interface outside

static (inside, outside) tcp interface 6000 10.10.10.10 22 netmask 255.255.255.255
0
 
LVL 28

Assisted Solution

by:batry_boy
batry_boy earned 62 total points
ID: 18676282
First off, I would use a random port higher up in the allowed range to prevent from being trampled on by your PAT setup...maybe something like:

static (inside,outside) tcp interface 58956 10.10.10.10 22 netmask 255.255.255.255

I believe pakitloss specified the wrong port to be opened on the inside interface when implementing port redirection.  It should read something like this, using my above static as a reference:

access-list inbound permit tcp 100.100.0.0 255.255.0.0 interface outside eq 58956 log
access-group inbound in interface outside

The order of the ACL's doesn't matter and it doesn't really matter if you input the ACL statement first or the static first.  However, I would do a "clear xlat" after you put in the "static" statement.

Hope this helps...
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question