Solved

PIX 515 SSH access

Posted on 2008-06-11
Last Modified: 2012-08-13
I am trying to allow a vendor SSH access to a server on my network; below is the config. Any ideas greatly appreciated. Server IP address = 1.2.3.4 and is on my internal network.

access_list outside_access_in permit tcp any host 1.2.3.4 eq ssh
access_list inside_access_out permit tcp any any eq ssh
static (inside, outside) 1.2.3.0 1.2.3.0 netmask 255.255.255.0 0 0
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
Question by:KCHDIT
10 Comments
LVL 6

Expert Comment

by:raptorjb007
ID: 21764197
The config sample is a bit too limited to give you exact answers.

First, if you are using NAT, you need to change the "access_list outside_access_in permit tcp any host 1.2.3.4 eq ssh" to use the outside IP of the server, not its internal IP.

Also the "static (inside, outside) 1.2.3.0 1.2.3.0 netmask 255.255.255.0 0 0" is not going to do anything. You need to configure IPs on different subnets for a static translation.

something like
"static (inside, outside) x.x.x.a y.y.y.b netmask 255.255.255.255 0 0"

Lastly, the "ssh 0.0.0.0 0.0.0.0 outside" command configures your PIX for SSH access. Unless your server has a static translation for its own IP address (looks like that's what you are attempting) you should be OK. However, if you are trying to use your outside interface IP you will find yourself unable to use port 22 and will have to use a PAT translation using a different outside port (it can still map to port 22 on the inside, however).

example:
"static (inside,outside) tcp interface 23 y.y.y.b 22 netmask 255.255.255.255"

If you still have trouble post your full config(minus sensitive information like passwords) for further inspection.
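The two checks raptorjb007 describes (the outside ACL must name the server's mapped address, and a static (inside,outside) entry must cover the server) can be scripted against a PIX 6.x config. The following is an added example, not code from this thread; the addresses and the config fragment are constructed. It also flags the "ssh 0.0.0.0 0.0.0.0 outside" line, which controls management SSH to the PIX itself rather than the vendor's pass-through traffic.

```python
import ipaddress
import re

# Constructed sample, not the thread's config: the inside server 203.0.113.19 is
# published 1:1 by a subnet static, and the ACL references its mapped address.
SAMPLE_CONFIG = """
access-list outside_access_in permit tcp any host 203.0.113.19 eq ssh
static (inside,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
ssh 0.0.0.0 0.0.0.0 outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit tcp \S+ host (\S+) eq ssh$")
STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\) (\S+) (\S+) netmask (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
SSH_RE = re.compile(r"^ssh (\S+) (\S+) (\S+)$")

def inside_to_outside(config, real_ip):
    """Resolve the outside (mapped) address of an inside host via static (inside,outside)."""
    ip = ipaddress.ip_address(real_ip)
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m or (m.group(1), m.group(2)) != ("inside", "outside"):
            continue
        mapped, real, mask = m.group(3), m.group(4), m.group(5)  # mapped comes first
        real_net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
        if ip in real_net:  # keep the host offset inside the translated block
            offset = int(ip) - int(real_net.network_address)
            return str(ipaddress.ip_address(int(ipaddress.ip_address(mapped)) + offset))
    return None

def check_inbound_ssh(config, server_ip):
    """Return a list of problems with publishing tcp/22 on server_ip; empty means OK."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    mapped = inside_to_outside(config, server_ip)
    if mapped is None:
        return ["no static (inside,outside) covers " + server_ip]
    bound = {g.group(1): g.group(2) for g in map(GROUP_RE.match, lines) if g}
    hits = [a for a in map(ACL_RE.match, lines)
            if a and bound.get(a.group(1)) == "outside" and a.group(2) == mapped]
    if not hits:
        findings.append(f"no ACL bound to outside permits ssh to mapped address {mapped}")
    if any(s and s.group(1) == "0.0.0.0" and s.group(3) == "outside"
           for s in map(SSH_RE.match, lines)):
        findings.append("'ssh 0.0.0.0 0.0.0.0 outside' exposes PIX management SSH to any "
                        "source; not needed for pass-through, restrict it to known hosts")
    return findings
```

Running check_inbound_ssh on a config whose ACL names the inside address while the static maps it to a different outside address reports the ACL mismatch raptorjb007 describes.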

Author Comment

by:KCHDIT
ID: 21798452
Here is my full config:

Basically I have the two entries to allow SSH to this specific server and have the commands as stated above.  My goal is to allow my vendor to access a specific server via SSH.  Thanks!

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 stateful security99
enable password xxxxxxx
passwd xxxxxxxxxxxx
hostname xxxxxxxx
domain-name xxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names        
access-list nonat permit ip x.x.69.0 255.255.255.0 any
access-list nonat permit ip x.x.70.0 255.255.255.0 any
access-list nonat permit ip x.x.71.0 255.255.255.0 any
;access-list outside_access_in permit ip x.x.19.0 255.255.255.0 x.x.69.0 255.255.255.0
;access-list outside_access_in permit ip x.x.30.0 255.255.255.0 x.x.29.0 255.255.255.0
;access-list outside_access_in permit ip x.x.30.0 255.255.255.0 x.x.69.0 255.255.255.0
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit ip x.x.13.50 x.x.13.50 x.x.29.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.163 x.x.11.163 x.x.29.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.169 x.x.11.169 x.x.29.0 255.255.255.0
access-list outside_access_in permit ip x.x.16.150 x.x.16.150 x.x.29.0 255.255.255.0
;access-list outside_access_in permit ip x.x.19.0 255.255.255.0 x.x.70.0 255.255.255.0
;access-list outside_access_in permit ip x.x.30.0 255.255.255.0 x.x.70.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.163 x.x.11.163 x.x.69.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.163 x.x.11.163 x.x.70.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.163 x.x.11.163 x.x.71.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.169 x.x.11.169 x.x.69.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.169 x.x.11.169 x.x.70.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.169 x.x.11.169 x.x.71.0 255.255.255.0
access-list outside_access_in permit ip x.x.13.50 x.x.13.50 x.x.69.0 255.255.255.0
access-list outside_access_in permit ip x.x.13.50 x.x.13.50 x.x.70.0 255.255.255.0
access-list outside_access_in permit ip x.x.13.50 x.x.13.50 x.x.71.0 255.255.255.0
access-list outside_access_in permit ip x.x.13.52 x.x.13.52 x.x.29.0 255.255.255.0
access-list outside_access_in permit ip x.x.13.52 x.x.13.52 x.x.69.0 255.255.255.0
access-list outside_access_in permit ip x.x.13.52 x.x.13.52 x.x.70.0 255.255.255.0
access-list outside_access_in permit ip x.x.13.52 x.x.13.52 x.x.71.0 255.255.255.0
access-list outside_access_in permit ip x.x.16.150 x.x.16.150 x.x.69.0 255.255.255.0
access-list outside_access_in permit ip x.x.16.150 x.x.16.150 x.x.70.0 255.255.255.0
access-list outside_access_in permit ip x.x.16.150 x.x.16.150 x.x.71.0 255.255.255.0
access-list outside_access_in permit ip x.x.59.186 x.x.59.186 x.x.69.0 255.255.255.0
access-list outside_access_in permit ip x.x.59.186 x.x.59.186 x.x.70.0 255.255.255.0
access-list outside_access_in permit ip x.x.59.186 x.x.59.186 x.x.71.0 255.255.255.0
access-list outside_access_in permit ip x.x.59.186 x.x.59.186 x.x.29.0 255.255.255.0
access-list outside_access_in permit tcp any gt 1023 host x.x.70.6 eq smtp
access-list outside_access_in permit tcp host x.x.204.1 host x.x.69.211 eq www
access-list outside_access_in permit udp host x.x.204.1 host x.x.69.211 eq netbios-ns
access-list outside_access_in deny tcp any any eq 135
access-list outside_access_in deny tcp any any eq netbios-ssn
access-list outside_access_in deny udp any any eq netbios-ns
access-list outside_access_in deny udp any any eq netbios-dgm
access-list outside_access_in deny udp any any eq 139
access-list outside_access_in deny udp any any eq tftp
access-list outside_access_in deny tcp any any eq 138
access-list outside_access_in deny tcp any any eq 593
access-list outside_access_in deny tcp any any eq 4444
access-list outside_access_in deny udp any any eq 135
access-list outside_access_in deny udp any any eq 8998
access-list outside_access_in deny udp any any eq 445
access-list outside_access_in deny udp any any eq 1434
access-list outside_access_in deny tcp any any eq 445
access-list outside_access_in deny tcp any any eq 5554
access-list outside_access_in deny tcp any any eq 9996
access-list outside_access_in deny tcp any any eq 1022
access-list outside_access_in deny tcp any any eq 1023
;access-list outside_access_in permit ip host x.x.69.217 host x.x.70.8
access-list outside_access_in permit tcp host x.x.204.1 host x.x.69.212 eq https
access-list outside_access_in permit tcp host x.x.204.1 host x.x.69.212 eq www
access-list outside_access_in permit tcp any host x.x.70.19 eq ssh
access-list outside_access_in permit tcp any host x.x.70.17 eq ssh
access-list inside_access_out deny ip any host x.x.x.240
access-list inside_access_out deny udp any any eq 135
access-list inside_access_out deny udp any any eq 8998
access-list inside_access_out deny tcp any any eq 5554
access-list inside_access_out deny tcp any any eq 9996
access-list inside_access_out deny tcp any any eq 1022
access-list inside_access_out deny tcp any any eq 1023
access-list inside_access_out permit ip any any
access-list inside_access_out permit tcp any any eq 3101
access-list dmz_access_in permit tcp host x.x.69.211 host x.x.70.7 eq www
access-list dmz_access_in permit ip host x.x.69.211 host x.x.70.7
access-list dmz_access_in permit tcp host x.x.69.211 host x.x.204.1 eq www
access-list dmz_access_in permit ip host x.x.69.211 host x.x.204.1
access-list dmz_access_in permit tcp host x.x.69.211 host x.x.29.9 eq 1829
access-list dmz_access_in permit ip host x.x.69.211 host x.x.70.1
access-list dmz_access_in permit tcp host x.x.69.211 host x.x.70.12 eq www      
access-list dmz_access_in permit ip host x.x.69.211 host x.x.70.12
;access-list 101 permit ip host x.x.70.5 host x.x.x.74
pager lines 24
logging on
logging trap notifications
logging host inside x.x.70.8
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu stateful 1500
ip address outside x.x.69.218 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address dmz x.x.69.209 255.255.255.248
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address stateful 10.50.50.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside x.x.69.219
failover ip address inside 10.0.0.2
failover ip address dmz x.x.69.210
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address stateful 10.50.50.2
failover link stateful
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) x.x.29.0 x.x.29.0 netmask 255.255.255.0 0 0
static (inside,outside) x.x.69.0 x.x.69.0 netmask 255.255.255.128 0 0
static (inside,outside) x.x.69.128 x.x.69.128 netmask 255.255.255.192 0 0
static (inside,outside) x.x.69.192 x.x.69.192 netmask 255.255.255.240 0 0
static (inside,outside) x.x.69.224 x.x.69.224 netmask 255.255.255.224 0 0
static (inside,outside) x.x.70.0 x.x.70.0 netmask 255.255.255.0 0 0
static (inside,outside) x.x.71.0 x.x.71.0 netmask 255.255.255.0 0 0
static (dmz,outside) x.x.69.211 x.x.69.211 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.69.212 x.x.69.212 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.1 x.x.70.1 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.6 x.x.70.6 netmask 255.255.255.255 0 0  
static (inside,dmz) x.x.70.7 x.x.70.7 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.12 x.x.70.12 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.201 x.x.70.201 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.203 x.x.70.203 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.204 x.x.70.204 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.205 x.x.70.205 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.212 x.x.70.212 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.213 x.x.70.213 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.214 x.x.70.214 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.217 x.x.70.217 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.207 x.x.70.207 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
access-group dmz_access_in in interface dmz
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 x.x.69.217 1
route inside x.x.69.0 255.255.255.0 10.0.0.254 1
route inside x.x.70.0 255.255.255.0 10.0.0.254 1
route inside x.x.71.0 255.255.255.0 10.0.0.254 1
route inside 192.168.1.0 255.255.255.0 10.0.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
;crypto ipsec transform-set Medease esp-3des esp-md5-hmac
;crypto map Medease 10 ipsec-isakmp
;crypto map Medease 10 match address 101
;crypto map Medease 10 set peer x.x.x.73
;crypto map Medease 10 set transform-set Medease
;crypto map Medease interface outside
;isakmp enable outside
;isakmp key ******** address x.x.x.73 netmask 255.255.255.255
;isakmp identity address
;isakmp policy 10 authentication pre-share
;isakmp policy 10 encryption 3des
;isakmp policy 10 hash md5
;isakmp policy 10 group 2
;isakmp policy 10 lifetime 28800
telnet x.x.70.203 255.255.255.255 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
terminal width 132
Cryptochecksum:46632dac0511ec1a044c1467e62f26fa
: end        

Author Comment

by:KCHDIT
ID: 21805791
Increasing Point value.  Really need a resolution.  Thanks!
LVL 6

Expert Comment

by:raptorjb007
ID: 21808513
Judging by the following:

access-list outside_access_in permit tcp any host x.x.70.19 eq ssh
access-list outside_access_in permit tcp any host x.x.70.17 eq ssh
static (inside,outside) x.x.70.0 x.x.70.0 netmask 255.255.255.0 0 0
route inside x.x.70.0 255.255.255.0 10.0.0.254 1

You simply wish to have the traffic forwarded to their next-hop 10.0.0.254. Assuming 10.0.0.254 is properly configured your current config should work.

Is the device 10.0.0.254 performing NAT on the traffic?

Author Comment

by:KCHDIT
ID: 21824515
No, 10.0.0.254 is not performing NAT. It is a router port on my 3600 inside my firewall. Here is the config for that in case there is something I am missing. Thanks for the assistance.

interface fastethernet1/1
ip address 10.0.0.254 255.255.255.0
speed 100
full-duplex

router eigrp 1
network 10.0.0.0
network a.b.0.0
network c.d.0.0
network 192.168.0.0
no auto-summary
no eigrp log-neighbor-changes

ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1 250
ip route a.b.29.0 255.255.255.0 a.b.70.250
ip route a.b.71.0 255.255.255.0 a.b.70.250
ip route 192.168.1.0 255.255.255.0 10.0.0.3
no ip http server

So should my current config be working?  I don't see anything I am missing, so any help greatly appreciated.  Thanks!
LVL 6

Expert Comment

by:raptorjb007
ID: 21834864
I notice you do not have a route on the 3600 for the x.x.70.0/24 network and the default route is sending traffic back to the ASA. Try adding the route for the x.x.70.0/24 network to fix this routing loop.
LVL 6

Expert Comment

by:raptorjb007
ID: 21884478
Were you able to resolve this issue?

Author Comment

by:KCHDIT
ID: 21964976
Thanks for checking.  No, this is still not resolved.  I am going to remove the 3600, but with the EIGRP routes, the other routes are not even needed so that would not be the solution.  Still working on it, any other ideas?  Thanks!
LVL 6

Accepted Solution

by:raptorjb007 (earned 500 total points)
ID: 22039923
Your router would still need a route for the network in question or it will default back to the default route.

Try adding a static route for the x.x.70.0/24 network on the router.
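The loop raptorjb007 points out (the PIX routes the server network to the 3600, whose only matching route is the default back to the PIX) can be reproduced with a small longest-prefix-match walk over both tables, before and after the static route the accepted answer suggests. Added example, not from the thread; the prefixes and device names are constructed stand-ins.

```python
import ipaddress

# Constructed sample, not the thread's tables. 198.51.100.0/24 stands in for the
# anonymised x.x.70.0/24 server network behind the 3600; next hops that are not
# devices ("isp", "connected") are terminal.
ROUTES = {
    "pix":    [("0.0.0.0/0", "isp"), ("198.51.100.0/24", "router")],
    "router": [("0.0.0.0/0", "pix"), ("10.0.0.0/24", "connected")],
}
# Same tables with the static route for the server network added on the router.
FIXED_ROUTES = {
    "pix":    ROUTES["pix"],
    "router": ROUTES["router"] + [("198.51.100.0/24", "connected")],
}

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(routes, start, dst):
    """Follow next hops from start toward dst; report 'delivered', 'no route' or 'loop'."""
    path, hop = [start], start
    while hop in routes:            # stop once we leave the devices we model
        next_hop = lookup(routes[hop], dst)
        if next_hop is None:
            return path, "no route"
        if next_hop in path:        # revisiting a device means packets ping-pong
            return path + [next_hop], "loop"
        path.append(next_hop)
        hop = next_hop
    return path, "delivered"

if __name__ == "__main__":
    for label, tables in (("before", ROUTES), ("after fix", FIXED_ROUTES)):
        print(label, trace(tables, "pix", "198.51.100.19"))
```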

Author Comment

by:KCHDIT
ID: 22133414
Solution was to completely delete all SSH from my PIX and restart from scratch.  There must have been conflicting commands in the config above.  I deleted every SSH entry I could find and started building SSH in like I would if I were just building a PIX box.  Entered just the basic commands needed and it is working fine now.  Raptorjb007, thanks for all your help.  I appreciate your time.