Solved

PIX 515 SSH access

Posted on 2008-06-11
1,971 Views
Last Modified: 2012-08-13
I am trying to allow a vendor SSH access to a server on my network, below is the config.  Any ideas greatly appreciated.  Server IP address = 1.2.3.4 and is on my internal network.

access-list outside_access_in permit tcp any host 1.2.3.4 eq ssh
access-list inside_access_out permit tcp any any eq ssh
static (inside,outside) 1.2.3.0 1.2.3.0 netmask 255.255.255.0 0 0
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
0
Comment
Question by:KCHDIT
10 Comments
 
LVL 6

Expert Comment

by:raptorjb007
The config sample is a bit too limited to give you exact answers.

First, if you are using NAT, you need to change the "access-list outside_access_in permit tcp any host 1.2.3.4 eq ssh" to use the outside IP of the server, not its internal IP.

Also, the "static (inside,outside) 1.2.3.0 1.2.3.0 netmask 255.255.255.0 0 0" is not going to do anything. You need to configure IPs on different subnets for a static translation.

Something like:
"static (inside,outside) x.x.x.a y.y.y.b netmask 255.255.255.255 0 0"

Lastly, the "ssh 0.0.0.0 0.0.0.0 outside" command configures your PIX for SSH access. Unless your server has a static translation for its own IP address (looks like that's what you are attempting), you should be OK. However, if you are trying to use your outside interface IP you will find yourself unable to use port 22 and will have to use a PAT translation using a different outside port (it can still map to port 22 on the inside, however).

Example:
"static (inside,outside) tcp interface 23 y.y.y.b 22 netmask 255.255.255.255"

If you still have trouble, post your full config (minus sensitive information like passwords) for further inspection.
0
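To make the translation/ACL interplay raptorjb007 describes concrete, here is an added example (not from this thread and not Cisco code) in Python. It parses the three kinds of static discussed (identity, one-to-one, and a port forward on the interface address), resolves an inbound destination through them, and evaluates a PIX 6.x outside access-list against the mapped (global) address, which is why an ACL written against the inside address never matches. The addresses are RFC 5737 documentation ranges standing in for the placeholders in the post, and the outside interface address 198.51.100.1 is an assumption.

```python
import ipaddress
import re

# Constructed sample translations covering the forms discussed above.
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are RFC 5737 documentation
# ranges standing in for the page's 1.2.3.x / x.x.x.a / y.y.y.b placeholders.
OUTSIDE_IF_ADDR = "198.51.100.1"  # assumed address of the PIX outside interface
STATICS = [
    # identity static: mapped (outside) address == real (inside) address
    "static (inside,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0 0 0",
    # one-to-one static: public 198.51.100.10 is inside host 10.0.0.10
    "static (inside,outside) 198.51.100.10 10.0.0.10 netmask 255.255.255.255 0 0",
    # port forward on the outside interface address: outside tcp/23 -> 10.0.0.22:22
    "static (inside,outside) tcp interface 23 10.0.0.22 22 netmask 255.255.255.255",
]
# Vendor source 192.0.2.7; the ACL names the *mapped* (outside) addresses.
ACL = [
    "access-list outside_access_in permit tcp host 192.0.2.7 host 203.0.113.4 eq ssh",
    "access-list outside_access_in permit tcp host 192.0.2.7 host 198.51.100.10 eq ssh",
    "access-list outside_access_in permit tcp host 192.0.2.7 host 198.51.100.1 eq 23",
    "access-list outside_access_in permit tcp host 192.0.2.7 host 198.51.100.50 eq ssh",
]
# The mistake from the first reply: ACL written against the inside address.
ACL_WRONG = ["access-list outside_access_in permit tcp host 192.0.2.7 host 10.0.0.10 eq ssh"]
PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "https": 443, "smtp": 25}

PAT_RE = re.compile(r"^static \(\w+,\w+\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask")
NET_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+) netmask (\S+)")


def parse_statics(lines):
    """Turn 'static' lines into translation rules (port-forward or network)."""
    rules = []
    for line in lines:
        m = PAT_RE.match(line)
        if m:
            proto, g_ip, g_port, l_ip, l_port = m.groups()
            g_ip = OUTSIDE_IF_ADDR if g_ip == "interface" else g_ip
            rules.append(("pat", proto, ipaddress.ip_address(g_ip), int(g_port),
                          ipaddress.ip_address(l_ip), int(l_port)))
            continue
        m = NET_RE.match(line)
        if m:
            g_ip, l_ip, mask = m.groups()
            rules.append(("net", ipaddress.ip_network(f"{g_ip}/{mask}", strict=False),
                          ipaddress.ip_network(f"{l_ip}/{mask}", strict=False)))
    return rules


def translate_inbound(rules, mapped_ip, port, proto="tcp"):
    """Resolve an outside destination ip:port to the inside host:port, or None."""
    ip = ipaddress.ip_address(mapped_ip)
    for r in rules:  # exact port forwards win over network statics
        if r[0] == "pat" and r[1] == proto and r[2] == ip and r[3] == port:
            return str(r[4]), r[5]
    for r in rules:
        if r[0] == "net" and ip in r[1]:
            offset = int(ip) - int(r[1].network_address)
            return str(r[2].network_address + offset), port
    return None


def _match_addr(t, i, ip):
    """Consume one ACL address spec ('any', 'host X', or 'X MASK') at t[i]."""
    if t[i] == "any":
        return True, i + 1
    if t[i] == "host":
        return ipaddress.ip_address(t[i + 1]) == ip, i + 2
    return ip in ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def acl_permits(acl_lines, name, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation of one named access-list; implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        t = line.split()
        if t[:2] != ["access-list", name] or t[3] not in ("ip", proto):
            continue
        ok_src, i = _match_addr(t, 4, src)
        if i < len(t) and t[i] in ("eq", "gt", "lt"):  # source-port qualifier, not enforced here
            i += 2
        ok_dst, i = _match_addr(t, i, dst)
        port_ok = True
        if i < len(t) and t[i] == "eq":
            want = t[i + 1]
            port_ok = dst_port == (PORT_NAMES[want] if want in PORT_NAMES else int(want))
        if ok_src and ok_dst and port_ok:
            return t[2] == "permit"
    return False


def vendor_can_reach_ssh(acl_lines, rules, vendor_ip, public_ip, public_port):
    """Outcome for a vendor session arriving on the outside interface.

    PIX 6.x applies the outside ACL to the global (mapped) address and then
    needs a static to reach the inside host; both must be in place.
    """
    if not acl_permits(acl_lines, "outside_access_in", "tcp", vendor_ip, public_ip, public_port):
        return "denied by ACL"
    target = translate_inbound(rules, public_ip, public_port)
    if target is None:
        return "no translation"
    return "forwarded to %s:%d" % target


if __name__ == "__main__":
    rules = parse_statics(STATICS)
    for dst, port in [("203.0.113.4", 22), ("198.51.100.10", 22),
                      ("198.51.100.1", 23), ("198.51.100.50", 22)]:
        print(dst, port, "->", vendor_can_reach_ssh(ACL, rules, "192.0.2.7", dst, port))
    print("ACL against inside address ->",
          vendor_can_reach_ssh(ACL_WRONG, rules, "192.0.2.7", "198.51.100.10", 22))
```

The last call shows the failure mode from the first reply: with the ACL naming 10.0.0.10, a packet for the public address 198.51.100.10 is dropped before the static is ever consulted.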
 

Author Comment

by:KCHDIT
Here is my full config:

Basically I have the two entries to allow SSH to this specific server and have the commands as stated above.  My goal is to allow my vendor to access a specific server via SSH.  Thanks!

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 stateful security99
enable password xxxxxxx
passwd xxxxxxxxxxxx
hostname xxxxxxxx
domain-name xxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names        
access-list nonat permit ip x.x.69.0 255.255.255.0 any
access-list nonat permit ip x.x.70.0 255.255.255.0 any
access-list nonat permit ip x.x.71.0 255.255.255.0 any
;access-list outside_access_in permit ip x.x.19.0 255.255.255.0 x.x.69.0 255.255.255.0
;access-list outside_access_in permit ip x.x.30.0 255.255.255.0 x.x.29.0 255.255.255.0
;access-list outside_access_in permit ip x.x.30.0 255.255.255.0 x.x.69.0 255.255.255.0
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit ip x.x.13.50 x.x.13.50 x.x.29.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.163 x.x.11.163 x.x.29.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.169 x.x.11.169 x.x.29.0 255.255.255.0
access-list outside_access_in permit ip x.x.16.150 x.x.16.150 x.x.29.0 255.255.255.0
;access-list outside_access_in permit ip x.x.19.0 255.255.255.0 x.x.70.0 255.255.255.0
;access-list outside_access_in permit ip x.x.30.0 255.255.255.0 x.x.70.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.163 x.x.11.163 x.x.69.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.163 x.x.11.163 x.x.70.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.163 x.x.11.163 x.x.71.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.169 x.x.11.169 x.x.69.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.169 x.x.11.169 x.x.70.0 255.255.255.0
access-list outside_access_in permit ip x.x.11.169 x.x.11.169 x.x.71.0 255.255.255.0
access-list outside_access_in permit ip x.x.13.50 x.x.13.50 x.x.69.0 255.255.255.0
access-list outside_access_in permit ip x.x.13.50 x.x.13.50 x.x.70.0 255.255.255.0
access-list outside_access_in permit ip x.x.13.50 x.x.13.50 x.x.71.0 255.255.255.0
access-list outside_access_in permit ip x.x.13.52 x.x.13.52 x.x.29.0 255.255.255.0
access-list outside_access_in permit ip x.x.13.52 x.x.13.52 x.x.69.0 255.255.255.0
access-list outside_access_in permit ip x.x.13.52 x.x.13.52 x.x.70.0 255.255.255.0
access-list outside_access_in permit ip x.x.13.52 x.x.13.52 x.x.71.0 255.255.255.0
access-list outside_access_in permit ip x.x.16.150 x.x.16.150 x.x.69.0 255.255.255.0
access-list outside_access_in permit ip x.x.16.150 x.x.16.150 x.x.70.0 255.255.255.0
access-list outside_access_in permit ip x.x.16.150 x.x.16.150 x.x.71.0 255.255.255.0
access-list outside_access_in permit ip x.x.59.186 x.x.59.186 x.x.69.0 255.255.255.0
access-list outside_access_in permit ip x.x.59.186 x.x.59.186 x.x.70.0 255.255.255.0
access-list outside_access_in permit ip x.x.59.186 x.x.59.186 x.x.71.0 255.255.255.0
access-list outside_access_in permit ip x.x.59.186 x.x.59.186 x.x.29.0 255.255.255.0
access-list outside_access_in permit tcp any gt 1023 host x.x.70.6 eq smtp
access-list outside_access_in permit tcp host x.x.204.1 host x.x.69.211 eq www
access-list outside_access_in permit udp host x.x.204.1 host x.x.69.211 eq netbios-ns
access-list outside_access_in deny tcp any any eq 135
access-list outside_access_in deny tcp any any eq netbios-ssn
access-list outside_access_in deny udp any any eq netbios-ns
access-list outside_access_in deny udp any any eq netbios-dgm
access-list outside_access_in deny udp any any eq 139
access-list outside_access_in deny udp any any eq tftp
access-list outside_access_in deny tcp any any eq 138
access-list outside_access_in deny tcp any any eq 593
access-list outside_access_in deny tcp any any eq 4444
access-list outside_access_in deny udp any any eq 135
access-list outside_access_in deny udp any any eq 8998
access-list outside_access_in deny udp any any eq 445
access-list outside_access_in deny udp any any eq 1434
access-list outside_access_in deny tcp any any eq 445
access-list outside_access_in deny tcp any any eq 5554
access-list outside_access_in deny tcp any any eq 9996
access-list outside_access_in deny tcp any any eq 1022
access-list outside_access_in deny tcp any any eq 1023
;access-list outside_access_in permit ip host x.x.69.217 host x.x.70.8
access-list outside_access_in permit tcp host x.x.204.1 host x.x.69.212 eq https
access-list outside_access_in permit tcp host x.x.204.1 host x.x.69.212 eq www
access-list outside_access_in permit tcp any host x.x.70.19 eq ssh
access-list outside_access_in permit tcp any host x.x.70.17 eq ssh
access-list inside_access_out deny ip any host x.x.x.240
access-list inside_access_out deny udp any any eq 135
access-list inside_access_out deny udp any any eq 8998
access-list inside_access_out deny tcp any any eq 5554
access-list inside_access_out deny tcp any any eq 9996
access-list inside_access_out deny tcp any any eq 1022
access-list inside_access_out deny tcp any any eq 1023
access-list inside_access_out permit ip any any
access-list inside_access_out permit tcp any any eq 3101
access-list dmz_access_in permit tcp host x.x.69.211 host x.x.70.7 eq www
access-list dmz_access_in permit ip host x.x.69.211 host x.x.70.7
access-list dmz_access_in permit tcp host x.x.69.211 host x.x.204.1 eq www
access-list dmz_access_in permit ip host x.x.69.211 host x.x.204.1
access-list dmz_access_in permit tcp host x.x.69.211 host x.x.29.9 eq 1829
access-list dmz_access_in permit ip host x.x.69.211 host x.x.70.1
access-list dmz_access_in permit tcp host x.x.69.211 host x.x.70.12 eq www      
access-list dmz_access_in permit ip host x.x.69.211 host x.x.70.12
;access-list 101 permit ip host x.x.70.5 host x.x.x.74
pager lines 24
logging on
logging trap notifications
logging host inside x.x.70.8
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu stateful 1500
ip address outside x.x.69.218 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address dmz x.x.69.209 255.255.255.248
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address stateful 10.50.50.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside x.x.69.219
failover ip address inside 10.0.0.2
failover ip address dmz x.x.69.210
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address stateful 10.50.50.2
failover link stateful
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) x.x.29.0 x.x.29.0 netmask 255.255.255.0 0 0
static (inside,outside) x.x.69.0 x.x.69.0 netmask 255.255.255.128 0 0
static (inside,outside) x.x.69.128 x.x.69.128 netmask 255.255.255.192 0 0
static (inside,outside) x.x.69.192 x.x.69.192 netmask 255.255.255.240 0 0
static (inside,outside) x.x.69.224 x.x.69.224 netmask 255.255.255.224 0 0
static (inside,outside) x.x.70.0 x.x.70.0 netmask 255.255.255.0 0 0
static (inside,outside) x.x.71.0 x.x.71.0 netmask 255.255.255.0 0 0
static (dmz,outside) x.x.69.211 x.x.69.211 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.69.212 x.x.69.212 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.1 x.x.70.1 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.6 x.x.70.6 netmask 255.255.255.255 0 0  
static (inside,dmz) x.x.70.7 x.x.70.7 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.12 x.x.70.12 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.201 x.x.70.201 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.203 x.x.70.203 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.204 x.x.70.204 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.205 x.x.70.205 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.212 x.x.70.212 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.213 x.x.70.213 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.214 x.x.70.214 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.217 x.x.70.217 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.70.207 x.x.70.207 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
access-group dmz_access_in in interface dmz
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 x.x.69.217 1
route inside x.x.69.0 255.255.255.0 10.0.0.254 1
route inside x.x.70.0 255.255.255.0 10.0.0.254 1
route inside x.x.71.0 255.255.255.0 10.0.0.254 1
route inside 192.168.1.0 255.255.255.0 10.0.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
;crypto ipsec transform-set Medease esp-3des esp-md5-hmac
;crypto map Medease 10 ipsec-isakmp
;crypto map Medease 10 match address 101
;crypto map Medease 10 set peer x.x.x.73
;crypto map Medease 10 set transform-set Medease
;crypto map Medease interface outside
;isakmp enable outside
;isakmp key ******** address x.x.x.73 netmask 255.255.255.255
;isakmp identity address
;isakmp policy 10 authentication pre-share
;isakmp policy 10 encryption 3des
;isakmp policy 10 hash md5
;isakmp policy 10 group 2
;isakmp policy 10 lifetime 28800
telnet x.x.70.203 255.255.255.255 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
terminal width 132
Cryptochecksum:46632dac0511ec1a044c1467e62f26fa
: end        
0
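An added example (not part of the thread) that runs a small exposure check over an excerpt of this config in Python. The "x.x" octets are replaced with documentation addresses so the lines parse, and the severity labels are this example's own. It flags the points a reviewer would raise about vendor access: "ssh 0.0.0.0 0.0.0.0 outside" lets any Internet host attempt SSH logins to the firewall itself, the two any-source SSH permits in outside_access_in are wider than one vendor needs, and the SNMP community is the default "public".

```python
import ipaddress
import re

# Constructed excerpt of the posted PIX 6.2 config; the page's "x.x" octets are
# replaced with the 198.51.100.0/24 and 192.0.2.0/24 documentation ranges.
CONFIG = """\
access-list outside_access_in permit tcp any host 198.51.100.19 eq ssh
access-list outside_access_in permit tcp any host 198.51.100.17 eq ssh
access-list outside_access_in permit tcp host 192.0.2.1 host 198.51.100.212 eq https
access-list outside_access_in permit tcp any gt 1023 host 198.51.100.6 eq smtp
access-list inside_access_out permit ip any any
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
snmp-server community public
telnet 198.51.100.203 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
"""

# "ssh|telnet <addr> <mask> <interface>": who may open a management session
MGMT_RE = re.compile(r"^(ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
MGMT_PORTS = {"ssh", "22", "telnet", "23"}
DEFAULT_COMMUNITIES = {"public", "private"}


def outside_acl_name(lines):
    """Name of the access-list bound inbound on the outside interface, if any."""
    for t in (l.split() for l in lines):
        if t[:1] == ["access-group"] and t[2:5] == ["in", "interface", "outside"]:
            return t[1]
    return None


def audit(config_text):
    """Return (severity, config line, advice) for exposure problems in the config."""
    lines = [l.strip() for l in config_text.splitlines()
             if l.strip() and not l.startswith(";")]  # ';' lines are commented out
    outside_acl = outside_acl_name(lines)
    findings = []
    for line in lines:
        t = line.split()
        m = MGMT_RE.match(line)
        if m:  # management access to the firewall itself
            svc, addr, mask, ifc = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if ifc == "outside" and net.prefixlen == 0:
                findings.append(("HIGH", line,
                                 f"{svc} to the firewall is open to every Internet address; "
                                 f"use '{svc} <vendor-ip> 255.255.255.255 outside' instead"))
            elif svc == "telnet" and ifc == "outside":
                findings.append(("HIGH", line,
                                 "cleartext telnet management on the outside interface"))
        elif t[:1] == ["access-list"] and t[1] == outside_acl and t[2] == "permit":
            port = t[-1] if len(t) > 2 and t[-2] == "eq" else None
            if t[3] == "tcp" and t[4] == "any" and port in MGMT_PORTS:
                findings.append(("MEDIUM", line,
                                 "any-source access to a remote-login port; restrict the "
                                 "source to the vendor's address with 'host <vendor-ip>'"))
        elif t[:2] == ["snmp-server", "community"] and t[2] in DEFAULT_COMMUNITIES:
            findings.append(("MEDIUM", line, "default SNMP community string"))
    return findings


if __name__ == "__main__":
    for severity, line, advice in audit(CONFIG):
        print(f"[{severity}] {line}\n    {advice}")
```

The check is deliberately narrow: it only reads the access-list bound to the outside interface, so the "permit ip any any" in inside_access_out is ignored, and a management line scoped to one host (for example "ssh <vendor-ip> 255.255.255.255 outside") produces no finding.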
 

Author Comment

by:KCHDIT
Increasing Point value.  Really need a resolution.  Thanks!
0
 
LVL 6

Expert Comment

by:raptorjb007
Judging by the following:

access-list outside_access_in permit tcp any host x.x.70.19 eq ssh
access-list outside_access_in permit tcp any host x.x.70.17 eq ssh
static (inside,outside) x.x.70.0 x.x.70.0 netmask 255.255.255.0 0 0
route inside x.x.70.0 255.255.255.0 10.0.0.254 1

You simply wish to have the traffic forwarded to its next hop, 10.0.0.254. Assuming 10.0.0.254 is properly configured, your current config should work.

Is the device 10.0.0.254 performing NAT on the traffic?
0
 

Author Comment

by:KCHDIT
No, 10.0.0.254 is not performing NAT.  It is a router port on my 3600 inside my firewall.  Here is the config for that in case there is something I am missing.  Thanks for the assistance.

interface fastethernet1/1
ip address 10.0.0.254 255.255.255.0
speed 100
full-duplex

router eigrp 1
network 10.0.0.0
network a.b.0.0
network c.d.0.0
network 192.168.0.0
no auto-summary
no eigrp log-neighbor-changes

ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1 250
ip route a.b.29.0 255.255.255.0 a.b.70.250
ip route a.b.71.0 255.255.255.0 a.b.70.250
ip route 192.168.1.0 255.255.255.0 10.0.0.3
no ip http server

So should my current config be working?  I don't see anything I am missing, so any help greatly appreciated.  Thanks!
0
 
LVL 6

Expert Comment

by:raptorjb007
I notice you do not have a route on the 3600 for the x.x.70.0/24 network and the default route is sending traffic back to the ASA. Try adding the route for the x.x.70.0/24 network to fix this routing loop.
0
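The routing loop described above, modelled as an added example (not part of the thread) in Python: a longest-prefix lookup on each device's table and a hop-by-hop trace that stops when a device is visited twice. Only the static routes shown on the page are modelled (the EIGRP-learned routes the author mentions are not), 198.51.100.0/24 stands in for x.x.70.0/24, 203.0.113.1 stands in for the x.x.69.217 upstream gateway, and the next hop 10.0.0.3 in the fixed router table is hypothetical.

```python
import ipaddress

# Constructed route tables reflecting the statics on the page.
# Entry format: (prefix, next_hop or None for a connected route, interface)
PIX_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "outside"),      # route outside 0.0.0.0 0.0.0.0 x.x.69.217 1
    ("10.0.0.0/24", None, "inside"),              # ip address inside 10.0.0.1 255.255.255.0
    ("198.51.100.0/24", "10.0.0.254", "inside"),  # route inside x.x.70.0 255.255.255.0 10.0.0.254 1
]
ROUTER_ROUTES = [
    ("10.0.0.0/24", None, "fastethernet1/1"),     # connected: ip address 10.0.0.254 255.255.255.0
    ("0.0.0.0/0", "10.0.0.1", None),              # ip route 0.0.0.0 0.0.0.0 10.0.0.1 250
]
# Hypothetical fix: a route for the subnet on the 3600 toward an assumed
# downstream hop 10.0.0.3 (the page never states the real next hop).
ROUTER_ROUTES_FIXED = ROUTER_ROUTES + [("198.51.100.0/24", "10.0.0.3", None)]

DEVICES = {"10.0.0.1": ("pix", PIX_ROUTES), "10.0.0.254": ("3600", ROUTER_ROUTES)}
DEVICES_FIXED = {"10.0.0.1": ("pix", PIX_ROUTES), "10.0.0.254": ("3600", ROUTER_ROUTES_FIXED)}


def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop, interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifc)
    return best


def trace(dst, devices=DEVICES, start="10.0.0.1"):
    """Follow next hops from `start`; stop on delivery, hand-off, no route, or loop."""
    path, cur = [], start
    while True:
        if cur in path:  # same device twice: packets bounce until TTL expires
            return "loop", path + [cur]
        path.append(cur)
        hit = lookup(devices[cur][1], dst)
        if hit is None:
            return "unroutable", path
        _, nh, _ = hit
        if nh is None:           # connected route: destination is on-link
            return "delivered", path
        if nh not in devices:    # next hop is outside the modelled devices
            return "forwarded", path + [nh]
        cur = nh


if __name__ == "__main__":
    print(trace("198.51.100.19"))                 # ('loop', ['10.0.0.1', '10.0.0.254', '10.0.0.1'])
    print(trace("198.51.100.19", DEVICES_FIXED))  # ('forwarded', ['10.0.0.1', '10.0.0.254', '10.0.0.3'])
```

With the tables as posted, a vendor packet for the x.x.70.0/24 host leaves the PIX toward 10.0.0.254, and the 3600's only matching entry is its default route back to 10.0.0.1; the trace reports the loop on the second visit to the PIX. Adding a more specific route on the router is what breaks it.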
 
LVL 6

Expert Comment

by:raptorjb007
Were you able to resolve this issue?
0
 

Author Comment

by:KCHDIT
Thanks for checking.  No, this is still not resolved.  I am going to remove the 3600, but with the EIGRP routes, the other routes are not even needed so that would not be the solution.  Still working on it, any other ideas?  Thanks!
0
 
LVL 6

Accepted Solution

by:
raptorjb007 earned 500 total points
Your router would still need a route for the network in question or it will default back to the default route.

Try adding a static route for the x.x.70.0/24 network on the router.
0
 

Author Comment

by:KCHDIT
Solution was to completely delete all SSH from my PIX and restart from scratch.  There must have been conflicting commands in the config above.  I deleted every SSH entry I could find and started building SSH in like I would if I were just building a PIX box.  Entered just the basic commands needed and it is working fine now.  Raptorjb007, thanks for all your help.  I appreciate your time.
0