abcbev (asker, United States of America) asked:
Cisco Pix - adding sftp 22

I need to allow incoming and outgoing sftp (port 22) traffic to my Cisco Pix Firewall (Version 4.2(3)).  The traffic only needs to go to our DMZ server, whose outside address is AA and inside address is BB.

I've tried going into "config t" and typing "conduit permit tcp host AA eq 22 any", but it gave an error message back.  I don't edit firewalls often, so I've hit a brick wall, and I thought I'd post here to the experts.  Thanks for the advice in advance.

Below is the config, with a few AAs and BBs to protect the real IP addresses.  How and what do I need to add to allow sftp to the DMZ, incoming and outgoing?

fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address PER_2 0.0.0.0
pager lines 24
no logging console
logging monitor warnings
no logging buffered
no logging trap
logging facility 20
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 100basetx
ip address outside VV 255.255.255.240
ip address inside WW.1.9 255.255.0.0
ip address DMZ1 BB.1 255.255.255.0
ip address PER_2 WW.1.27 255.255.255.0
arp timeout 14400
global (outside) 1 UU-UU netmask 255.255.255.240
nat (inside) 10 255.255.0.0 255.255.0.0 0 0
nat (inside) 10 255.255.255.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XX WW.1.10 netmask 255.255.255.255 0 0
static (inside,DMZ1) WW.1.0 WW.1.0 netmask 255.255.255.0 0 0
static (DMZ1,outside) AA BB.14 netmask 255.255.255.255 0 0
static (inside,DMZ1) WW.0.0 WW.0.0 netmask 255.255.0.0 0 0
conduit permit tcp UU 255.255.255.240 any eq ftp
conduit permit tcp host UU eq ftp any
conduit permit icmp host AA any
conduit permit tcp WW.0.0 255.255.0.0 eq WW.1w host BB.14
conduit permit tcp WW.0.0 255.255.0.0 eq 443 host BB.14
conduit permit tcp host AA eq WW.1w any
conduit permit icmp any any
conduit permit tcp WW.0.0 255.255.0.0 eq 3389 host BB.14
conduit permit tcp host WW.1.11 any
conduit permit tcp host AA eq ftp any
conduit permit tcp host AA eq 443 any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip DMZ1 passive
no rip DMZ1 default
no rip PER_2 passive
no rip PER_2 default
route outside 0.0.0.0 0.0.0.0 ZZ 1
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet WW.1.75 255.255.255.255
telnet WW.1.0 255.255.255.0
telnet WW.0.0 255.255.0.0
telnet timeout 15
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu PER_2 1500
floodguard 1
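The question is which conduit line opens TCP/22 to the DMZ server's outside address AA and how to confirm what the firewall actually exposes. The following Python script is an added example, not code from this thread or from Cisco: it parses PIX 4.x `conduit permit|deny <proto> <global> [eq port] <foreign> [eq port]` lines, answers "is this port reachable on this host" the way the conduit list would, lists every port a host exposes to any outside address, and flags rules with `any` on both sides (the config above has a `conduit permit icmp any any`). The sample rules are the ones from the config with the thread's placeholders swapped for constructed documentation addresses (203.0.113.14 stands in for AA, 192.0.2.14 for BB.14, 10.1.0.0/16 for WW.0.0); only the `eq` port operator is handled, and the rule that a matching `deny` overrides a `permit` is an assumption about PIX conduit semantics built into `is_permitted`.

```python
"""Audit helper for PIX 4.x conduit rules (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Service names PIX accepts in place of numbers (only the ones relevant here).
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}

# Constructed sample: the conduit lines from the question with placeholders replaced
# by documentation addresses.  203.0.113.14 = AA (DMZ server, outside address),
# 192.0.2.14 = BB.14 (DMZ server, DMZ1 address), 10.1.0.0/16 = WW.0.0 (inside net).
SAMPLE_CONDUITS = """\
conduit permit tcp 203.0.113.16 255.255.255.240 any eq ftp
conduit permit tcp host 203.0.113.17 eq ftp any
conduit permit icmp host 203.0.113.14 any
conduit permit tcp 10.1.0.0 255.255.0.0 eq 443 host 192.0.2.14
conduit permit icmp any any
conduit permit tcp 10.1.0.0 255.255.0.0 eq 3389 host 192.0.2.14
conduit permit tcp host 10.1.1.11 any
conduit permit tcp host 203.0.113.14 eq ftp any
conduit permit tcp host 203.0.113.14 eq 443 any
"""


@dataclass
class Conduit:
    action: str                        # permit | deny
    proto: str                         # tcp | udp | icmp
    global_net: ipaddress.IPv4Network  # protected side, as addressed from outside
    global_port: Optional[int]
    foreign_net: ipaddress.IPv4Network  # the other (usually outside) side
    foreign_port: Optional[int]


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one conduit address: 'host X', 'any', or 'X MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq <port>'; other PIX operators are out of scope here."""
    if tokens and tokens[0] in ("gt", "lt", "neq", "range"):
        raise ValueError(f"port operator {tokens[0]!r} not handled in this example")
    if not tokens or tokens[0] != "eq":
        return None
    tokens.pop(0)
    p = tokens.pop(0)
    return SERVICE_PORTS[p] if p in SERVICE_PORTS else int(p)


def parse_conduits(text: str) -> List[Conduit]:
    """Parse every 'conduit' line in a config excerpt; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "conduit":
            continue
        action, proto, rest = tokens[1], tokens[2], tokens[3:]
        g_net, g_port = _take_addr(rest), _take_port(rest)
        f_net, f_port = _take_addr(rest), _take_port(rest)
        rules.append(Conduit(action, proto, g_net, g_port, f_net, f_port))
    return rules


def _matches(r: Conduit, proto, dst_ip, dst_port, src_ip, src_port) -> bool:
    if r.proto != proto:
        return False
    if ipaddress.ip_address(dst_ip) not in r.global_net:
        return False
    if ipaddress.ip_address(src_ip) not in r.foreign_net:
        return False
    if r.global_port is not None and r.global_port != dst_port:
        return False
    if r.foreign_port is not None and r.foreign_port != src_port:
        return False
    return True


def is_permitted(rules, proto, dst_ip, dst_port=None, src_ip="0.0.0.0", src_port=None) -> bool:
    """Would traffic to dst_ip:dst_port from src_ip pass the conduit list?
    src_ip 0.0.0.0 models an unspecified outside host (it only matches 'any').
    Assumption: a matching 'deny' conduit overrides any matching 'permit'."""
    hits = [r for r in rules if _matches(r, proto, dst_ip, dst_port, src_ip, src_port)]
    if any(r.action == "deny" for r in hits):
        return False
    return any(r.action == "permit" for r in hits)


def exposed_ports(rules, host_ip) -> Set[Tuple[str, Optional[int]]]:
    """(proto, port) pairs on host_ip that any outside address may reach."""
    ip = ipaddress.ip_address(host_ip)
    return {(r.proto, r.global_port) for r in rules
            if r.action == "permit" and ip in r.global_net
            and r.foreign_net.prefixlen == 0 and r.foreign_port is None}


def broad_rules(rules) -> List[Conduit]:
    """Rules with 'any' on both sides, which deserve a second look."""
    return [r for r in rules if r.global_net.prefixlen == 0 and r.foreign_net.prefixlen == 0]


if __name__ == "__main__":
    before = parse_conduits(SAMPLE_CONDUITS)
    print("AA exposes:", sorted(exposed_ports(before, "203.0.113.14"), key=str))
    print("TCP/22 to AA before:", is_permitted(before, "tcp", "203.0.113.14", 22))
    after = parse_conduits(SAMPLE_CONDUITS + "conduit permit tcp host 203.0.113.14 eq 22 any\n")
    print("TCP/22 to AA after: ", is_permitted(after, "tcp", "203.0.113.14", 22))
    for r in broad_rules(before):
        print("any/any rule:", r.proto)
```

Conduits only govern the inbound direction (outside toward the DMZ); on PIX the DMZ server's own outbound connections rely on a translation such as the `static (DMZ1,outside) AA BB.14` already in the config, which this parser does not model.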
Matt V (Canada):

What was the error message?
ASKER CERTIFIED SOLUTION by mittermueller (solution text not included on this page; members-only content).
abcbev (asker):
I just tried in "config t" typing "conduit permit tcp host AA eq 22 any" (without the quotes) and it worked.  I'm testing to see if the port is opened up once I can get to an external machine.  Do I need to add anything else so the DMZ server can have incoming and outgoing SFTP traffic (port 22)?
abcbev (asker):
My external IP tester says that 22 is filtered and 21 is open.  I must be missing something simple.  Is it maybe related to what mittermueller is saying above?  I see the "conduit permit tcp host (external DMZ address) eq 22 any", but there aren't any other conduit permit statements with a two-digit port; all have four-digit ports.
abcbev (asker):
Mittermueller, we and the other company are fine with just using the standard port 22.
abcbev (asker):
Solved the problem on my own.  Question activity was dead anyway.