  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1275

Cisco Pix - adding sftp 22

I need to allow incoming and outgoing sftp (port 22) traffic to my Cisco Pix Firewall (Version 4.2(3)). The traffic only needs to go to our DMZ server, whose outside address is AA and inside address is BB.

I've tried going into "config t" and typing "conduit permit tcp host AA eq 22 any" but it gave an error message back.  I don't edit firewalls often so I've hit a brick wall so I thought I'd post here to the experts.  Thanks for the advice in advance.

Below is the config with a few AA's, BB's to protect the real IP addresses.  How and what do I need to add to allow sftp to the DMZ incoming and outgoing?

fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address PER_2 0.0.0.0
pager lines 24
no logging console
logging monitor warnings
no logging buffered
no logging trap
logging facility 20
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 100basetx
ip address outside VV 255.255.255.240
ip address inside WW.1.9 255.255.0.0
ip address DMZ1 BB.1 255.255.255.0
ip address PER_2 WW.1.27 255.255.255.0
arp timeout 14400
global (outside) 1 UU-UU netmask 255.255.255.240
nat (inside) 10 255.255.0.0 255.255.0.0 0 0
nat (inside) 10 255.255.255.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XX WW.1.10 netmask 255.255.255.255 0 0
static (inside,DMZ1) WW.1.0 WW.1.0 netmask 255.255.255.0 0 0
static (DMZ1,outside) AA BB.14 netmask 255.255.255.255 0 0
static (inside,DMZ1) WW.0.0 WW.0.0 netmask 255.255.0.0 0 0
conduit permit tcp UU 255.255.255.240 any eq ftp
conduit permit tcp host UU eq ftp any
conduit permit icmp host AA any
conduit permit tcp WW.0.0 255.255.0.0 eq WW.1w host BB.14
conduit permit tcp WW.0.0 255.255.0.0 eq 443 host BB.14
conduit permit tcp host AA eq WW.1w any
conduit permit icmp any any
conduit permit tcp WW.0.0 255.255.0.0 eq 3389 host BB.14
conduit permit tcp host WW.1.11 any
conduit permit tcp host AA eq ftp any
conduit permit tcp host AA eq 443 any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip DMZ1 passive
no rip DMZ1 default
no rip PER_2 passive
no rip PER_2 default
route outside 0.0.0.0 0.0.0.0 ZZ 1
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet WW.1.75 255.255.255.255
telnet WW.1.0 255.255.255.0
telnet WW.0.0 255.255.0.0
telnet timeout 15
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu PER_2 1500
floodguard 1
Asked by: abcbev
1 Solution
 
Matt V Commented:
What was the error message?
 
mittermueller Commented:
From the Cisco site:
Q. Is SFTP supported through the PIX?

    A. No. In a typical FTP connection, either the client or the server must tell the other what port to use for data transfer. The PIX is able to inspect this conversation and open that port. However, with SFTP this conversation is encrypted and the PIX is unable to determine what ports to open and the SFTP connection ultimately fails.

    One possible workaround in this situation is to use an SFTP client that supports the use of a "clear data channel." With this option enabled, the PIX should be able to determine what port needs to be opened.
 
abcbev (Author) Commented:
I just tried in "config t" typing "conduit permit tcp host AA eq 22 any" and it worked (without the quotes).  I'm testing to see if the port is opened up once I can get to an external machine.  Should I need to add anything else so the DMZ server can have incoming and outgoing SFTP traffic (port 22)?
abcbev (Author) Commented:
My external IP tester says that 22 is filtered, 21 is open. I must be missing something simple. Is it maybe related to what mittermueller is saying above? I see the "conduit permit tcp host (external DMZ address) eq 22 any", but there aren't any other conduit permit statements with a double digit port; all have four digit ports.
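As an added example (not from the thread or from Cisco), the following Python script parses the PIX 4.x conduit lines from the posted config and answers the question the external port tester is asking: is inbound TCP to the DMZ server's outside address (AA) on a given port permitted by any conduit? Addresses are kept as the poster's placeholders (AA, WW.1.11), so matching is by token except where real dotted-quad values are present; deny conduits and the static/NAT layer are not modelled.

```python
"""Audit Cisco PIX 4.x 'conduit permit' rules for a given inbound destination and port.

Constructed example: conduit syntax is
  conduit permit|deny PROTO GLOBAL_ADDR [eq PORT] FOREIGN_ADDR [eq PORT]
where an address is 'any', 'host X', or 'X MASK'. Only permit rules are evaluated.
"""
import ipaddress

PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "www": 80, "http": 80, "https": 443}

def _addr(tokens):
    """Consume one address spec; returns ((kind, value), remaining tokens)."""
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] == "host":
        return ("host", tokens[1]), tokens[2:]
    return ("net", (tokens[0], tokens[1])), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq PORT'; names map to numbers, unknown names stay strings."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES.get(p, p)), tokens[2:]
    return None, tokens

def parse_conduit(line):
    """Return a rule dict for a 'conduit' line, or None for anything else."""
    t = line.split()
    if len(t) < 4 or t[0] != "conduit":
        return None
    try:
        glob, rest = _addr(t[3:])
        gport, rest = _addr_port = _port(rest)
        foreign, rest = _addr(rest)
        fport, _ = _port(rest)
    except IndexError:  # truncated or malformed line
        return None
    return {"action": t[1], "proto": t[2], "glob": glob, "gport": gport,
            "foreign": foreign, "fport": fport}

def addr_matches(spec, ip):
    """Token match for placeholders; subnet math only when both sides are real IPs."""
    kind, val = spec
    if kind == "any":
        return True
    if kind == "host":
        return val == ip
    net, mask = val
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    except ValueError:
        return net == ip

def permits_inbound(config, dst_ip, dst_port, src_ip="203.0.113.7", src_port=None, proto="tcp"):
    """True if some permit conduit allows proto traffic from src to dst_ip:dst_port."""
    for line in config.splitlines():
        r = parse_conduit(line.strip())
        if not r or r["action"] != "permit" or r["proto"] not in (proto, "ip"):
            continue
        if (addr_matches(r["glob"], dst_ip) and r["gport"] in (None, dst_port)
                and addr_matches(r["foreign"], src_ip) and r["fport"] in (None, src_port)):
            return True
    return False  # no conduit matched: PIX drops inbound by default

# Constructed excerpt of the posted config (placeholders as the poster redacted them).
CONFIG = """\
static (DMZ1,outside) AA BB.14 netmask 255.255.255.255 0 0
conduit permit icmp host AA any
conduit permit tcp host AA eq ftp any
conduit permit tcp host AA eq 443 any
conduit permit tcp host WW.1.11 any
"""
```

Running `permits_inbound(CONFIG, "AA", 22)` on the excerpt returns False (matching the tester's "22 filtered, 21 open"), and appending the line the author added, `conduit permit tcp host AA eq 22 any`, flips it to True.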
 
abcbev (Author) Commented:
Mittermueller,  ourselves and the other company are fine with just using the standard port 22.
 
abcbev (Author) Commented:
Solved the problem on my own. Question activity was dead anyways.