Solved

Cisco Pix - adding sftp 22

Posted on 2010-09-07
Last Modified: 2012-05-10
I need to allow incoming and outgoing SFTP (port 22) traffic to my Cisco PIX firewall (Version 4.2(3)). The traffic only needs to go to our DMZ server, whose outside address is AA and inside address is BB.

I've tried going into "config t" and typing "conduit permit tcp host AA eq 22 any", but it gave an error message back. I don't edit firewalls often, so I've hit a brick wall and thought I'd post here to the experts. Thanks in advance for the advice.

Below is the config, with a few AAs and BBs substituted to protect the real IP addresses. How and what do I need to add to allow SFTP to the DMZ, incoming and outgoing?

fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address PER_2 0.0.0.0
pager lines 24
no logging console
logging monitor warnings
no logging buffered
no logging trap
logging facility 20
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 100basetx
ip address outside VV 255.255.255.240
ip address inside WW.1.9 255.255.0.0
ip address DMZ1 BB.1 255.255.255.0
ip address PER_2 WW.1.27 255.255.255.0
arp timeout 14400
global (outside) 1 UU-UU netmask 255.255.255.240
nat (inside) 10 255.255.0.0 255.255.0.0 0 0
nat (inside) 10 255.255.255.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XX WW.1.10 netmask 255.255.255.255 0 0
static (inside,DMZ1) WW.1.0 WW.1.0 netmask 255.255.255.0 0 0
static (DMZ1,outside) AA BB.14 netmask 255.255.255.255 0 0
static (inside,DMZ1) WW.0.0 WW.0.0 netmask 255.255.0.0 0 0
conduit permit tcp UU 255.255.255.240 any eq ftp
conduit permit tcp host UU eq ftp any
conduit permit icmp host AA any
conduit permit tcp WW.0.0 255.255.0.0 eq WW.1w host BB.14
conduit permit tcp WW.0.0 255.255.0.0 eq 443 host BB.14
conduit permit tcp host AA eq WW.1w any
conduit permit icmp any any
conduit permit tcp WW.0.0 255.255.0.0 eq 3389 host BB.14
conduit permit tcp host WW.1.11 any
conduit permit tcp host AA eq ftp any
conduit permit tcp host AA eq 443 any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip DMZ1 passive
no rip DMZ1 default
no rip PER_2 passive
no rip PER_2 default
route outside 0.0.0.0 0.0.0.0 ZZ 1
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet WW.1.75 255.255.255.255
telnet WW.1.0 255.255.255.0
telnet WW.0.0 255.255.0.0
telnet timeout 15
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu PER_2 1500
floodguard 1
Question by: abcbev
 

Expert Comment

by:Matt V
ID: 33620934
What was the error message?

Accepted Solution

by: mittermueller (earned 500 total points)
ID: 33620982
From the Cisco site:
Q. Is SFTP supported through the PIX?

    A. No. In a typical FTP connection, either the client or the server must tell the other what port to use for data transfer. The PIX is able to inspect this conversation and open that port. However, with SFTP this conversation is encrypted and the PIX is unable to determine what ports to open and the SFTP connection ultimately fails.

    One possible workaround in this situation is to use an SFTP client that supports the use of a "clear data channel." With this option enabled, the PIX should be able to determine what port needs to be opened.
Author Comment

by:abcbev
ID: 33621052
I just tried in "config t" typing "conduit permit tcp host AA eq 22 any" (without the quotes) and it worked. I'm testing to see if the port is opened up once I can get to an external machine. Should I need to add anything else so the DMZ server can have incoming and outgoing SFTP traffic (port 22)?
Author Comment

by:abcbev
ID: 33621128
My external IP tester says that 22 is filtered and 21 is open. I must be missing something simple. Is it maybe related to what mittermueller is saying above? I see the "conduit permit tcp host (external DMZ address) eq 22 any", but there aren't any other conduit permit statements with a double-digit port; all have four-digit ports.
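The comment above compares the conduit lines by eye. As an added example (not code from this thread and not Cisco's), here is a small Python evaluator that parses PIX 4.x-style `static` and `conduit` statements and reports which conduits match a given inbound flow and which DMZ address the `static` translates it to. The addresses in `SAMPLE_CONFIG` are constructed RFC 5737/1918 stand-ins for the AA, BB and UU placeholders; the rule that a matching deny outranks any permit regardless of order is an assumption to confirm against the documentation for your PIX release; and only the `eq` port qualifier and `host`/`mask`/`any` address forms are handled, which is all the posted config uses.

```python
"""Evaluate PIX 4.x-style 'static' and 'conduit' lines for one inbound flow.

Added example, not code from the thread or from Cisco. Addresses are
constructed RFC 5737 / RFC 1918 stand-ins for the AA/BB/UU placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the question's config: AA -> 203.0.113.10,
# BB.14 -> 10.10.1.14, UU/28 -> 203.0.113.0/28, plus the author's 'eq 22' line.
SAMPLE_CONFIG = """\
static (DMZ1,outside) 203.0.113.10 10.10.1.14 netmask 255.255.255.255 0 0
conduit permit tcp 203.0.113.0 255.255.255.240 any eq ftp
conduit permit icmp host 203.0.113.10 any
conduit permit tcp host 203.0.113.10 eq ftp any
conduit permit tcp host 203.0.113.10 eq 443 any
conduit permit tcp host 203.0.113.10 eq 22 any
"""

# Service names the posted config uses, plus a few common ones.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}


@dataclass
class Conduit:
    action: str                        # permit | deny
    proto: str                         # tcp | udp | icmp | ip
    global_net: ipaddress.IPv4Network  # destination (global/outside) side
    global_port: Optional[int]         # destination port, None = any
    foreign_net: ipaddress.IPv4Network # source side
    foreign_port: Optional[int]        # source port, None = any
    text: str                          # original line, for reporting


def _parse_addr(tok, i):
    """Consume 'any' | 'host X' | 'X MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_port(tok, i):
    """Consume an optional 'eq PORT' qualifier; PORT may be a name or a number."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1].lower()
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_config(text):
    """Return (conduits, statics); statics maps global IP -> local IP."""
    conduits, statics = [], {}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "conduit" and tok[1] in ("permit", "deny"):
            gnet, i = _parse_addr(tok, 3)
            gport, i = _parse_port(tok, i)
            fnet, i = _parse_addr(tok, i)
            fport, i = _parse_port(tok, i)
            conduits.append(Conduit(tok[1], tok[2].lower(), gnet, gport, fnet, fport, raw.strip()))
        elif tok[0] == "static":
            # static (local_if,global_if) GLOBAL LOCAL netmask MASK ...
            statics[tok[2]] = tok[3]
    return conduits, statics


def matches(c, proto, dst, dport, src, sport):
    """True if conduit c covers the flow src:sport -> dst:dport over proto."""
    if c.proto not in ("ip", proto):
        return False
    if ipaddress.ip_address(dst) not in c.global_net:
        return False
    if ipaddress.ip_address(src) not in c.foreign_net:
        return False
    if c.global_port is not None and c.global_port != dport:
        return False
    if c.foreign_port is not None and c.foreign_port != sport:
        return False
    return True


def check_inbound(config_text, proto, dst, dport=None, src="198.51.100.7", sport=None):
    """Verdict for one inbound flow plus the conduit lines that matched it.

    Assumption: a matching deny outranks any permit regardless of order.
    """
    conduits, statics = parse_config(config_text)
    hits = [c for c in conduits if matches(c, proto, dst, dport, src, sport)]
    if any(c.action == "deny" for c in hits):
        verdict = "deny"
    elif hits:
        verdict = "permit"
    else:
        verdict = "deny (no conduit matches)"
    return {"verdict": verdict, "matched": [c.text for c in hits],
            "translates_to": statics.get(dst)}


if __name__ == "__main__":
    for proto, port in (("tcp", 22), ("tcp", 3389), ("icmp", None)):
        print(proto, port, check_inbound(SAMPLE_CONFIG, proto, "203.0.113.10", port))
```

Running it shows that, under these conduit semantics, tcp/22 to the global DMZ address is permitted by exactly one line and lands on the host the `static` maps it to; a port with no matching conduit (for example 3389 from the outside) is reported as denied. Note that the `any eq ftp` line only matches when a source port is supplied, so a scanner seeing "filtered" on 22 while this evaluator says "permit" points at something other than the conduit list (routing, the server itself, or an upstream filter).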
Author Comment

by:abcbev
ID: 33621332
Mittermueller, we and the other company are fine with just using the standard port 22.
Author Closing Comment

by:abcbev
ID: 33756367
Solved the problem on my own. Question activity was dead anyway.