
Cisco Pix - adding sftp 22

Posted on 2010-09-07
Last Modified: 2012-05-10
I need to allow incoming and outgoing sftp (port 22) traffic to my Cisco Pix Firewall (Version 4.2(3)).  The traffic only needs to go to our DMZ server, whose outside address is AA and inside address is BB.

I've tried going into "config t" and typing "conduit permit tcp host AA eq 22 any" but it gave an error message back.  I don't edit firewalls often so I've hit a brick wall so I thought I'd post here to the experts.  Thanks for the advice in advance.

Below is the config with a few AA's and BB's to protect the real IP addresses.  How and what do I need to add to allow sftp to the DMZ, incoming and outgoing?

fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address PER_2 0.0.0.0
pager lines 24
no logging console
logging monitor warnings
no logging buffered
no logging trap
logging facility 20
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 100basetx
ip address outside VV 255.255.255.240
ip address inside WW.1.9 255.255.0.0
ip address DMZ1 BB.1 255.255.255.0
ip address PER_2 WW.1.27 255.255.255.0
arp timeout 14400
global (outside) 1 UU-UU netmask 255.255.255.240
nat (inside) 10 255.255.0.0 255.255.0.0 0 0
nat (inside) 10 255.255.255.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XX WW.1.10 netmask 255.255.255.255 0 0
static (inside,DMZ1) WW.1.0 WW.1.0 netmask 255.255.255.0 0 0
static (DMZ1,outside) AA BB.14 netmask 255.255.255.255 0 0
static (inside,DMZ1) WW.0.0 WW.0.0 netmask 255.255.0.0 0 0
conduit permit tcp UU 255.255.255.240 any eq ftp
conduit permit tcp host UU eq ftp any
conduit permit icmp host AA any
conduit permit tcp WW.0.0 255.255.0.0 eq WW.1w host BB.14
conduit permit tcp WW.0.0 255.255.0.0 eq 443 host BB.14
conduit permit tcp host AA eq WW.1w any
conduit permit icmp any any
conduit permit tcp WW.0.0 255.255.0.0 eq 3389 host BB.14
conduit permit tcp host WW.1.11 any
conduit permit tcp host AA eq ftp any
conduit permit tcp host AA eq 443 any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip DMZ1 passive
no rip DMZ1 default
no rip PER_2 passive
no rip PER_2 default
route outside 0.0.0.0 0.0.0.0 ZZ 1
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet WW.1.75 255.255.255.255
telnet WW.1.0 255.255.255.0
telnet WW.0.0 255.255.0.0
telnet timeout 15
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu PER_2 1500
floodguard 1
Question by: abcbev

Expert Comment

by: Matt V
ID: 33620934
What was the error message?

Accepted Solution

by: mittermueller (earned 500 total points)
ID: 33620982
From Cisco site:
Q. Is SFTP supported through the PIX?

A. No. In a typical FTP connection, either the client or the server must tell the other what port to use for data transfer. The PIX is able to inspect this conversation and open that port. However, with SFTP this conversation is encrypted and the PIX is unable to determine what ports to open and the SFTP connection ultimately fails.

One possible workaround in this situation is to use an SFTP client that supports the use of a "clear data channel." With this option enabled, the PIX should be able to determine what port needs to be opened.

Author Comment

by: abcbev
ID: 33621052
I just tried in "config t" typing "conduit permit tcp host AA eq 22 any" and it worked (without the quotes).  I'm testing to see if the port is opened up once I can get to an external machine.  Should I need to add anything else so the DMZ server can have incoming and outgoing SFTP traffic (port 22)?

Author Comment

by: abcbev
ID: 33621128
My external IP tester says that 22 is filtered, 21 is open.  I must be missing something simple.  Is it maybe related to what mittermueller is saying above?  I see the "conduit permit tcp host (external DMZ address) eq 22 any", but there aren't any other conduit permit statements with a double-digit port; all have four-digit ports.

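The question's config is a flat list of static and conduit statements, so whether tcp/22 actually reaches the DMZ server from the outside can be checked mechanically rather than by guessing from an external port tester. The script below is an added example, not code from this thread: it parses the two statement types in the PIX 4.x syntax shown in the question and reports which TCP ports a conduit opens to any outside source for a given global address, using the question's placeholders AA and BB.14 in a constructed sample config.

```python
import re
# Added example, not from the thread. PIX 4.x conduit syntax as in the question:
#   conduit permit <proto> <dest> [eq <port>] <src>   (addr = host X | X MASK | any)
# <dest> is the *global* (outside) address, so the DMZ server is reachable from
# "any" only on the ports a conduit names for the global address of its static.
PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "www": 80, "https": 443}
# Constructed sample modelled on the redacted config in the question
# (AA = global address of the DMZ server, BB.14 = its real DMZ address).
SAMPLE = """\
static (DMZ1,outside) AA BB.14 netmask 255.255.255.255 0 0
conduit permit tcp host AA eq ftp any
conduit permit tcp host AA eq 443 any
conduit permit tcp WW.0.0 255.255.0.0 eq 3389 host BB.14
"""

def _addr(tok):  # consume one address spec -> (spec, remaining tokens)
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    return (tok[0], tok[1]), tok[2:]      # network + mask

def statics(config):  # global address -> (interface, real address)
    pat = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask")
    found = (pat.match(l.strip()) for l in config.splitlines())
    return {m.group(3): (m.group(1), m.group(4)) for m in found if m}

def exposed_tcp_ports(config, global_ip):
    # TCP ports "any" may reach on global_ip; a conduit with no "eq" opens "all".
    ports = set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] != ["conduit", "permit", "tcp"]:
            continue
        dest, rest = _addr(tok[3:])
        port = "all"
        if rest and rest[0] == "eq":
            p, rest = rest[1], rest[2:]
            port = int(p) if p.isdigit() else PORT_NAMES.get(p, p)
        if dest == global_ip and rest and _addr(rest)[0] == "any":
            ports.add(port)
    return ports

def sftp_checklist(config, global_ip):
    # What the question needs: a static for the host plus a conduit for tcp/22.
    missing = []
    if global_ip not in statics(config):
        missing.append("no static translation for " + global_ip)
    if not {22, "all"} & exposed_tcp_ports(config, global_ip):
        missing.append("no conduit for tcp/22 to " + global_ip)
    return missing
```

Running sftp_checklist(SAMPLE, "AA") reports only the missing tcp/22 conduit; appending the exact line from the question ("conduit permit tcp host AA eq 22 any") clears it, and the same function also flags a conduit with no "eq", which exposes every port on that host.
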
Author Comment

by: abcbev
ID: 33621332
Mittermueller, we and the other company are fine with just using the standard port 22.

Author Closing Comment

by: abcbev
ID: 33756367
Solved the problem on my own.  Question activity was dead anyways.