Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cisco Pix port 22

Posted on 2011-09-13
11
Medium Priority
?
683 Views
Last Modified: 2012-05-12
I need to open up port 22 on our Cisco Pix firewall.  Here is the commands that I have put in but the vendor says he still can't putty into it.

access-list in_outside permit tcp any host 66.xxx.xx.xx eq ssh
static (inside,outside) 66.xxx.xx.xxx 192.168.50.19 netmask 255.255.255.255 0 0

Am I missing anything?
0
Comment
Question by:HBMI
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +2
11 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36529842
First, it would be wie to do: access-list in_outside permit tcp any host 66.xxx.xx.xx eq 22
Second, did you also apllied: access-group in_outside in interface outside ?
0
 
LVL 25

Expert Comment

by:Ken Boone
ID: 36529900
Is the vendor trying to ssh into the pix itself or to a device that is inside the pix?

I am guessing based on the config that it is a device on the inside of the PIX and not the PIX itself.  If it is the PIX we have to do different things.

The one thing I would to Ernie's comment is that you should find out the public IP address that this vendor will be coming in from if at all possible and then update your ACL to include that as the source address.

i.e.

access-list in_outside permit tcp host x.x.x.x host y.y.y.y eq 22

or even the network he would be coming from

access-list in_outside permit tcp x.x.x.x 255.255.255.0 host y.y.y.y eq 22

This further locks things down and prevents others from trying a brute force attack on you.
0
 

Author Comment

by:HBMI
ID: 36529955
It is a device within our network.  I see what you’re saying with the security part but shouldn’t what I did allow them to get to their server that is inside our network?
0
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36529977
It should, if the access-group command is in place as well as I said. Otherwise could you show is a sanitized config?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36530112
Things to check:

1) do you have an access list on the inside interface
2) is the ssh server listening on port 22
3) does the ssh server also have a firewall?
4) check to see if the query is reaching the firewall and it allowed
      sh log | i IP.OF.SSH.SERVER

And it doesn't matter if you specify "eq ssh" or "eq 22" since that number is standard for ssh.
0
 

Author Comment

by:HBMI
ID: 36530498
Here is a copy of my config.  This external IP address that I am using is new and is not being used for anything else.  I have bolded and underlined the two changes that I made today to allow traffice for this new IP address.


PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password w75RP0QSey3ak6rf encrypted
passwd w75RP0QSey3ak6rf encrypted
hostname HillsandDalesPIX
domain-name hillsanddales.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip host 192.168.50.15 10.xx.x.x 255.255.255.0
access-list 101 permit ip host 192.168.50.116 host x.x.xx
access-list HMS permit ip host 192.168.50.15 10.x.x.x 255.255.255.0
access-list in_outside permit tcp any host 66.x.x.x eq smtp
access-list in_outside permit tcp any host 66.x.x.x eq https
access-list in_outside permit icmp any any
access-list in_outside permit tcp any host 66.x.x.x eq h323
access-list in_outside permit tcp any host 66.x.x.x eq https
access-list in_outside permit tcp any host 66.x.x.x eq www
access-list in_outside permit tcp any host 66.x.x.x eq 8080
access-list in_outside permit tcp any host 66.x.x.x eq www
access-list in_outside permit tcp any host 66.xx.x.x eq https
access-list in_outside permit tcp any host 66.x.x.x eq www
access-list in_outside permit tcp any host 66.x.x.x eq pop3
access-list in_outside permit tcp any host 66.xxx.xx.xx eq sshpager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.xx 255.255.255.248
ip address inside 192.168.50.xx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 66.xx.xx.xx
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.xx.xx.xx pop3 192.168.50.11 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xx.xx.xx smtp 192.168.51.248 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xx.xx https 192.168.50.11 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xx.xx www 192.168.50.11 www netmask 255.255.255.255 0 0
static (inside,outside) 66. xxx.xx.xx 192.168.50.108 netmask 255.255.255.255 0 0
static (inside,outside) 66. xxx.xx.xx 192.168.50.7 netmask 255.255.255.255 0 0
static (inside,outside) 66.xxx.xx.xx 192.168.50.19 netmask 255.255.255.255 0 0
access-group in_outside in interface outside
route outside 0.0.0.0 0.0.0.0 66.188.39.97 1
route inside 192.168.30.0 255.255.255.128 192.168.50.1 1
route inside 192.168.30.128 255.255.255.128 192.168.50.1 1
route inside 192.168.49.0 255.255.255.0 192.168.50.1 1
route inside 192.168.51.0 255.255.255.0 192.168.50.1 1
route inside 192.168.53.0 255.255.255.0 192.168.50.1 1
route inside 192.168.60.0 255.255.255.0 192.168.50.1 1
route inside 192.168.65.0 255.255.255.128 192.168.50.1 1
route inside 192.168.65.128 255.255.255.128 192.168.50.1 1
route inside 192.168.66.0 255.255.255.0 192.168.50.1 1
route inside 192.168.81.0 255.255.255.128 192.168.50.1 1
route inside 192.168.81.128 255.255.255.128 192.168.50.1 1
route inside 192.168.90.0 255.255.255.0 192.168.50.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server host inside 192.168.50.21
snmp-server host inside 192.168.50.22
no snmp-server location
no snmp-server contact
snmp-server community WeloveHP!
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set BCBSMVPN esp-3des esp-sha-hmac
crypto ipsec transform-set HMSVPN esp-3des esp-md5-hmac
crypto map BcbsmMap 10 ipsec-isakmp
crypto map BcbsmMap 10 set peer 167.242.50.1
crypto map BcbsmMap 10 set transform-set BCBSMVPN
! Incomplete
crypto map BcbsmMap 20 ipsec-isakmp
crypto map BcbsmMap 20 match address HMS
crypto map BcbsmMap 20 set peer 216.84.135.3
crypto map BcbsmMap 20 set transform-set HMSVPN
crypto map BcbsmMap interface outside
isakmp enable outside
isakmp key ******** address 167. xxx.xx.xx netmask 255.255.255.255
isakmp key ******** address 216. xxx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.50.253 255.255.255.255 inside
telnet 192.168.50.248 255.255.255.255 inside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 10
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
terminal width 90
Cryptochecksum:18f3c09a87bb493b9841736ae1f92c80
: end
HillsandDalesPIX#
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36530593
From the inside, can you ssh to the server in question?

What do the PIX logs say?
0
 

Author Comment

by:HBMI
ID: 36530671
Yes I can
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36530716
What do the PIX logs say relevant to that access-list entry?
0
 
LVL 8

Accepted Solution

by:
gsmartin earned 2000 total points
ID: 36550857
According to your ACL you are allowing TCP via port 22.  SSH also supports UDP.  Putty supports UDP over SSH tunneling.  I would recommend enabling UDP for SSH (port 22), also.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36550896
That's not the problem.  

What do the PIX logs say after a connection attempt?
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question