Cisco Pix port 22
I need to open up port 22 on our Cisco Pix firewall. Here is the commands that I have put in but the vendor says he still can't putty into it.
access-list in_outside permit tcp any host 66.xxx.xx.xx eq ssh
static (inside,outside) 66.xxx.xx.xxx 192.168.50.19 netmask 255.255.255.255 0 0
Am I missing anything?
access-list in_outside permit tcp any host 66.xxx.xx.xx eq ssh
static (inside,outside) 66.xxx.xx.xxx 192.168.50.19 netmask 255.255.255.255 0 0
Am I missing anything?
Is the vendor trying to ssh into the pix itself or to a device that is inside the pix?
I am guessing based on the config that it is a device on the inside of the PIX and not the PIX itself. If it is the PIX we have to do different things.
The one thing I would to Ernie's comment is that you should find out the public IP address that this vendor will be coming in from if at all possible and then update your ACL to include that as the source address.
i.e.
access-list in_outside permit tcp host x.x.x.x host y.y.y.y eq 22
or even the network he would be coming from
access-list in_outside permit tcp x.x.x.x 255.255.255.0 host y.y.y.y eq 22
This further locks things down and prevents others from trying a brute force attack on you.
I am guessing based on the config that it is a device on the inside of the PIX and not the PIX itself. If it is the PIX we have to do different things.
The one thing I would to Ernie's comment is that you should find out the public IP address that this vendor will be coming in from if at all possible and then update your ACL to include that as the source address.
i.e.
access-list in_outside permit tcp host x.x.x.x host y.y.y.y eq 22
or even the network he would be coming from
access-list in_outside permit tcp x.x.x.x 255.255.255.0 host y.y.y.y eq 22
This further locks things down and prevents others from trying a brute force attack on you.
ASKER
It is a device within our network. I see what you’re saying with the security part but shouldn’t what I did allow them to get to their server that is inside our network?
It should, if the access-group command is in place as well as I said. Otherwise could you show is a sanitized config?
Things to check:
1) do you have an access list on the inside interface
2) is the ssh server listening on port 22
3) does the ssh server also have a firewall?
4) check to see if the query is reaching the firewall and it allowed
sh log | i IP.OF.SSH.SERVER
And it doesn't matter if you specify "eq ssh" or "eq 22" since that number is standard for ssh.
1) do you have an access list on the inside interface
2) is the ssh server listening on port 22
3) does the ssh server also have a firewall?
4) check to see if the query is reaching the firewall and it allowed
sh log | i IP.OF.SSH.SERVER
And it doesn't matter if you specify "eq ssh" or "eq 22" since that number is standard for ssh.
ASKER
Here is a copy of my config. This external IP address that I am using is new and is not being used for anything else. I have bolded and underlined the two changes that I made today to allow traffice for this new IP address.
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password w75RP0QSey3ak6rf encrypted
passwd w75RP0QSey3ak6rf encrypted
hostname HillsandDalesPIX
domain-name hillsanddales.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip host 192.168.50.15 10.xx.x.x 255.255.255.0
access-list 101 permit ip host 192.168.50.116 host x.x.xx
access-list HMS permit ip host 192.168.50.15 10.x.x.x 255.255.255.0
access-list in_outside permit tcp any host 66.x.x.x eq smtp
access-list in_outside permit tcp any host 66.x.x.x eq https
access-list in_outside permit icmp any any
access-list in_outside permit tcp any host 66.x.x.x eq h323
access-list in_outside permit tcp any host 66.x.x.x eq https
access-list in_outside permit tcp any host 66.x.x.x eq www
access-list in_outside permit tcp any host 66.x.x.x eq 8080
access-list in_outside permit tcp any host 66.x.x.x eq www
access-list in_outside permit tcp any host 66.xx.x.x eq https
access-list in_outside permit tcp any host 66.x.x.x eq www
access-list in_outside permit tcp any host 66.x.x.x eq pop3
access-list in_outside permit tcp any host 66.xxx.xx.xx eq sshpager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.xx 255.255.255.248
ip address inside 192.168.50.xx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 66.xx.xx.xx
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.xx.xx.xx pop3 192.168.50.11 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xx.xx.xx smtp 192.168.51.248 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xx.xx https 192.168.50.11 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xx.xx www 192.168.50.11 www netmask 255.255.255.255 0 0
static (inside,outside) 66. xxx.xx.xx 192.168.50.108 netmask 255.255.255.255 0 0
static (inside,outside) 66. xxx.xx.xx 192.168.50.7 netmask 255.255.255.255 0 0
static (inside,outside) 66.xxx.xx.xx 192.168.50.19 netmask 255.255.255.255 0 0
access-group in_outside in interface outside
route outside 0.0.0.0 0.0.0.0 66.188.39.97 1
route inside 192.168.30.0 255.255.255.128 192.168.50.1 1
route inside 192.168.30.128 255.255.255.128 192.168.50.1 1
route inside 192.168.49.0 255.255.255.0 192.168.50.1 1
route inside 192.168.51.0 255.255.255.0 192.168.50.1 1
route inside 192.168.53.0 255.255.255.0 192.168.50.1 1
route inside 192.168.60.0 255.255.255.0 192.168.50.1 1
route inside 192.168.65.0 255.255.255.128 192.168.50.1 1
route inside 192.168.65.128 255.255.255.128 192.168.50.1 1
route inside 192.168.66.0 255.255.255.0 192.168.50.1 1
route inside 192.168.81.0 255.255.255.128 192.168.50.1 1
route inside 192.168.81.128 255.255.255.128 192.168.50.1 1
route inside 192.168.90.0 255.255.255.0 192.168.50.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server host inside 192.168.50.21
snmp-server host inside 192.168.50.22
no snmp-server location
no snmp-server contact
snmp-server community WeloveHP!
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set BCBSMVPN esp-3des esp-sha-hmac
crypto ipsec transform-set HMSVPN esp-3des esp-md5-hmac
crypto map BcbsmMap 10 ipsec-isakmp
crypto map BcbsmMap 10 set peer 167.242.50.1
crypto map BcbsmMap 10 set transform-set BCBSMVPN
! Incomplete
crypto map BcbsmMap 20 ipsec-isakmp
crypto map BcbsmMap 20 match address HMS
crypto map BcbsmMap 20 set peer 216.84.135.3
crypto map BcbsmMap 20 set transform-set HMSVPN
crypto map BcbsmMap interface outside
isakmp enable outside
isakmp key ******** address 167. xxx.xx.xx netmask 255.255.255.255
isakmp key ******** address 216. xxx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.50.253 255.255.255.255 inside
telnet 192.168.50.248 255.255.255.255 inside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 10
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
terminal width 90
Cryptochecksum:18f3c09a87b
: end
HillsandDalesPIX#
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password w75RP0QSey3ak6rf encrypted
passwd w75RP0QSey3ak6rf encrypted
hostname HillsandDalesPIX
domain-name hillsanddales.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip host 192.168.50.15 10.xx.x.x 255.255.255.0
access-list 101 permit ip host 192.168.50.116 host x.x.xx
access-list HMS permit ip host 192.168.50.15 10.x.x.x 255.255.255.0
access-list in_outside permit tcp any host 66.x.x.x eq smtp
access-list in_outside permit tcp any host 66.x.x.x eq https
access-list in_outside permit icmp any any
access-list in_outside permit tcp any host 66.x.x.x eq h323
access-list in_outside permit tcp any host 66.x.x.x eq https
access-list in_outside permit tcp any host 66.x.x.x eq www
access-list in_outside permit tcp any host 66.x.x.x eq 8080
access-list in_outside permit tcp any host 66.x.x.x eq www
access-list in_outside permit tcp any host 66.xx.x.x eq https
access-list in_outside permit tcp any host 66.x.x.x eq www
access-list in_outside permit tcp any host 66.x.x.x eq pop3
access-list in_outside permit tcp any host 66.xxx.xx.xx eq sshpager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.xx 255.255.255.248
ip address inside 192.168.50.xx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 66.xx.xx.xx
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.xx.xx.xx pop3 192.168.50.11 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xx.xx.xx smtp 192.168.51.248 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xx.xx https 192.168.50.11 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xx.xx www 192.168.50.11 www netmask 255.255.255.255 0 0
static (inside,outside) 66. xxx.xx.xx 192.168.50.108 netmask 255.255.255.255 0 0
static (inside,outside) 66. xxx.xx.xx 192.168.50.7 netmask 255.255.255.255 0 0
static (inside,outside) 66.xxx.xx.xx 192.168.50.19 netmask 255.255.255.255 0 0
access-group in_outside in interface outside
route outside 0.0.0.0 0.0.0.0 66.188.39.97 1
route inside 192.168.30.0 255.255.255.128 192.168.50.1 1
route inside 192.168.30.128 255.255.255.128 192.168.50.1 1
route inside 192.168.49.0 255.255.255.0 192.168.50.1 1
route inside 192.168.51.0 255.255.255.0 192.168.50.1 1
route inside 192.168.53.0 255.255.255.0 192.168.50.1 1
route inside 192.168.60.0 255.255.255.0 192.168.50.1 1
route inside 192.168.65.0 255.255.255.128 192.168.50.1 1
route inside 192.168.65.128 255.255.255.128 192.168.50.1 1
route inside 192.168.66.0 255.255.255.0 192.168.50.1 1
route inside 192.168.81.0 255.255.255.128 192.168.50.1 1
route inside 192.168.81.128 255.255.255.128 192.168.50.1 1
route inside 192.168.90.0 255.255.255.0 192.168.50.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server host inside 192.168.50.21
snmp-server host inside 192.168.50.22
no snmp-server location
no snmp-server contact
snmp-server community WeloveHP!
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set BCBSMVPN esp-3des esp-sha-hmac
crypto ipsec transform-set HMSVPN esp-3des esp-md5-hmac
crypto map BcbsmMap 10 ipsec-isakmp
crypto map BcbsmMap 10 set peer 167.242.50.1
crypto map BcbsmMap 10 set transform-set BCBSMVPN
! Incomplete
crypto map BcbsmMap 20 ipsec-isakmp
crypto map BcbsmMap 20 match address HMS
crypto map BcbsmMap 20 set peer 216.84.135.3
crypto map BcbsmMap 20 set transform-set HMSVPN
crypto map BcbsmMap interface outside
isakmp enable outside
isakmp key ******** address 167. xxx.xx.xx netmask 255.255.255.255
isakmp key ******** address 216. xxx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.50.253 255.255.255.255 inside
telnet 192.168.50.248 255.255.255.255 inside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 10
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
terminal width 90
Cryptochecksum:18f3c09a87b
: end
HillsandDalesPIX#
From the inside, can you ssh to the server in question?
What do the PIX logs say?
What do the PIX logs say?
ASKER
Yes I can
What do the PIX logs say relevant to that access-list entry?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
That's not the problem.
What do the PIX logs say after a connection attempt?
What do the PIX logs say after a connection attempt?
Second, did you also apllied: access-group in_outside in interface outside ?