Solved

Cisco Pix port 22

Posted on 2011-09-13
11
621 Views
Last Modified: 2012-05-12
I need to open up port 22 on our Cisco Pix firewall.  Here is the commands that I have put in but the vendor says he still can't putty into it.

access-list in_outside permit tcp any host 66.xxx.xx.xx eq ssh
static (inside,outside) 66.xxx.xx.xxx 192.168.50.19 netmask 255.255.255.255 0 0

Am I missing anything?
0
Comment
Question by:HBMI
  • 4
  • 3
  • 2
  • +2
11 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36529842
First, it would be wie to do: access-list in_outside permit tcp any host 66.xxx.xx.xx eq 22
Second, did you also apllied: access-group in_outside in interface outside ?
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 36529900
Is the vendor trying to ssh into the pix itself or to a device that is inside the pix?

I am guessing based on the config that it is a device on the inside of the PIX and not the PIX itself.  If it is the PIX we have to do different things.

The one thing I would to Ernie's comment is that you should find out the public IP address that this vendor will be coming in from if at all possible and then update your ACL to include that as the source address.

i.e.

access-list in_outside permit tcp host x.x.x.x host y.y.y.y eq 22

or even the network he would be coming from

access-list in_outside permit tcp x.x.x.x 255.255.255.0 host y.y.y.y eq 22

This further locks things down and prevents others from trying a brute force attack on you.
0
 

Author Comment

by:HBMI
ID: 36529955
It is a device within our network.  I see what you’re saying with the security part but shouldn’t what I did allow them to get to their server that is inside our network?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36529977
It should, if the access-group command is in place as well as I said. Otherwise could you show is a sanitized config?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 36530112
Things to check:

1) do you have an access list on the inside interface
2) is the ssh server listening on port 22
3) does the ssh server also have a firewall?
4) check to see if the query is reaching the firewall and it allowed
      sh log | i IP.OF.SSH.SERVER

And it doesn't matter if you specify "eq ssh" or "eq 22" since that number is standard for ssh.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 

Author Comment

by:HBMI
ID: 36530498
Here is a copy of my config.  This external IP address that I am using is new and is not being used for anything else.  I have bolded and underlined the two changes that I made today to allow traffice for this new IP address.


PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password w75RP0QSey3ak6rf encrypted
passwd w75RP0QSey3ak6rf encrypted
hostname HillsandDalesPIX
domain-name hillsanddales.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip host 192.168.50.15 10.xx.x.x 255.255.255.0
access-list 101 permit ip host 192.168.50.116 host x.x.xx
access-list HMS permit ip host 192.168.50.15 10.x.x.x 255.255.255.0
access-list in_outside permit tcp any host 66.x.x.x eq smtp
access-list in_outside permit tcp any host 66.x.x.x eq https
access-list in_outside permit icmp any any
access-list in_outside permit tcp any host 66.x.x.x eq h323
access-list in_outside permit tcp any host 66.x.x.x eq https
access-list in_outside permit tcp any host 66.x.x.x eq www
access-list in_outside permit tcp any host 66.x.x.x eq 8080
access-list in_outside permit tcp any host 66.x.x.x eq www
access-list in_outside permit tcp any host 66.xx.x.x eq https
access-list in_outside permit tcp any host 66.x.x.x eq www
access-list in_outside permit tcp any host 66.x.x.x eq pop3
access-list in_outside permit tcp any host 66.xxx.xx.xx eq sshpager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.xx 255.255.255.248
ip address inside 192.168.50.xx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 66.xx.xx.xx
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.xx.xx.xx pop3 192.168.50.11 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xx.xx.xx smtp 192.168.51.248 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xx.xx https 192.168.50.11 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xx.xx www 192.168.50.11 www netmask 255.255.255.255 0 0
static (inside,outside) 66. xxx.xx.xx 192.168.50.108 netmask 255.255.255.255 0 0
static (inside,outside) 66. xxx.xx.xx 192.168.50.7 netmask 255.255.255.255 0 0
static (inside,outside) 66.xxx.xx.xx 192.168.50.19 netmask 255.255.255.255 0 0
access-group in_outside in interface outside
route outside 0.0.0.0 0.0.0.0 66.188.39.97 1
route inside 192.168.30.0 255.255.255.128 192.168.50.1 1
route inside 192.168.30.128 255.255.255.128 192.168.50.1 1
route inside 192.168.49.0 255.255.255.0 192.168.50.1 1
route inside 192.168.51.0 255.255.255.0 192.168.50.1 1
route inside 192.168.53.0 255.255.255.0 192.168.50.1 1
route inside 192.168.60.0 255.255.255.0 192.168.50.1 1
route inside 192.168.65.0 255.255.255.128 192.168.50.1 1
route inside 192.168.65.128 255.255.255.128 192.168.50.1 1
route inside 192.168.66.0 255.255.255.0 192.168.50.1 1
route inside 192.168.81.0 255.255.255.128 192.168.50.1 1
route inside 192.168.81.128 255.255.255.128 192.168.50.1 1
route inside 192.168.90.0 255.255.255.0 192.168.50.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server host inside 192.168.50.21
snmp-server host inside 192.168.50.22
no snmp-server location
no snmp-server contact
snmp-server community WeloveHP!
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set BCBSMVPN esp-3des esp-sha-hmac
crypto ipsec transform-set HMSVPN esp-3des esp-md5-hmac
crypto map BcbsmMap 10 ipsec-isakmp
crypto map BcbsmMap 10 set peer 167.242.50.1
crypto map BcbsmMap 10 set transform-set BCBSMVPN
! Incomplete
crypto map BcbsmMap 20 ipsec-isakmp
crypto map BcbsmMap 20 match address HMS
crypto map BcbsmMap 20 set peer 216.84.135.3
crypto map BcbsmMap 20 set transform-set HMSVPN
crypto map BcbsmMap interface outside
isakmp enable outside
isakmp key ******** address 167. xxx.xx.xx netmask 255.255.255.255
isakmp key ******** address 216. xxx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.50.253 255.255.255.255 inside
telnet 192.168.50.248 255.255.255.255 inside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 10
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
terminal width 90
Cryptochecksum:18f3c09a87bb493b9841736ae1f92c80
: end
HillsandDalesPIX#
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 36530593
From the inside, can you ssh to the server in question?

What do the PIX logs say?
0
 

Author Comment

by:HBMI
ID: 36530671
Yes I can
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 36530716
What do the PIX logs say relevant to that access-list entry?
0
 
LVL 8

Accepted Solution

by:
gsmartin earned 500 total points
ID: 36550857
According to your ACL you are allowing TCP via port 22.  SSH also supports UDP.  Putty supports UDP over SSH tunneling.  I would recommend enabling UDP for SSH (port 22), also.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 36550896
That's not the problem.  

What do the PIX logs say after a connection attempt?
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Cisco 2960 PACL 9 37
Use Cisco IP phone with Avaya IP office 3 28
CCNA Data center exam questions 8 26
EIGRP Configuration 2 16
Secure Shell (SSH) is a network protocol for secure data communication, mainly used to administer remote Unix / Linux servers via command line. But it also allows the user to open a secure tunnel between a client and a server where he can send any k…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now