inbound ssh thru pix 515 v 6.3 problems

I'm trying to set up a pix so some of our after-hours folks can ssh
their network from their houses. As you may have guessed, it's not
working. And it's probably easy and obvious, but my brain is mush by
So if some kind soul could help out...

setup is pub internet via dsl (static ip) into a nexlan turbo400 NAT
box (don't ask), then to 'outside' on a PIX 515 running 6.3, 'inside'
on the pix going to an openbsd box running ssh, which will then be
used to proxy to wherever the dear user needs to go...

[pub internet DSL] -> [nexlan turbo 400] -> -> -> [pix outside] ->

[pix inside] -> -> [openbsd]

Clear as mud?

Trouble is, when I ssh into our static ip (x.y.z.a), it waits a bit,
then times out.

The pix log (below) shows the translation being set up, but the
openbsd log (with sshd debugging set on debug3) shows nothing.

I can ssh into the outside nic of the openbsd box if I'm directly
connected to it.

I've also connected the pix 'outside' directly to the dsl, removing the
nexlan 400, and changed the appropriate statements on the pix, but still
get the same symptoms.

Here are the details. Obviously, IPs and other stuff have been altered.
Any ideas?

<at home>: ssh (E-Mail Removed)

Pix log shows:

Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 970 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled

111008: User 'enable_15' executed the 'clear logging' command.
305011: Built static TCP translation from inside: to

302013: Built inbound TCP connection 8 for outside:
( to inside: (

302014: Teardown TCP connection 8 for outside: to
inside: duration 0:02:01 bytes 0 SYN Timeout

305012: Teardown static TCP translation from inside: to
outside: duration 0:02:06

----------end log

The is my dynamically assigned ip at home.

openbsd box shows no entries at all for this time period.

pix config:

relevant static, access-list, access-group ***'ed

: Saved
: Written by enable_15 at 14:13:04.483 UTC Mon Feb 23 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Nxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list ssh-in permit tcp any interface outside ******
no pager
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm logging debugging 512
pdm history enable
arp timeout 14400
static (inside,outside) tcp interface ssh ssh netmask 0 0 ******
access-group ssh-in in interface outside ******
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server enable traps
floodguard enable
telnet timeout 5
console timeout 0
terminal width 80
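The two PIX messages in the log above tell the whole story on their own: 302013 says the firewall accepted the inbound SYN and built a connection, and the matching 302014 says it tore that connection down after roughly two minutes with "bytes 0 SYN Timeout", which means the PIX never saw the handshake complete from the inside host. Pairing build and teardown messages by connection id is a quick way to separate "the inside host never answered" from "the session ran and closed normally". The following script is an added example, not code from the thread: it parses constructed sample lines in the 302013/302014 format (the addresses are documentation ranges, not real hosts) and classifies each connection.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the PIX 6.3 syslog shape seen in the thread
# (message ids 302013 / 302014). Addresses are documentation ranges.
# Connection 8 mirrors the thread: built, then torn down with 0 bytes
# and "SYN Timeout". Connection 9 is a normal session; 10 is still open.
SAMPLE_LOG = """\
302013: Built inbound TCP connection 8 for outside:203.0.113.45/51234 (203.0.113.45/51234) to inside:192.168.10.5/22 (198.51.100.7/22)
302014: Teardown TCP connection 8 for outside:203.0.113.45/51234 to inside:192.168.10.5/22 duration 0:02:01 bytes 0 SYN Timeout
302013: Built inbound TCP connection 9 for outside:203.0.113.45/51300 (203.0.113.45/51300) to inside:192.168.10.5/22 (198.51.100.7/22)
302014: Teardown TCP connection 9 for outside:203.0.113.45/51300 to inside:192.168.10.5/22 duration 0:10:13 bytes 48211 TCP FINs
302013: Built inbound TCP connection 10 for outside:203.0.113.99/40001 (203.0.113.99/40001) to inside:192.168.10.5/22 (198.51.100.7/22)
"""

# 302013: real (pre-NAT) addresses first, mapped addresses in parentheses.
BUILT_RE = re.compile(
    r"302013: Built inbound TCP connection (?P<id>\d+) for "
    r"outside:(?P<src>[\d.]+/\d+) \([\d./]+\) to "
    r"inside:(?P<dst>[\d.]+/\d+) \((?P<mapped>[\d./]+)\)"
)
# 302014: duration, byte count and the teardown reason at end of line.
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<id>\d+) for outside:(?P<src>[\d.]+/\d+) to "
    r"inside:(?P<dst>[\d.]+/\d+) duration (?P<dur>\d+:\d{2}:\d{2}) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


@dataclass
class Conn:
    conn_id: int
    src: str
    dst: str
    mapped: str
    byte_count: Optional[int] = None
    duration: Optional[str] = None
    reason: Optional[str] = None


def parse_pix_log(text: str) -> Dict[int, Conn]:
    """Pair 302013 build and 302014 teardown messages by connection id."""
    conns: Dict[int, Conn] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = BUILT_RE.search(line)
        if m:
            cid = int(m.group("id"))
            conns[cid] = Conn(cid, m.group("src"), m.group("dst"), m.group("mapped"))
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            cid = int(m.group("id"))
            # A teardown without a seen build still gets recorded (log may be truncated).
            c = conns.setdefault(cid, Conn(cid, m.group("src"), m.group("dst"), "?"))
            c.byte_count = int(m.group("bytes"))
            c.duration = m.group("dur")
            c.reason = m.group("reason").strip()
    return conns


def classify(c: Conn) -> str:
    """Turn a connection record into a troubleshooting verdict."""
    if c.reason is None:
        return "open"                     # built, no teardown yet
    if c.reason == "SYN Timeout" and c.byte_count == 0:
        return "no-reply-from-inside"     # PIX forwarded the SYN, handshake never finished
    if c.byte_count and c.byte_count > 0:
        return "completed"                # data flowed; the path works
    return "other-teardown"


def summarize(text: str) -> Dict[str, List[int]]:
    """Group connection ids by verdict so a log of hundreds of lines reads at a glance."""
    out: Dict[str, List[int]] = {}
    for cid, c in sorted(parse_pix_log(text).items()):
        out.setdefault(classify(c), []).append(cid)
    return out


if __name__ == "__main__":
    for verdict, ids in summarize(SAMPLE_LOG).items():
        print(f"{verdict:22s} {ids}")
```

A "no-reply-from-inside" verdict points away from the access-list (the PIX already permitted and translated the packet) and toward the inside host or the return path: the server not listening, a default route that does not point back at the PIX, or a missing translation for the return traffic.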
Walter Roberson
In article <(E-Mail Removed)> ,
scada <(E-Mail Removed)> wrote:
:I'm trying to set up a pix so some of our after-hours folks can ssh
:their network from their houses.

:PIX Version 6.3(3)

:static (inside,outside) tcp interface ssh ssh netmask 0 0 ******

You don't have any 'nat'. You might be running into a bug in that
regards. Try configuring

nat (inside) 1 0 0
global (outside) 1 interface

Also, try

clear xlate

before and after you do the above.
Most Windows users will run any old attachment you send them, so if
you want to implicate someone you can just send them a Trojan
-- Adam Langley