inbound ssh thru pix 515 v 6.3 problems

Discussion in 'Cisco' started by scada, Feb 24, 2004.

  1. scada

    scada Guest

    I'm trying to set up a pix so some of our after-hours folks can ssh into
    their network from their houses. As you may have guessed, it's not
    working. And it's probably easy and obvious, but my brain is mush by now.
    So if some kind soul could help out...

    setup is pub internet via dsl (static ip) into a nexlan turbo400 NAT
    box (don't ask), then to 'outside' on a PIX 515 running 6.3, 'inside'
    on the pix going to an openbsd box running ssh, which will then be
    used to proxy to wherever the dear user needs to go...

    [pub internet DSL: x.y.z.a] -> [nexlan turbo 400: 192.168.0.1] -> [pix outside: 192.168.0.201]

    [pix inside: 192.168.12.2/29] -> [openbsd: 192.168.12.3/29]

    Clear as mud?

    Trouble is, when I ssh into our static ip (x.y.z.a), it waits a bit,
    then times out.

    The pix log (below) shows the translation being set up, but the
    openbsd log (with sshd debugging set on debug3) shows nothing.

    I can ssh into the outside nic of the openbsd box if I'm directly
    connected to it.

    I've also connected the pix 'outside' directly to the dsl, removing the
    nexlan 400, and changed the appropriate statements on the pix, but still
    get the same symptoms.

    Here are the details. Obviously, IPs and other stuff have been altered.
    Any ideas?


    <at home>: ssh

    Pix log shows:

    Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 970 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled

    111008: User 'enable_15' executed the 'clear logging' command.
    305011: Built static TCP translation from inside:192.168.12.3/22 to outside:192.168.0.201/22

    302013: Built inbound TCP connection 8 for outside:207.14.41.171/40328 (207.14.41.171/40328) to inside:192.168.12.3/22 (192.168.0.201/22)

    302014: Teardown TCP connection 8 for outside:207.14.41.171/40328 to inside:192.168.12.3/22 duration 0:02:01 bytes 0 SYN Timeout

    305012: Teardown static TCP translation from inside:192.168.12.3/22 to outside:192.168.0.201/22 duration 0:02:06


    ----------end log

    The 207.14.41.171 is my dynamically assigned ip at home.

    openbsd box shows no entries at all for this time period.

    pix config:

    relevant static, access-list, access-group ***'ed

    : Saved
    : Written by enable_15 at 14:13:04.483 UTC Mon Feb 23 2004
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password Nxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxx encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list ssh-in permit tcp any interface outside ******
    no pager
    logging on
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.0.201 255.255.255.0
    ip address inside 192.168.12.2 255.255.255.248
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 10.70.1.176 255.255.255.255 inside
    pdm logging debugging 512
    pdm history enable
    arp timeout 14400
    static (inside,outside) tcp interface ssh 192.168.12.3 ssh netmask 255.255.255.255 0 0 ******
    access-group ssh-in in interface outside ******
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:zoopewhoo
     
    scada, Feb 24, 2004
    #1

  2. In article <>,
    scada <> wrote:
    :I'm trying to set up a pix so some of our after-hours folks can ssh
    :into
    :their network from their houses.

    :PIX Version 6.3(3)

    :static (inside,outside) tcp interface ssh 192.168.12.3 ssh netmask 255.255.255.255 0 0 ******

    You don't have any 'nat'. You might be running into a bug in that
    regards. Try configuring

    nat (inside) 1 192.168.12.0 255.255.255.0 0 0
    global (outside) 1 interface

    Also, try

    clear xlate

    before and after you do the above.
    --
    Most Windows users will run any old attachment you send them, so if
    you want to implicate someone you can just send them a Trojan
    -- Adam Langley
     
    Walter Roberson, Feb 24, 2004
    #2
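An added example, not from the thread or from either poster, that turns the reasoning in the two posts into a check one can run over a PIX buffer log. It pairs the 302013 (built) and 302014 (teardown) messages by connection id and flags inbound connections torn down with "SYN Timeout" and zero bytes: that combination means the static and the access-list both matched (otherwise no 302013 would exist) and the PIX forwarded the SYN, but no SYN/ACK ever came back from the inside host, so the fault lies on the inside leg rather than in the outside ACL. The sample log is the original poster's five lines rejoined onto single lines, plus one constructed healthy connection for contrast; the regular expressions assume the 6.3 message formats shown in the post and accept an optional `%PIX-n-` syslog prefix.

```python
import re

# Constructed sample: the five lines from the post above, rejoined onto single
# lines, followed by one constructed healthy connection (id 9) for contrast.
SAMPLE_LOG = """\
111008: User 'enable_15' executed the 'clear logging' command.
305011: Built static TCP translation from inside:192.168.12.3/22 to outside:192.168.0.201/22
302013: Built inbound TCP connection 8 for outside:207.14.41.171/40328 (207.14.41.171/40328) to inside:192.168.12.3/22 (192.168.0.201/22)
302014: Teardown TCP connection 8 for outside:207.14.41.171/40328 to inside:192.168.12.3/22 duration 0:02:01 bytes 0 SYN Timeout
305012: Teardown static TCP translation from inside:192.168.12.3/22 to outside:192.168.0.201/22 duration 0:02:06
302013: Built inbound TCP connection 9 for outside:207.14.41.171/40329 (207.14.41.171/40329) to inside:192.168.12.3/22 (192.168.0.201/22)
302014: Teardown TCP connection 9 for outside:207.14.41.171/40329 to inside:192.168.12.3/22 duration 0:05:10 bytes 4821 TCP FINs
"""

# Message formats as they appear in the post; the "%PIX-6-" prefix a real
# syslog feed carries is accepted but optional.
BUILT_RE = re.compile(
    r"(?:%PIX-\d-)?302013: Built (?P<direction>inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_map_ip>[\d.]+)/(?P<src_map_port>\d+)\) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_map_ip>[\d.]+)/(?P<dst_map_port>\d+)\)"
)
TEARDOWN_RE = re.compile(
    r"(?:%PIX-\d-)?302014: Teardown TCP connection (?P<cid>\d+) "
    r"for (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)"
)


def parse_connections(log_text):
    """Pair each 302013 line with its 302014 line by connection id.

    Returns {cid: dict} holding the built fields plus, once the teardown is
    seen, 'duration', 'bytes' (int) and 'reason'. Unrelated message ids
    (111008, 305011, 305012) are ignored.
    """
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[m.group("cid")] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            entry = conns.setdefault(d["cid"], {"cid": d["cid"], "direction": None})
            entry["duration"] = d["duration"]
            entry["bytes"] = int(d["bytes"])
            entry["reason"] = d["reason"].strip()
    return conns


def diagnose(conns):
    """Return [(cid, finding)] for inbound connections that never completed.

    'SYN Timeout' with 'bytes 0' means the firewall accepted and forwarded the
    SYN but saw no SYN/ACK from the inside host, so the outside ACL and the
    static are not the problem; the inside host or its return path is.
    """
    findings = []
    for cid, c in conns.items():
        if c.get("direction") != "inbound":
            continue
        if c.get("reason") == "SYN Timeout" and c.get("bytes") == 0:
            findings.append((cid, (
                "SYN from %s/%s to %s/%s (static-mapped to %s/%s) was forwarded "
                "but no SYN/ACK returned within %s; the ACL and static matched, so "
                "check that the inside host listens on %s/%s and routes replies "
                "back through the firewall's inside interface"
            ) % (c["src_ip"], c["src_port"], c["dst_map_ip"], c["dst_map_port"],
                 c["dst_ip"], c["dst_port"], c["duration"], c["dst_ip"], c["dst_port"])))
    return findings


if __name__ == "__main__":
    for cid, msg in diagnose(parse_connections(SAMPLE_LOG)):
        print("conn %s: %s" % (cid, msg))
```

Run against the poster's log, the script reports connection 8 only; the constructed connection 9, which moved bytes and closed with FINs, is left alone. The same pairing logic applies to a live `logging buffered debugging` dump or to syslog lines carrying the `%PIX-6-` prefix.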
