Ssh problem on a pix 501

Discussion in 'Cisco' started by Mr Ping, Dec 18, 2004.

  1. Mr Ping

    Mr Ping Guest

    Hi!

    I have a static (inside,outside) tcp interface ssh on a pix 501.
    Cisco PIX Firewall Version 6.3(4)
    Now I want to have ssh xxx.xxx.xxx.xxx 255.255.255.0 outside

    Is this possible to have a static and ssh open?
    If not, any suggestion to get it to work?


    //Jan
     
    Mr Ping, Dec 18, 2004
    #1

  2. Mr Ping

    PES Guest

    I don't think you will be able to accomplish this directly. You could,
    however, create an IPSec tunnel and use the management interface option
    to allow you to connect via ssh through the tunnel to the inside interface.
     
    PES, Dec 18, 2004
    #2

  3. Mr Ping

    Mr Ping Guest

    Thanks again PES.

    Ok.
    But is it possible to ssh to the pix from the outside, without an IPSec tunnel?

    //Jan
     
    Mr Ping, Dec 18, 2004
    #3
  4. :I have a static (inside,outside) tcp interface ssh on a pix 501.
    :Cisco PIX Firewall Version 6.3(4)
    :Now I want to have ssh xxx.xxx.xxx.xxx 255.255.255.0 outside

    :Is this possible to have a static and ssh open?

    Not while using the default ssh port (tcp 22) and
    using a single IP address.

    There are two ports that you cannot use static port
    forwarding for using 'interface': ssh and 1467 (I think it is).
    The PIX *always* considers those two ports to be traffic
    destined to the PIX rather than traffic -through- the PIX.

    You can, though, use

    static (inside, outside) tcp interface 2222 xxx.xxx.xxx.xxx 22 netmask 255.255.255.255

    Then to reach your inside system, tell your ssh client to connect
    to port 2222 rather than the default 22.
     
    Walter Roberson, Dec 18, 2004
    #4
  5. Mr Ping

    Mr Ping Guest

    Thanks Walter !!!!

    It works !!! :)

    //Jane
     
    Mr Ping, Dec 18, 2004
    #5
  6. Mr Ping

    PES Guest

    Others have said yes, but I have never successfully gotten it to work.
    I've always used IPSec.
     
    PES, Dec 18, 2004
    #6
  7. Mr Ping

    Erik Freitag Guest

    I don't have a PIX immediately available to try this on, so perhaps you
    can tell us - would you be able to "trick the PIX" into allowing port 22
    access by using the same port inside and out?

    static (inside, outside) tcp interface 22 xxx.xxx.xxx.xxx 22 netmask 255.255.255.255
     
    Erik Freitag, Dec 18, 2004
    #7
  8. :I don't have a PIX immediately available to try this on, so perhaps you
    :can tell us - would you be able to "trick the PIX" into allowing port 22
    :access by using the same port inside and out?

    :static (inside, outside) tcp interface 22 xxx.xxx.xxx.xxx 22 netmask 255.255.255.255

    No, it's special-cased.
     
    Walter Roberson, Dec 19, 2004
    #8
  9. Mr Ping

    John Smith Guest

    You can ssh to the outside interface w/o ipsec. You only need ipsec to
    telnet to the outside interface.
     
    John Smith, Dec 19, 2004
    #9
  10. Mr Ping

    Mr Ping Guest

    Yes, ssh works now without ipsec.
    ssh xxx.xxx.xxx.xxx 255.255.255.255 outside

    My other ssh is using port 2222
    static (inside, outside) tcp interface 2222 xxx.xxx.xxx.xxx 22 netmask 255.255.255.255

    Merry Christmas to u all
    //Jan
     
    Mr Ping, Dec 19, 2004
    #10
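
Added example, not part of any post in this thread: a small Python check that reads PIX 6.x style config text and flags the two situations the thread works through, a `static ... tcp interface` forward on a port that post #4 says the PIX keeps for itself, and an `ssh ... outside` management line wider than a single host (the change between post #1 and post #10). The function names, finding codes and sample addresses are assumptions made for this example, and the port list is taken as stated in post #4.

```python
import ipaddress
import re

# Constructed sample config (documentation/private addresses, not from the thread).
SAMPLE = """\
ssh 198.51.100.0 255.255.255.0 outside
ssh 198.51.100.7 255.255.255.255 outside
ssh timeout 5
static (inside,outside) tcp interface ssh 192.168.1.10 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2222 192.168.1.10 ssh netmask 255.255.255.255 0 0
"""

PORT_NAMES = {"ssh": 22}     # the PIX writes tcp/22 as the keyword 'ssh'
DEVICE_PORTS = {22, 1467}    # as stated in post #4; 1467 is that poster's recollection

# static (real_if,mapped_if) tcp <mapped_ip|interface> <mapped_port> <real_ip> <real_port>
STATIC_RE = re.compile(
    r"^static\s*\(\s*\w+\s*,\s*\w+\s*\)\s+tcp\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", re.I)
# ssh <ip> <mask> <interface>  (does not match 'ssh timeout 5')
SSH_RE = re.compile(r"^ssh\s+([\d.]+)\s+([\d.]+)\s+(\w+)\s*$", re.I)

def port_number(token):
    """Map a port keyword or decimal string to a number (None if unknown)."""
    token = token.lower()
    return PORT_NAMES.get(token, int(token) if token.isdigit() else None)

def audit(config):
    """Return (line_no, code, detail) findings for PIX 6.x style config text."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            mapped_ip, mapped_port = m.group(1).lower(), port_number(m.group(2))
            if mapped_ip == "interface" and mapped_port in DEVICE_PORTS:
                findings.append((no, "STATIC_ON_DEVICE_PORT",
                                 f"tcp/{mapped_port} on the interface address goes to the PIX itself"))
            continue
        m = SSH_RE.match(line)
        if m and m.group(3).lower() == "outside":
            # Convert the dotted mask to a prefix length to compare against a host mask.
            prefix = ipaddress.ip_network(f"0.0.0.0/{m.group(2)}").prefixlen
            if prefix < 32:
                findings.append((no, "WIDE_SSH_MGMT",
                                 f"{m.group(1)}/{prefix} is permitted to reach SSH on the PIX"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```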