Ssh problem on a pix 501

Hi!

I have a static (inside,outside) tcp interface ssh on a pix 501.
Cisco PIX Firewall Version 6.3(4)
Now i want to have ssh xxx.xxx.xxx.xxx 255.255.255.0 outside

Is this posible to have a static and ssh open?
If not any sugestion to get i work?


//Jan

 

I don't think you will be able to accomplish this directly. You could
however, create an IPSec tunnel and uset the management interface option
to allow you to connect via ssh through the tunnel to the inside interface.

 

Thanks again PES.

Ok.
But it is posible to ssh the pix from the outside, without a IPSec tunnel?

//Jan

 

:I have a static (inside,outside) tcp interface ssh on a pix 501.
:Cisco PIX Firewall Version 6.3(4)
:Now i want to have ssh xxx.xxx.xxx.xxx 255.255.255.0 outside

:Is this posible to have a static and ssh open?

Not while using the default ssh port (tcp 22) and
using a single IP address.

There are two ports that you cannot use static port
forwarding for using 'interface': ssh and 1467 (I think it is).
The PIX *always* considers those two ports to be traffic
destined to the PIX rather than traffic -through- the PIX.

You can, though, use

static (inside, outside) tcp interface 2222 xxx.xxx.xxx.xxx 22 netmask 255.255.255.255

Then to reach your inside system, tell your ssh client to connect
to port 2222 rather than the default 22.

 

There are two ports that you cannot use static port

Thanks Walter !!!!

It work !!!

//Jane

 

Others have said yes, but I have never successfully gotten it to work.
I've always used IPSec.

 

I don't have a PIX immediately available to try this on, so perhaps you
can tell us - would you be able to "trick the PIX" into allowing port 22
access by using the same port inside and out?

static (inside, outside) tcp interface 22 xxx.xxx.xxx.xxx 22 netmask 255.255.255.255

 

:I don't have a PIX immediately available to try this on, so perhaps you
:can tell us - would you be able to "trick the PIX" into allowing port 22
:access by using the same port inside and out?

:static (inside, outside) tcp interface 22 xxx.xxx.xxx.xxx 22 netmask 255.255.255.255

No, it's special-cased.

 

you can ssh to the outside interface w/o ipsec. you only need ipsec to
telnet to the outside interface.

 

Yes ssh work now without ipsec.
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside

My other ssh is using port 2222
static (inside, outside) tcp interface 2222 xxx.xxx.xxx.xxx 22 netmask
255.255.255.255

Merry Christmas to u all
//Jan