Help with PIX 6.2 interface access & appropriate ACLs for SSH

Jonathan Wiggins — Tue, 12 Mar 2019 02:22:11 GMT

I'm not very proficient with older PIX 6.2(1) code and I have the following scenario for a customer and was wondering if anyone could please help me. Have interface to access PIX device on 10.1.1.242, which is reachable currently from the 10.1.1.x network, but need to get this configured for the 10.1.2.x network. Also trying to get SSH working correctly

current interface/nameif config:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ_2_XYZ security50

current interface/IP config:

ip address outside 10.1.5.254 255.0.0.0

ip address inside 10.1.1.242 255.255.255.0

ip address DMZ_2_XYZ 10.1.11.2 255.255.255.248

current ACL config:

access-list DMZ_2_XYZ_access_IN permit ip any any

access-list DMZ_2_XYZ_access_IN permit icmp any any

access-group DMZ_2_XYZ_access_IN in interface DMZ_2_XYZ

Static config:

static (inside,DMZ_2_XYZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0

Current SSH config:

ssh 10.1.1.0 255.255.255.0 inside

ssh 10.1.2.0 255.255.255.0 inside

ssh 10.3.0.0 255.255.0.0 DMZ_2_XYZ

Current route statements:

route inside 10.1.4.0 255.255.255.0 10.1.1.254 1

route DMZ_2_XYZ 10.3.0.0 255.255.0.0 10.1.11.1 1

Now, from what I know, first of all this needs a static mapping:

static (inside,???) tcp interface 22 10.1.1.242 22 netmask 255.255.255.255

then this needs an ACL:

access-list CORP_SSH_ACCESS_IN permit tcp 10.1.2.0 netmask 255.255.255.0 host 10.1.1.242 eq 22

This is where I'm getting hung up

a) the PIX doesnt know about the 10.1.2.x network

i. and does it need a route statement to get back to the 10.1.2.x -- my thoughts are yes, b/c it wont know how to return traffic

b) not sure which order to place the interfaces in the "static (X,Y)" area since no interface is bound or connected to 10.1.2.x

c) I'm used to running packet-tracer command on ASA's, so I'm trying to get a quick primer on the "capture" utility on PIX 6.2

Any help is much appreciated!!!

Help with PIX 6.2 interface access & appropriate ACLs for SSH

Marvin Rhoads — Tue, 06 Aug 2013 18:08:20 GMT

A lot depends on where the 10.1.2.0/24 network is in relation to the Pix. If it is downstream from the inside interface (i.e. beyond the 10.1.1.254 gateway) then a simple:

route inside 10.1.2.0 255.255.255.0 10.1.1.254

will do the trick given that you already have the necessary ssh statement in place. If the 10.1.2.0/24 network is somewhere else, then you may need to adjust access-list and nat statements.

Help with PIX 6.2 interface access & appropriate ACLs for SSH

Jonathan Wiggins — Tue, 06 Aug 2013 18:37:51 GMT

will give that a shot. I'm just not used to the static mapping portion on 6.2 code, and was trying to tap into some hive-knowledge here... off to RTFM

topic Help with PIX 6.2 interface access & appropriate ACLs for SSH in Network Security

Help with PIX 6.2 interface access & appropriate ACLs for SSH

Help with PIX 6.2 interface access & appropriate ACLs for SSH

Help with PIX 6.2 interface access & appropriate ACLs for SSH