https://community.cisco.com/t5/network-security/connect-to-internal-server-via-ssh/m-p/1780617#M533034 <P>I have a vendor trying to connect to one of my servers.&nbsp; To this point, he's been able to connect using a specific port.&nbsp; I created an entry in my access list -&nbsp;&nbsp; access-list inbound permit tcp host xxx.xxx.xxx.xxx host 167.21.xxx.xxx eq 397.&nbsp; He was able to connect for years using this entry.&nbsp; Now, they want to connect via SSH.&nbsp; So, I duplicated the entry and changed it to "eq SSH"&nbsp; The vendor says he can't connect.&nbsp; It just times out.&nbsp; I don't have a packet sniffer to be able to look at the packets coming into the PIX.</P><P></P><P>Is there something else I need to do to allow SSH?&nbsp; I'm a bit confused.&nbsp; Thanks for any help you can provide - <A href="mailto:asiegel@dover.de.us" target="_blank">asiegel@dover.de.us</A> </P> Mon, 11 Mar 2019 21:14:27 GMT asiegel 2019-03-11T21:14:27Z https://community.cisco.com/t5/network-security/connect-to-internal-server-via-ssh/m-p/1780617#M533034 <P>I have a vendor trying to connect to one of my servers.&nbsp; To this point, he's been able to connect using a specific port.&nbsp; I created an entry in my access list -&nbsp;&nbsp; access-list inbound permit tcp host xxx.xxx.xxx.xxx host 167.21.xxx.xxx eq 397.&nbsp; He was able to connect for years using this entry.&nbsp; Now, they want to connect via SSH.&nbsp; So, I duplicated the entry and changed it to "eq SSH"&nbsp; The vendor says he can't connect.&nbsp; It just times out.&nbsp; I don't have a packet sniffer to be able to look at the packets coming into the PIX.</P><P></P><P>Is there something else I need to do to allow SSH?&nbsp; I'm a bit confused.&nbsp; Thanks for any help you can provide - <A href="mailto:asiegel@dover.de.us" target="_blank">asiegel@dover.de.us</A> </P> Mon, 11 Mar 2019 21:14:27 GMT https://community.cisco.com/t5/network-security/connect-to-internal-server-via-ssh/m-p/1780617#M533034 asiegel 2019-03-11T21:14:27Z https://community.cisco.com/t5/network-security/connect-to-internal-server-via-ssh/m-p/1780618#M533035 <HTML><HEAD></HEAD><BODY><P>What is the static nat entry that you have on the ASA for the internal server?? Is it one to one nat or port forwarding?? If it is port forwarding then you might need to add a static nat for it.</P><P></P><P>Moreover, plz check on the server if port 22 is open on the machine, you can open it through the windows firewall.</P><P></P><P>Also if everything seems to be in place, you can take captures and logs from the PIX:</P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-1222">https://supportforums.cisco.com/docs/DOC-1222</A></P><P></P><P>Thanks,</P><P>Varun</P><P></P><P>Please do rate helpful posts.</P></BODY></HTML> Fri, 19 Aug 2011 18:15:49 GMT https://community.cisco.com/t5/network-security/connect-to-internal-server-via-ssh/m-p/1780618#M533035 varrao 2011-08-19T18:15:49Z https://community.cisco.com/t5/network-security/connect-to-internal-server-via-ssh/m-p/1780619#M533038 <HTML><HEAD></HEAD><BODY><P>I'm using an old PIX515e.&nbsp; The server is an AS400 with a one to one static NAT - no port forwarding.&nbsp; The vendor was connected to the server via port 397 and said he didn't see any port 22 traffic getting to the server, so he believes it is being stopped at the firewall.&nbsp; I will look at the link you listed and see if I can capture some information.&nbsp; </P><P></P><P>Otherwise, is there anything else I would need to do other than the access-list entry?&nbsp; I don't see a fixup protocol for SSH like I do for other protocols.&nbsp; </P><P></P><P>fixup protocol dns maximum-length 512</P><P>fixup protocol ftp 21</P><P>fixup protocol h323 h225 1720</P><P>fixup protocol h323 ras 1718-1719</P><P>fixup protocol http 80</P><P>fixup protocol ils 389</P><P>fixup protocol rsh 514</P><P>fixup protocol rtsp 554</P><P>fixup protocol sip 5060</P><P>fixup protocol sip udp 5060</P><P>fixup protocol skinny 2000</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>fixup protocol tftp 69<SPAN id="mce_marker"> </SPAN>fixup protocol dns maximum-length 512<BR />fixup protocol ftp 21<BR />fixup protocol h323 h225 1720<BR />fixup protocol h323 ras 1718-1719<BR />fixup protocol http 80<BR />fixup protocol ils 389<BR />fixup protocol rsh 514<BR />fixup protocol rtsp 554<BR />fixup protocol sip 5060<BR />fixup protocol sip udp 5060<BR />fixup protocol skinny 2000<BR />fixup protocol smtp 25<BR />fixup protocol sqlnet 1521<BR />fixup protocol tftp 69</P><P></P><P>Could that be an issue?</P><P></P><P>Thanks again.</P><P></P><P>Andy</P></BODY></HTML> Fri, 19 Aug 2011 18:43:26 GMT https://community.cisco.com/t5/network-security/connect-to-internal-server-via-ssh/m-p/1780619#M533038 asiegel 2011-08-19T18:43:26Z https://community.cisco.com/t5/network-security/connect-to-internal-server-via-ssh/m-p/1780620#M533040 <HTML><HEAD></HEAD><BODY><P>Could be an issue, you need to add a fix up for ssh as well. The best troubleshooting would be to take captures, see if the request is being received for port 22 and if the firewall forwards it to the server. Do take logs as well.</P><P></P><P>Do let me know the results.</P><P></P><P>Varun</P></BODY></HTML> Fri, 19 Aug 2011 18:47:39 GMT https://community.cisco.com/t5/network-security/connect-to-internal-server-via-ssh/m-p/1780620#M533040 varrao 2011-08-19T18:47:39Z