topic Re: SSH tunneling through pix in Network Security

SSH tunneling through pix

c.hamoeller — Fri, 21 Feb 2020 08:05:59 GMT

Okay I am starting to go insane!!!

I have setup a red hat box at home with the SSHD started and running. Now I have putty and cygwin on my PC at work, I am trying to setup an SSH tunnel back to my red hat box at home. I want to be able to use local port forwarding out my PC here at work to home through my cisco pix. So I have setup the following on the pix..

Ip address outside interface (dhcp)

Ip address inside 192.168.1.1

Pat

Global (outside) 1 interface (dhcp address is 12.x.x.x)

Nat

Nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Port Redirect

Static (inside, outside) tcp 12.x.x.x ssh 192.168.1.2 ssh netmask 255.255.255.255 0 0

Access-lists

Access-list inbound permit tcp any 192.168.1.2 eq 22

Access-list inbound permit tcp any 192.168.1.2 eq 21

Access-list inbound permit tcp any any eq 80

Access-list inbound permit tcp any any eq 443

Access-list inbound permit tcp any any eq 53

Access-list inbound permit udp any any eq 53

Access-list outbound permit tcp any any eq 80

Access-list outbound permit tcp any any eq 443

Access-list outbond permit tcp any any eq 22

Access-list outbound permit tcp any any eq 21

Access-list outbound permit tcp any any eq 53

Access-list outbound permit udp any any eq 53

Access-group inbound in interface inside

Access-group outbound in interface outside

Now when apply the static port redirect all traffic stops passing in any direction and it locks up. I telnet from home and I see that it is stating that it can’t open portmap for outbound traffic and it is denying inbound traffic. But before I put the static port redirect in the show access-list I see hits on the ACL’s….

Any ideas??

Re: SSH tunneling through pix

Patrick Iseli — Fri, 22 Apr 2005 16:33:07 GMT

Your setup looks good. Have you done a " clear xlate " after you have changed the NAT and Port Redirection ?

Do you really just want to allow Port 22, 21, 80, 443 and dns from the inside network? Usually without an access-list on the inside interface all traffic from the higher inside interface to the lower outside interface is permitted.

Third thing: Are you sure that on your other site you are allowed to ssh to your home network and that your ISP will not block also port 22. Change your SSH port to a port higher than 1024 example to: 2222 and try again.

sincerely

Patrick

Re: SSH tunneling through pix

c.hamoeller — Fri, 22 Apr 2005 16:40:19 GMT

ISP allows SSH on 22 I was configuring it remotely and via ssh.

I put the access-list on for troubleshooting to see when the passing of traffic stops and what exactley happens. Yes you are correct I could just take it off and allow all traffic outbound.

I have not done a clear xlate after I have changed the NAT and Port redirection. This maybe the problem...

I will have to try this now when I get home, and will let you know. thanks for the idea.

Re: SSH tunneling through pix

c.hamoeller — Fri, 29 Apr 2005 12:17:09 GMT

okay I have no problem with outbound traffic but the inbound still is failing. I see no hits on the access-list allowing SSH inbound with the port redirect. Any one else have some more ideas??

Re: SSH tunneling through pix

Patrick Iseli — Sat, 30 Apr 2005 23:56:26 GMT

Might it be that your PIX has also ssh configured ?

Change the SSH port from 22 to another port for example 2222. And change the static to 2222.

example:

no static (inside, outside) tcp 12.x.x.x ssh 192.168.1.2 ssh netmask 255.255.255.255 0 0

Static (inside, outside) tcp 12.x.x.x 2222 192.168.1.2 2222 netmask 255.255.255.255 0 0

no Access-list outbond permit tcp any any eq 22

Access-list outbond permit tcp any any eq 2222

clear xlate

claer arp

wr mem

of course change or add port 2222 on your ssh server.

sincerely

Patrick

Re: SSH tunneling through pix

scottmac — Sun, 01 May 2005 14:35:55 GMT

Is it possible or likely that your network at work is filtering the SSH? Our company LAN proxies and filters everything outbound.

If your company is using something like Packeteer, it won't matter what port you send it out on; unless ssh traffic is explicitly permitted, it'll be dropped.

If you find that it is being filtered, do not continue to get traffic out without getting permission. It could cost you your job (depending on the company policy).

You could try sending the ssh out on port 80 (setting your pix for port 80 redirect to your RedHat box ... translate the port 80 to port 22 on the inside).

Good Luck

Scott

Re: SSH tunneling through pix

jcruz820 — Wed, 19 Apr 2006 14:14:51 GMT

Anyone know how to stop users from doing ssh tunnels through the ASA?