topic Re: PIX 515E issue in Network Security

PIX 515E issue

vinoth.kumar — Mon, 11 Mar 2019 17:11:52 GMT

Currently in our network we are using PIX 515E in that

we have done all NAT access from outside to inside for all web access for example:

static (inside,outside) tcp 1.1.1.1 23 X.X.X.X 23 -- is this PAT is applied to both inbound and outbound

static (inside,outside) tcp 2.2.2.2 22 Y.Y.Y.Y 22 -- is this PAT is applied to both inbound and outbound

access-list NAT permit ip any host 1.1.1.1 eq 23 - inbound acl to access telnet service to inside host

access-list NAT permit ip any eq 23 host 2.2.2.2 eq 23 - outboung acl to access SSH service to outside public IP

access-group NAT in interface outside

now our issue is we are ablet to access the telnet service from outside world to inside host but we are unable to access the SSH to outside world from the inside host

can anyone help me resolve this , we doubt it may be IOS issue

our current IOS is PIX723.bin and can i know which IOS is best for PIX

thanks

Re: PIX 515E issue

Jerry Ye — Thu, 18 Feb 2010 16:09:32 GMT

Check your ACL

access-list NAT permit ip any eq 23 host 2.2.2.2 eq 23

SSH is port 22, and the source port (client) will not be 22, it is a random high port.

HTH,

jerry

Re: PIX 515E issue

vinoth.kumar — Thu, 18 Feb 2010 16:46:11 GMT

thanks for the reply

sorry its port 22 only i mistakently written

access-list NAT permit ip any eq 22 host 2.2.2.2 eq 22

still its not working

Re: PIX 515E issue

Jerry Ye — Thu, 18 Feb 2010 16:50:20 GMT

I am assuming the SSH server is inside the FW. If that is true, you rule shoud look like

access-list NAT permit tcp any host 2.2.2.2 eq 22

HTH,

jerry

Re: PIX 515E issue

vinoth.kumar — Thu, 18 Feb 2010 17:13:11 GMT

basically we need to put single PAT entry and allow access to both inbound

and outbound direction

can u help me how to achieve this

static (inside,outside) tcp publicip 22 LANIP 22

now we need to access from outside world to LANIP thorugh port 22 and also

we need port 22 should be access to outside word from LANIP server

when we trying from LAN server to outside world we are getting the log like

this which is unsuccesfull:

%PIX-7-609001: Built local-host outside:PUBLICIP

%PIX-6-302013: Built outbound TCP connection 1273 for outside:PUBLICIP/22 (

PUBLICIP/22) to inside:LANIP/55185 (LANIP/55185)

%PIX-6-302014: Teardown TCP connection 1335 for outside:PUBLICIP/22 to

inside:LANIP/55208 duration 0:00:30 bytes 0 SYN Timeout

Re: PIX 515E issue

Jerry Ye — Thu, 18 Feb 2010 17:39:54 GMT

You can't do 2 things with one single statement. What you are looking for is really PBR and NAT.

Where you will NAT your incoming connection to 2.2.2.2 for destination port 22.

PBR is for your out bound connection sourced from 2.2.2.2 to x where its destination port is 22.

Regards,

jerry