1042 Views, 4 Helpful, 3 Replies

Connect to internal server via SSH

asiegel, Level 1

I have a vendor trying to connect to one of my servers. To this point, he's been able to connect using a specific port. I created an entry in my access list: access-list inbound permit tcp host xxx.xxx.xxx.xxx host 167.21.xxx.xxx eq 397. He was able to connect for years using this entry. Now, they want to connect via SSH. So, I duplicated the entry and changed it to "eq ssh". The vendor says he can't connect; it just times out. I don't have a packet sniffer to be able to look at the packets coming into the PIX.

Is there something else I need to do to allow SSH? I'm a bit confused. Thanks for any help you can provide - asiegel@dover.de.us

3 Replies

varrao, Level 10

What is the static NAT entry that you have on the ASA for the internal server? Is it one-to-one NAT or port forwarding? If it is port forwarding then you might need to add a static NAT for it.

Moreover, please check on the server if port 22 is open on the machine; you can open it through the Windows firewall.

Also if everything seems to be in place, you can take captures and logs from the PIX:

https://supportforums.cisco.com/docs/DOC-1222

Thanks,

Varun

Please do rate helpful posts.

Thanks,
Varun Rao

I'm using an old PIX 515E. The server is an AS400 with a one-to-one static NAT - no port forwarding. The vendor was connected to the server via port 397 and said he didn't see any port 22 traffic getting to the server, so he believes it is being stopped at the firewall. I will look at the link you listed and see if I can capture some information.

Otherwise, is there anything else I would need to do other than the access-list entry? I don't see a fixup protocol for SSH like I do for other protocols.

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

Could that be an issue?

Thanks again.

Andy

Could be an issue; you need to add a fixup for SSH as well. The best troubleshooting would be to take captures, see if the request is being received for port 22 and if the firewall forwards it to the server. Do take logs as well.

Do let me know the results.

Varun

Thanks,
Varun Rao
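The capture-and-log procedure suggested above, written out as an added PIX 6.x CLI walkthrough (this is not configuration from the thread or from Cisco documentation). VENDOR_IP, 167.21.x.x and the inside address 10.0.0.5 are placeholders for the vendor's public address, the server's static-NAT address and the server's real address.

```text
! Added example: locating where an SSH connection is lost on a PIX 6.x.
! Placeholders: VENDOR_IP (vendor's public IP), 167.21.x.x (server's
! outside/NAT address), 10.0.0.5 (server's real inside address, assumed).

! 1. The one-to-one static and the two ACL entries as described in the thread.
!    PIX has no "fixup protocol ssh"; SSH is plain TCP, so the permit is enough
!    from the firewall's side.
static (inside,outside) 167.21.x.x 10.0.0.5 netmask 255.255.255.255
access-list inbound permit tcp host VENDOR_IP host 167.21.x.x eq 397
access-list inbound permit tcp host VENDOR_IP host 167.21.x.x eq ssh
access-group inbound in interface outside

! 2. Hit counters: if the ssh line's hitcnt stays at 0 while the vendor
!    retries, the SYNs are not reaching the outside interface at all.
show access-list inbound

! 3. Captures on both sides of the PIX. The outside capture matches the
!    NAT'd address, the inside capture the real address.
access-list cap-out permit tcp host VENDOR_IP host 167.21.x.x eq 22
access-list cap-out permit tcp host 167.21.x.x eq 22 host VENDOR_IP
capture ssh-out access-list cap-out interface outside
access-list cap-in permit tcp host VENDOR_IP host 10.0.0.5 eq 22
access-list cap-in permit tcp host 10.0.0.5 eq 22 host VENDOR_IP
capture ssh-in access-list cap-in interface inside

! Have the vendor retry the connection, then read both captures:
show capture ssh-out
show capture ssh-in
! SYN in ssh-out, nothing in ssh-in   -> dropped by the PIX; check the log
! SYN in ssh-in, no SYN/ACK back      -> server not listening on 22 or a
!                                        host firewall on the AS400 blocks it
! nothing in ssh-out                  -> traffic never arrives (vendor/upstream)

! 4. ACL denies are logged as %PIX-4-106023; buffer them for the retry window.
logging on
logging buffered warnings
show logging

! 5. Remove the captures and their ACLs once finished.
no capture ssh-out
no capture ssh-in
```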