enabling ssh to certain computer

jamesi123
Level 1

I have a few computers behind a PIX 501. A few of them have no access to the internet (access-list inside line 1 deny ip host 192.168.1.10 etc.) and others have full access. Now I want to give some of those denied computers SSH access to the outside. I have tried

access-list inside line 6 permit tcp host 192.168.1.10 eq ssh any eq ssh

, but the SSH client says Connection Refused. Do I need some other access rules, or is the problem somewhere else?

1 Accepted Solution

You need to have the permit line before the deny line.

access-list inside permit tcp host 192.168.1.10 any eq ssh

access-list inside deny ip host 192.168.1.10 any

Please rate helpful posts.
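The first-match evaluation behind this answer, and the effect of pinning the source port in the original rule, as an added example that is not part of the thread. The tiny parser handles only the ACL forms quoted here, and the packet values (ephemeral port 49152, server 203.0.113.5) are constructed.

```python
from typing import NamedTuple, Optional

PORTS = {"ssh": 22}  # only the service name used in the thread

class Rule(NamedTuple):
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

def parse(line: str) -> Rule:
    """Parse only the ACL forms quoted in the thread; not a full PIX parser."""
    tok = line.split()[2:]                 # drop "access-list <name>"
    if tok[0] == "line":                   # optional "line N" position
        tok = tok[2:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    def addr_port(t):
        addr, t = (t[1], t[2:]) if t[0] == "host" else (t[0], t[1:])
        port = None
        if t and t[0] == "eq":
            port, t = PORTS.get(t[1]) or int(t[1]), t[2:]
        return addr, port, t
    src, sport, tok = addr_port(tok)
    dst, dport, tok = addr_port(tok)
    return Rule(action, proto, src, sport, dst, dport)

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; nothing matching means implicit deny."""
    for i, line in enumerate(acl, 1):
        r = parse(line)
        if (r.proto in ("ip", proto) and r.src in ("any", src)
                and r.dst in ("any", dst) and r.sport in (None, sport)
                and r.dport in (None, dport)):
            return r.action, i
    return "deny", None

DENY = "access-list inside deny ip host 192.168.1.10 any"
SRC_EQ = "access-list inside permit tcp host 192.168.1.10 eq ssh any eq ssh"
DST_EQ = "access-list inside permit tcp host 192.168.1.10 any eq ssh"
# Constructed packet: SSH client on an ephemeral source port, documentation-range server.
SSH_OUT = ("tcp", "192.168.1.10", 49152, "203.0.113.5", 22)

if __name__ == "__main__":
    for name, acl in [("deny first", [DENY, DST_EQ]),
                      ("source port pinned to 22", [SRC_EQ, DENY]),
                      ("permit first", [DST_EQ, DENY])]:
        print(name, evaluate(acl, *SSH_OUT))
```

Only the last ordering permits the SSH connection, and the host's other traffic still falls through to the deny entry.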


3 Replies

dominic.caron
Level 5

Hi

The source port may not be 22; it depends on the client coding. Change your ACL line to:

access-list inside line 6 permit tcp host 192.168.1.10 any eq ssh

That change didn't seem to work. It seems that outbound connection works, but inbound doesn't. access-list inside line 1 deny ip host 192.168.1.10 gets hits when I try to SSH out from the computer.
