03-07-2003 12:17 PM - edited 02-20-2020 10:36 PM
I have a client that has a Linksys firewall set up at his workstation (don't ask why, you don't want to know). He needs to pass SSH traffic to his workstation. I have an ACL configured and a static configured for his IP to pass the port 22 traffic to his "external" Linksys address. He has the Linksys configured to pass port 22 traffic to his internal workstation.
When he is behind the PIX with a NATed IP this does not work; I just get a connection refused. When I place him outside the firewall with a routable IP everything works fine. Is this a problem with TCP sequencing? Can this be disabled?
Thanks!
03-10-2003 07:26 AM
1. Your client is a donkey, take off your shoe and beat him with it.
2. Given his donkey status, I must question whether he is actually running an SSH daemon. Only an SSH daemon (server) needs to be accessible via TCP 22. If he is running an SSH daemon, is he running a Unix-like OS? If so, run ipchains, PF, or IPF on it.
03-10-2003 05:13 PM
Sometimes dual NAT can be an issue, as the PIX will randomize TCP sequence numbers for added security for hosts with weak IP stacks (read: Windows).
This can be disabled per static statement with the norandomseq keyword at the end.
And don't forget to follow the other poster's reply as he's dead on. For both step 1 and step 2. ;)
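An added example, not from any poster in this thread, of what the PIX 6.x configuration the reply above describes looks like: a static translation for the workstation's Linksys WAN address with the norandomseq keyword, plus the access-list that permits only TCP 22 to it. All addresses, the access-list name and the interface names are constructed placeholders, not values from the thread.

```cisco
! Constructed example (not from this thread): PIX 6.x one-to-one static NAT
! for a single host. Placeholders: 203.0.113.10 is the public address the PIX
! presents on the outside; 10.1.1.10 is the Linksys WAN address on the inside.
!
! Default form: the PIX randomizes the TCP initial sequence number of every
! connection through this static.
! static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0
!
! Same static with sequence-number randomization turned off for this host only.
! The trailing "0 0" are the max-connections and embryonic-connection limits
! (0 = unlimited); norandomseq is the last keyword and must follow them.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0 norandomseq

! Admit only SSH from outside to the translated address, and bind the list
! inbound on the outside interface. Nothing else reaches the host.
access-list outside_in permit tcp any host 203.0.113.10 eq 22
access-group outside_in in interface outside
```

After changing a static, run clear xlate so the existing translation for that host is rebuilt with the new setting; show static confirms the line as configured. Because the randomization exists to shield hosts with predictable sequence-number generation, keep norandomseq on the one static that needs it (here, the double-NAT path) rather than adding it to every static on the box.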