cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1167
Views
0
Helpful
6
Replies
c.hamoeller
Beginner

SSH tunneling through pix

Okay I am starting to go insane!!!

I have setup a red hat box at home with the SSHD started and running. Now I have putty and cygwin on my PC at work, I am trying to setup an SSH tunnel back to my red hat box at home. I want to be able to use local port forwarding out my PC here at work to home through my cisco pix. So I have setup the following on the pix..

Ip address outside interface (dhcp)

Ip address inside 192.168.1.1

Pat

Global (outside) 1 interface (dhcp address is 12.x.x.x)

Nat

Nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Port Redirect

Static (inside, outside) tcp 12.x.x.x ssh 192.168.1.2 ssh netmask 255.255.255.255 0 0

Access-lists

Access-list inbound permit tcp any 192.168.1.2 eq 22

Access-list inbound permit tcp any 192.168.1.2 eq 21

Access-list inbound permit tcp any any eq 80

Access-list inbound permit tcp any any eq 443

Access-list inbound permit tcp any any eq 53

Access-list inbound permit udp any any eq 53

Access-list outbound permit tcp any any eq 80

Access-list outbound permit tcp any any eq 443

Access-list outbond permit tcp any any eq 22

Access-list outbound permit tcp any any eq 21

Access-list outbound permit tcp any any eq 53

Access-list outbound permit udp any any eq 53

Access-group inbound in interface inside

Access-group outbound in interface outside

Now when apply the static port redirect all traffic stops passing in any direction and it locks up. I telnet from home and I see that it is stating that it can’t open portmap for outbound traffic and it is denying inbound traffic. But before I put the static port redirect in the show access-list I see hits on the ACL’s….

Any ideas??

6 REPLIES 6
Patrick Iseli
Rising star

Your setup looks good. Have you done a " clear xlate " after you have changed the NAT and Port Redirection ?

Do you really just want to allow Port 22, 21, 80, 443 and dns from the inside network? Usually without an access-list on the inside interface all traffic from the higher inside interface to the lower outside interface is permitted.

Third thing: Are you sure that on your other site you are allowed to ssh to your home network and that your ISP will not block also port 22. Change your SSH port to a port higher than 1024 example to: 2222 and try again.

sincerely

Patrick

ISP allows SSH on 22 I was configuring it remotely and via ssh.

I put the access-list on for troubleshooting to see when the passing of traffic stops and what exactley happens. Yes you are correct I could just take it off and allow all traffic outbound.

I have not done a clear xlate after I have changed the NAT and Port redirection. This maybe the problem...

I will have to try this now when I get home, and will let you know. thanks for the idea.

okay I have no problem with outbound traffic but the inbound still is failing. I see no hits on the access-list allowing SSH inbound with the port redirect. Any one else have some more ideas??

Might it be that your PIX has also ssh configured ?

Change the SSH port from 22 to another port for example 2222. And change the static to 2222.

example:

no static (inside, outside) tcp 12.x.x.x ssh 192.168.1.2 ssh netmask 255.255.255.255 0 0

Static (inside, outside) tcp 12.x.x.x 2222 192.168.1.2 2222 netmask 255.255.255.255 0 0

no Access-list outbond permit tcp any any eq 22

Access-list outbond permit tcp any any eq 2222

clear xlate

claer arp

wr mem

of course change or add port 2222 on your ssh server.

sincerely

Patrick

scottmac
Advocate

Is it possible or likely that your network at work is filtering the SSH? Our company LAN proxies and filters everything outbound.

If your company is using something like Packeteer, it won't matter what port you send it out on; unless ssh traffic is explicitly permitted, it'll be dropped.

If you find that it is being filtered, do not continue to get traffic out without getting permission. It could cost you your job (depending on the company policy).

You could try sending the ssh out on port 80 (setting your pix for port 80 redirect to your RedHat box ... translate the port 80 to port 22 on the inside).

Good Luck

Scott

jcruz820
Beginner

Anyone know how to stop users from doing ssh tunnels through the ASA?

Content for Community-Ad