Opening port 22 in PIX 501

lexiainfo
Level 1

I would like to access my PC from xyz location. How do I open port 22 to access my PC? I am using a PIX 501.

Can anyone provide the commands to open the port so that I can access my PC?

Thanks


15 Replies

jackko
Level 7

hostname pix

domain-name yourcompany.com.au

ca generate rsa key 1024

ca save all

In order to allow/restrict SSH access to the PIX:

ssh <trusted host ip> <netmask> outside

Is "trusted host ip" the IP address from where I am accessing, or the IP of the PC which I want to access?

Thanks

Yes, e.g. your home internet public IP.

I would like to access this machine at address 192.168.0.110.

Do you mean this is how it should be?

=======================================================

hostname cisco

domain-name wasay.com

ca generate rsa key 1024

ca save all

ssh 192.168.0.110 255.255.255.0 outside

=====================================================

Do I need to put in the PIX any IP details of the PC from the place where I am accessing my home PC?

or

Are just the above commands OK?

Thanks

The problem is not yet solved. Can anyone show the exact command to open port 22?

I have tried the above command; it didn't work.

Thanks

I think the previous command is to allow PIX management via SSH from Outside/Internet.

The command "ssh <trusted host ip> <netmask> outside" is to allow that IP to access/manage the PIX from Outside.

If you need to access your PC which sits on the inside segment, you need to map it to a Public IP and use an ACL that opens port 22 (ssh) to enable you to access it from Outside/Internet. This ACL needs to be configured on the outside interface.

example:

1. Static map of your internal PC to a Public IP (assigned by your SP)

static (inside,outside) 199.100.100.10 192.168.0.110 netmask 255.255.255.255

2. Open the ACL on the outside interface

access-list 100 permit tcp any host 199.100.100.10 eq 22

3. Bind it to outside interface

access-group 100 in interface outside

* You can also specify a specific IP/subnet by replacing 'any' with a host ID, or a subnet ID and netmask, as follows:

- For single host:

access-list 100 permit tcp host 202.100.100.100 host 199.100.100.10 eq 22

- For subnet:

access-list 100 permit tcp 202.100.100.0 255.255.255.0 host 199.100.100.10 eq 22

Make sure your internal PC is allowed to access Outside/Internet as well. If you have any ACL on the inside interface, make sure it allows your internal PC to pass through.

Cheers!

AK

Hi,

If you are looking to SSH to your PC behind the PIX from xyz, try this:

static (inside,outside) tcp p.p.p.p 22 192.168.0.110 22 netmask 255.255.255.255

access-list outside_in permit tcp host h.h.h.h host p.p.p.p eq 22

Where:

p.p.p.p is your PIX outside interface IP or another public IP routed to your PIX.

outside_in is the access-list applied to your outside interface

h.h.h.h is xyz public IP address

HTH

Regards,

Shijo George.

Please excuse me, as I wasn't thinking. The commands I posted are for managing the PIX.

As the last couple of posts suggested, those are the commands required. Just one more comment: do "clear xlate" after applying static statements, as it forces the PIX to refresh the IP address translation.

I have tried the above commands; it didn't work. Can anyone who is an expert in PIX firewalls solve my issue? It's urgent; I want to access my PC.

Please post the config with the public IP masked.

Thanks for the reply here is the config:

Result of firewall command: "sh run"

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password i8sWQlcI4sodDEYK encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname Melbourne

domain-name lexiainfotech.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group service UDPList udp

port-object eq 5060

port-object eq 8000

port-object range 16384 20384

object-group service BroadVoice1 tcp-udp

port-object range 5060 5063

port-object range 10000 20000

port-object range 16384 20384

port-object eq 69

access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inbound permit udp any interface outside object-group BroadVoice1

access-list Inbound permit udp any interface outside object-group BroadVoice1

access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.0.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.57 255.255.255.255 inside

pdm location 192.168.1.0 255.255.255.0 outside

pdm location 192.168.2.0 255.255.255.0 outside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 192.168.0.0 255.255.255.0 0 0

static (inside,outside) udp interface tftp 192.168.0.57 tftp netmask 255.255.255.255 0 0

access-group inbound in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set SecuritySet esp-des esp-sha-hmac

crypto map rtpmap 1 ipsec-isakmp

crypto map rtpmap 1 match address 102

crypto map rtpmap 1 set peer 61.17.xxx.xxx

crypto map rtpmap 1 set transform-set SecuritySet

crypto map rtpmap 1 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map rtpmap 2 ipsec-isakmp

crypto map rtpmap 2 match address 103

crypto map rtpmap 2 set peer 58.105.xxx.xxx

crypto map rtpmap 2 set transform-set SecuritySet

crypto map rtpmap 2 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map rtpmap interface outside

isakmp enable outside

isakmp key **address 61.17.xxx.xxx netmask 255.255.255.255

isakmp key **address 58.105.xxx.xxx netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group Internet request dialout pppoe

vpdn enable inside

dhcpd address 192.168.0.33-192.168.0.62 inside

dhcpd lease 3600

dhcpd ping_timeout 750

Do "sh access-list inbound" to verify whether the ACL is being hit or not.

Verify whether the host 192.168.0.57 has the PIX inside interface as its default gateway.

Also verify the TFTP service is running correctly, e.g. try to establish TFTP from the subnet 192.168.0.0/24.

Do "sh xlate | in 192.168.0.57" to verify the IP translation.

Lastly, just wondering whether you were testing the TFTP from outside the PIX, such as from the internet.

Thanks for the reply

I am pretty sure the above instructions have nothing to do with opening port 22.

I came back home and would like to end this topic; thanks to Jackko and the other NetPro members for their support.

Hence my problem is not solved, and I am 100% sure there are only 3 to 4 commands to open port 22.

Thanks, have a good weekend.

Totally agree, as only 3 commands are required.

access-list inbound permit tcp any interface outside eq 22

static (inside,outside) tcp interface 22 192.168.0.110 22 netmask 255.255.255.255 0 0

clear xlate

However, all these commands are missing from the config you posted.
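AK's three-step reply and the accepted solution describe the same chain: a port-level static (PAT) for the inside host, a permit ACE on the outside ACL, and the access-group that binds that ACL inbound on the outside interface, and the accepted solution's point is that the posted config has none of the TCP/22 pieces. The script below is an added example, not from this thread and not Cisco code, that parses a PIX 6.3 running-config excerpt and reports which link of that chain is missing. The excerpt is constructed and modelled on the posted "sh run" (the tftp static, the BroadVoice1 object-group, and both the `inbound` and `Inbound` ACEs, which PIX treats as two different lists because ACL names are case-sensitive); the inside host 192.168.0.110 is the PC named in the thread; the function names, the port-name table and the assumption that a missing static means PAT on the interface address are this example's own.

```python
"""Audit a PIX 6.3 config for the three pieces that publish an inside host's service:
a port-level static, a permit ACE on the outside ACL, and the binding access-group."""
import re

PORT_NAMES = {"ssh": 22, "tftp": 69}  # PIX accepts service names in place of numbers

# Constructed excerpt modelled on the posted "sh run": the tftp static and BroadVoice1
# ACE exist, nothing publishes TCP/22, and a capitalised "Inbound" ACE sits in a second,
# never-bound list (PIX ACL names are case-sensitive).
CONFIG_BEFORE = """\
object-group service BroadVoice1 tcp-udp
port-object range 5060 5063
port-object eq 69
access-list inbound permit udp any interface outside object-group BroadVoice1
access-list Inbound permit udp any interface outside object-group BroadVoice1
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) udp interface tftp 192.168.0.57 tftp netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""
# Same excerpt plus the accepted solution's static and ACE for the PC named in the thread.
CONFIG_AFTER = CONFIG_BEFORE + """\
access-list inbound permit tcp any interface outside eq 22
static (inside,outside) tcp interface 22 192.168.0.110 22 netmask 255.255.255.255 0 0
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (?P<proto>tcp|udp) (?P<gaddr>\S+) "
                       r"(?P<gport>\S+) (?P<laddr>\S+) (?P<lport>\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)", re.M)

def port_num(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]

def parse_service_groups(config):
    """object-group service blocks -> {name: [(lo, hi), ...]} port ranges."""
    groups, cur = {}, None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[:2] == ["object-group", "service"]:
            cur = groups.setdefault(t[2], [])
        elif t[0] == "port-object" and cur is not None:
            lo = port_num(t[2])
            cur.append((lo, port_num(t[3]) if t[1] == "range" else lo))
        else:
            cur = None  # any other line ends the block
    return groups

def parse_statics(config):
    """Port-level statics as dicts; gaddr is a public IP or the word 'interface'."""
    out = [m.groupdict() for m in map(STATIC_RE.match, config.splitlines()) if m]
    for d in out:
        d["gport"], d["lport"] = port_num(d["gport"]), port_num(d["lport"])
    return out

def _take_addr(tokens):
    """Consume one address spec: any | host A | interface N | object-group G | NET MASK."""
    kw = tokens.pop(0)
    return kw if kw == "any" else f"{kw} {tokens.pop(0)}"

def parse_acls(config):
    """ACEs grouped by (case-sensitive) ACL name; port qualifiers become (lo, hi) ranges."""
    groups, acls = parse_service_groups(config), {}
    for t in (line.split() for line in config.splitlines()):
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue
        rest = t[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        ports = [(0, 65535)]  # no qualifier means every port
        if rest[:1] == ["eq"]:
            ports = [(port_num(rest[1]),) * 2]
        elif rest[:1] == ["object-group"]:
            ports = groups.get(rest[1], [])  # unknown group -> matches nothing
        acls.setdefault(t[1], []).append(
            {"action": t[2], "proto": t[3], "src": src, "dst": dst, "ports": ports})
    return acls

def unbound_acls(config):
    """ACLs defined but referenced by no access-group, nat 0 or crypto map."""
    used = {name for name, _ in GROUP_RE.findall(config)}
    used |= set(re.findall(r"^nat \(\w+\) \d+ access-list (\S+)", config, re.M))
    used |= set(re.findall(r"match address (\S+)", config, re.M))
    return sorted(set(parse_acls(config)) - used)

def audit_port_forward(config, proto, port, inside_host, outside="outside"):
    """Problems stopping outside -> inside_host:port; [] means all three pieces exist."""
    problems = []
    statics = [s for s in parse_statics(config)
               if s["proto"] == proto and s["laddr"] == inside_host and s["lport"] == port]
    if not statics:
        problems.append(f"no static (inside,{outside}) {proto} ... {inside_host} {port}")
    gaddrs = {s["gaddr"] for s in statics} or {"interface"}  # no static: assume interface PAT
    gports = {s["gport"] for s in statics} or {port}
    acl = {iface: name for name, iface in GROUP_RE.findall(config)}.get(outside)
    if acl is None:
        return problems + [f"no access-group bound inbound on interface {outside}"]
    def matches(e):
        dst_ok = (e["dst"] == "any"
                  or (e["dst"] == f"interface {outside}" and "interface" in gaddrs)
                  or (e["dst"].startswith("host ") and e["dst"][5:] in gaddrs))
        port_ok = all(any(lo <= g <= hi for lo, hi in e["ports"]) for g in gports)
        return e["action"] == "permit" and e["proto"] in (proto, "ip") and dst_ok and port_ok
    if not any(matches(e) for e in parse_acls(config).get(acl, [])):
        problems.append(f"ACL {acl!r} has no permit for {proto}/{port} to the mapped address")
    return problems
```

Run against the "before" excerpt, `audit_port_forward(CONFIG_BEFORE, "tcp", 22, "192.168.0.110")` reports both the missing static and the missing ACE, which is exactly what the accepted solution says about the posted config; the same call on `CONFIG_AFTER` returns an empty list, and the existing tftp publication to 192.168.0.57 checks out because the BroadVoice1 group is expanded to its port ranges. `unbound_acls(CONFIG_BEFORE)` returns `["Inbound"]`, the stray capitalised list from the posted config that no access-group ever applies.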
