10-20-2005 10:57 PM
I would like to access my PC from xyz location. How do I open port 22 to access my PC? I am using a PIX 501.
Can anyone provide the commands to open the port so that I can access my PC?
Thanks
10-22-2005 06:26 PM
Totally agree, as only 3 commands are required.
access-list inbound permit tcp any
static (inside,outside) tcp interface 22
clear xlate
However, all these commands are missing from the config you posted.
10-21-2005 12:08 AM
hostname pix
domain-name yourcompany.com.au
ca generate rsa key 1024
ca save all
In order to allow/restrict SSH access to the PIX:
ssh
10-21-2005 12:11 AM
Is "trusted host ip" the IP address from where I am accessing, or the IP of the PC which I want to access?
Thanks
10-21-2005 12:20 AM
Yes, e.g. your home internet public IP.
10-21-2005 12:28 AM
I would like to access this machine address: 192.168.0.110
Do you mean this is how it should be?
=======================================================
hostname cisco
domain-name wasay.com
ca generate rsa key 1024
ca save all
ssh 192.168.0.110 255.255.255.0 outside
=====================================================
Do I need to put any IP details in the PIX of the PC at the place from where I am accessing my home PC?
Or are just the above commands OK?
Thanks
10-21-2005 04:27 AM
The problem is not yet solved. Can anyone show the exact command to open port 22?
I have tried the above command; it didn't work.
Thanks
10-21-2005 04:49 AM
I think the previous command is to allow PIX management via SSH from Outside/Internet.
The command "ssh
If you need to access your PC which sits on the inside segment, you need to map it to a public IP and use an ACL that opens port 22 (SSH) to enable you to access it from Outside/Internet. This ACL needs to be configured on the outside interface.
example:
1. Static map of your internal PC to a public IP (assigned by SP)
static (inside,outside) 199.100.100.10 192.168.0.110 netmask 255.255.255.255
2. Open ACL on the outside interface
access-list 100 permit tcp any host 199.100.100.10 eq 22
3. Bind it to outside interface
access-group 100 in interface outside
* You can also specify a specific IP/subnet by replacing 'any' with a host ID or subnet ID and netmask, as follows:
- For single host:
access-list 100 permit tcp host 202.100.100.100 host 199.100.100.10 eq 22
- For subnet:
access-list 100 permit tcp 202.100.100.0 255.255.255.0 host 199.100.100.10 eq 22
Make sure your internal PC is allowed to access Outside/Internet as well. If you have any ACL on the inside interface, make sure it allows your internal PC to pass through.
Cheers!
AK
10-21-2005 04:58 AM
Hi,
If you are looking to SSH to your PC behind the PIX from xyz, try this:
static (inside,outside) tcp p.p.p.p 22 192.168.0.110 22 netmask 255.255.255.255
access-list outside_in permit tcp host h.h.h.h host p.p.p.p eq 22
Where:
p.p.p.p is your PIX outside interface IP or another public IP routed to your PIX.
outside_in is the access-list applied to your outside interface
h.h.h.h is xyz public IP address
HTH
Regards,
Shijo George.
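As an added example (not code from anyone in this thread), the following Python script audits a PIX 6.3 "sh run" for the three pieces the two answers above describe: a tcp static for the inside host, a matching access-list line, and the access-group that binds that ACL to the outside interface. The sample config lines are taken from the config posted later in the thread; 203.0.113.5 is a placeholder for the remote (xyz) public IP.

```python
# Constructed sample: relevant lines from the posted config (POSTED), then the
# same lines plus the static and ACL entries the answers call for (FIXED).
POSTED = """\
access-list inbound permit udp any interface outside object-group BroadVoice1
access-list Inbound permit udp any interface outside object-group BroadVoice1
static (inside,outside) udp interface tftp 192.168.0.57 tftp netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""
FIXED = POSTED + """\
static (inside,outside) tcp interface 22 192.168.0.110 22 netmask 255.255.255.255 0 0
access-list inbound permit tcp host 203.0.113.5 interface outside eq 22
"""

PORT_NAMES = {"22": "ssh"}  # PIX accepts a name in place of the number


def _endpoint(tok):
    """Consume one ACL endpoint: 'any' (1 token) or 'host A' / 'interface X' / 'A MASK' (2 tokens)."""
    if not tok:
        return None, tok
    return ("any", tok[1:]) if tok[0] == "any" else (" ".join(tok[:2]), tok[2:])


def audit_port_forward(config, inside_host, port="22"):
    """Report whether config exposes inside_host:port via static + ACL + access-group."""
    result = {"static": None, "bound_acls": set(), "acl": None, "source": None}
    lines = [line.split() for line in config.splitlines()]
    for tok in lines:
        # static (inside,outside) tcp <global> <gport> <local> <lport> netmask ...
        if len(tok) >= 7 and tok[:3] == ["static", "(inside,outside)", "tcp"] \
                and tok[5:7] == [inside_host, port]:
            result["static"] = (tok[3], tok[4])
        # Only ACLs actually applied inbound on outside count; names are matched
        # exactly (the posted config has both 'inbound' and 'Inbound', one bound).
        elif tok[:1] == ["access-group"] and tok[2:5] == ["in", "interface", "outside"]:
            result["bound_acls"].add(tok[1])
    if not result["static"]:
        return result
    gaddr, gport = result["static"]
    wanted_dst = "interface outside" if gaddr == "interface" else "host " + gaddr
    for tok in lines:
        if tok[:1] != ["access-list"] or tok[2:4] != ["permit", "tcp"]:
            continue
        src, rest = _endpoint(tok[4:])
        dst, rest = _endpoint(rest)
        if dst == wanted_dst and tok[1] in result["bound_acls"] \
                and rest[:2] in (["eq", gport], ["eq", PORT_NAMES.get(gport, gport)]):
            result["acl"], result["source"] = tok[1], src  # src 'any' = open to the world
            break
    return result
```

Run against the posted config the static comes back None, i.e. exactly the finding in the accepted answer; against FIXED it reports the ACL name and that the source is restricted to one host.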
10-21-2005 05:43 AM
Please excuse me, as I wasn't thinking. The commands I posted are for managing the PIX.
As the last couple of posts suggested, those are the commands required. Just another comment: do "clear xlate" after applying static statements, as it forces the PIX to refresh the IP address translation.
10-21-2005 04:16 PM
I have tried the above commands; they didn't work. Is there anyone who is an expert in the PIX firewall who can solve my issue? It's urgent; I want to access my PC.
10-21-2005 08:28 PM
Please post the config with the public IP masked.
10-21-2005 10:50 PM
Thanks for the reply, here is the config:
Result of firewall command: "sh run"
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password i8sWQlcI4sodDEYK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Melbourne
domain-name lexiainfotech.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service UDPList udp
port-object eq 5060
port-object eq 8000
port-object range 16384 20384
object-group service BroadVoice1 tcp-udp
port-object range 5060 5063
port-object range 10000 20000
port-object range 16384 20384
port-object eq 69
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inbound permit udp any interface outside object-group BroadVoice1
access-list Inbound permit udp any interface outside object-group BroadVoice1
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.57 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) udp interface tftp 192.168.0.57 tftp netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set SecuritySet esp-des esp-sha-hmac
crypto map rtpmap 1 ipsec-isakmp
crypto map rtpmap 1 match address 102
crypto map rtpmap 1 set peer 61.17.xxx.xxx
crypto map rtpmap 1 set transform-set SecuritySet
crypto map rtpmap 1 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map rtpmap 2 ipsec-isakmp
crypto map rtpmap 2 match address 103
crypto map rtpmap 2 set peer 58.105.xxx.xxx
crypto map rtpmap 2 set transform-set SecuritySet
crypto map rtpmap 2 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map rtpmap interface outside
isakmp enable outside
isakmp key **address 61.17.xxx.xxx netmask 255.255.255.255
isakmp key **address 58.105.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Internet request dialout pppoe
vpdn enable inside
dhcpd address 192.168.0.33-192.168.0.62 inside
dhcpd lease 3600
dhcpd ping_timeout 750
10-21-2005 11:19 PM
Do "sh access-list inbound" to verify whether the ACL is being hit or not.
Verify whether the host 192.168.0.57 has the PIX inside interface as its default gateway.
Also verify the TFTP service is running correctly, e.g. try to establish TFTP from the subnet 192.168.0.0/24.
Do "sh xlate | in 192.168.0.57" to verify the IP translation.
Lastly, just wondering whether you were testing TFTP from outside the PIX, such as from the internet.
10-22-2005 03:51 PM
Thanks for the reply
I am pretty sure the above instructions have nothing to do with opening port 22.
I came back home and would like to end this topic; thanks to Jakko and other NetPro members for their support.
Hence my problem is not solved, and I am 100% sure there are only 3 to 4 commands to open port 22.
Thanks. Have a good weekend.