
How to open port 22 in pix 501 1

Status
Not open for further replies.

kam72

IS-IT--Management
Jul 23, 2005
97
AU
I would like to access my PC from xyz location. How do I open port 22 to access my PC? I am using a PIX 501.

Can anyone provide the commands to open the port so that I can access my PC?

Thanks
 
static (inside, outside) <outside_IP> <inside_IP> netmask 255.255.255.255

access-list inbound permit tcp host xyz host <outside_IP> eq 22

access-group inbound in interface outside

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
A bit confused following this; can you please clear my doubts:

Outside IP: you mean the PIX outside IP, or the outside IP of the PC from where I'm accessing?

host xyz host : ?

Thanks

 
The outside IP is the IP address from your allocation that you are translating to, i.e. this is the global IP address that you would connect to from the internet.

So, if you had your SSH server on 192.168.10.5 and your global IP address that you were NATing to was 1.2.3.4 then you would have:

static (inside,outside) 1.2.3.4 192.168.10.5 netmask 255.255.255.255

So any inbound connections to 1.2.3.4 that were passed by the access-list would be translated to 192.168.10.5.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
static (inside,outside) tcp 203.105.78.xxx 22 192.168.1.110 22 netmask 255.255.255.255 0 0
access-list inbound permit tcp any any eq 22
access-group inbound in interface outside


Thanks
 
To be more secure ..

access-list inbound permit tcp any host 203.105.78.xxx eq 22

The problem with allowing SSH to "any" is that if you created another static for some other box and SSH was open on that box then SSH would also be open for that box from the internet. It's better to allow a specific service to a specific IP address, ie. the server in question.

To be even MORE secure, tie down access from a specific host or range rather than "any".

Chris.



**********************
Chris A.C, CCNA, CCSA
**********************
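The thread shows three progressively tighter access-lists but never the whole thing together. The fragment below is an added example, not posted by Chris or anyone else in the thread and not taken from Cisco documentation; it puts the port-level static and the three rule variants side by side in PIX 6.x syntax. All addresses are placeholders chosen for the example: 203.0.113.10 stands for the global (outside) address being NATed to, 192.168.1.110 for the internal SSH server, and 198.51.100.7 for the single remote host ("xyz location") allowed in.

```cisco
! Added example with placeholder addresses (not the thread's real values):
!   203.0.113.10  = PIX global (outside) address the server is translated to
!   192.168.1.110 = internal SSH server
!   198.51.100.7  = the one remote host permitted to connect
!
! Port-level static: only tcp/22 on the global address maps to the server,
! instead of exposing every port of 192.168.1.110 through 203.0.113.10.
static (inside,outside) tcp 203.0.113.10 22 192.168.1.110 22 netmask 255.255.255.255 0 0
!
! Weak (the thread's first version): any source to any destination. Every
! other static added later with sshd listening becomes Internet-reachable.
! access-list inbound permit tcp any any eq 22
!
! Better: one destination only. On PIX 6.x the outside ACL is matched against
! the global (translated) address, so the global address goes here, not the
! inside address.
! access-list inbound permit tcp any host 203.0.113.10 eq 22
!
! Tightest: one source host (or a specific subnet) to the one destination.
! Unlisted traffic is dropped by the implicit deny at the end of the list.
access-list inbound permit tcp host 198.51.100.7 host 203.0.113.10 eq 22
access-group inbound in interface outside
!
! Verify the translation and the rule that was actually installed
show static
show access-list inbound
```

Only one of the three access-list lines should be active at a time; the commented-out ones are there to show the difference. `show access-list` also displays hit counts per rule, which is the quickest way to confirm that only the intended source is actually reaching port 22.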
 
