SSH / PDM on the Outside Interface

Status
Not open for further replies.

enacht

Technical User
Jun 3, 2003
19
CH
Dear Experts,

After studying several newsgroups and searching the forum here, I still haven't found an answer to what I'm looking for.

Having had bad experiences with other firewalls in the past, we switched to a PIX 515E. With those non-PIX firewalls it sometimes happened that they became unresponsive on the LAN (inside) port and had to be rebooted remotely, since access to the colocation facility isn't possible 24/7 (or only at a very high cost).

I've been trying to find a way to be able to SSH to the PIX from remote, or access PDM from remote.

I've created the rules and everything, I think, but I still don't get an SSH or PDM connection to the PIX. Thus I'm wondering if it's possible at all to connect via SSH to the outside port of the PIX (PDM is not really necessary).

I can't paste the rules at the moment, since I'm at home and can't access the PIX currently (due to lacking SSH access ;)).

Any ideas on this would be greatly appreciated.

Emanuel


--
the router thought it was a printer
 
Post your config. This is pointless until we can see what exactly you're doing.
 
Here is the config:

Code:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
enable password <protected>
passwd <protected> encrypted
hostname pix
domain-name us.ch
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name xxx.xxx.222.229 jabber.us
name xxx.xxx.222.228 rodan.us
name xxx.xxx.222.227 ftp.us
name xxx.xxx.222.239 musik.cust
name xxx.xxx.222.238 teleboy.us
name xxx.xxx.222.237 tv.us
name xxx.xxx.222.236 media.us
name xxx.xxx.222.235 gateway.us
name xxx.xxx.222.234 backoffice
name xxx.xxx.222.233 us.ch
name xxx.xxx.222.232 jabber.dnc
name xxx.xxx.222.231 platon.clubgirl
name xxx.xxx.222.230 grendel.us
name xxx.xxx.222.246 wap1.cineservice
name xxx.xxx.222.245 platon2.us
name xxx.xxx.222.244 platon.us
name xxx.xxx.222.243 cine.cust
name xxx.xxx.222.242 tv.cust
name xxx.xxx.222.241 kino.cust
name xxx.xxx.222.240 games.cust
name xxx.xxx.222.252 floating
name xxx.xxx.222.251 grendel2.us
name xxx.xxx.222.250 src.kino
name xxx.xxx.222.249 src.cineman
name xxx.xxx.222.248 mate.us.ch
name xxx.xxx.222.247 wap.cinemachine
name xxx.xxx.222.253 floating2
name xxx.xxx.xxx.131 office2
name xxx.xxx.xxx.132 office3
name xxx.xxx.xxx.130 office
name xxx.xxx.xxx.134 office5
name xxx.xxx.xxx.133 office4
name xxx.xxx.141.254 customer_6
name xxx.xxx.55.199 customer_1
name xxx.xxx.151.1 customer_4
name xxx.xxx.201.37 customer_2
name xxx.xxx.71.0 customer_8
name xxx.xxx.6.45 customer_3
name xxx.xxx.150.1 customer_5
name xxx.xxx.9.17 customer_7
name xxx.xxx.102.185 sbb.db
name xxx.xxx.102.186 sbb.web
name xxx.xxx.17.222 sbb.devel
name xxx.xxx.238.12 customer_9
access-list outside_access_in permit tcp any any eq www 
access-list outside_access_in permit tcp any any eq 22 
access-list outside_access_in permit tcp host customer_1 host ftp.us eq ftp 
access-list outside_access_in permit tcp host customer_2 host ftp.us eq ftp 
access-list outside_access_in permit tcp host customer_3 host ftp.us eq ftp 
access-list outside_access_in permit tcp host customer_4 host ftp.us eq ftp 
access-list outside_access_in permit tcp host customer_5 host ftp.us eq ftp 
access-list outside_access_in permit tcp host customer_6 host ftp.us eq ftp 
access-list outside_access_in permit tcp host customer_7 host ftp.us eq ftp 
access-list outside_access_in permit tcp host customer_8 host ftp.us eq ftp 
access-list outside_access_in permit tcp host office host ftp.us eq ftp 
access-list outside_access_in permit tcp host office2 host ftp.us eq ftp 
access-list outside_access_in permit tcp host office3 host ftp.us eq ftp 
access-list outside_access_in permit tcp host office4 host ftp.us eq ftp 
access-list outside_access_in permit tcp host office5 host ftp.us eq ftp 
access-list outside_access_in permit tcp any host jabber.us eq smtp 
access-list outside_access_in permit tcp any host jabber.us eq pop3 
access-list outside_access_in permit tcp host office host rodan.us eq 3306 
access-list outside_access_in permit tcp host office2 host rodan.us eq 3306 
access-list outside_access_in permit tcp host office3 host rodan.us eq 3306 
access-list outside_access_in permit tcp host office4 host rodan.us eq 3306 
access-list outside_access_in permit tcp host office5 host rodan.us eq 3306 
access-list outside_access_in permit tcp host office host platon.clubgirl eq ftp 
access-list outside_access_in permit tcp host office2 host platon.clubgirl eq ftp 
access-list outside_access_in permit tcp host office3 host platon.clubgirl eq ftp 
access-list outside_access_in permit tcp host office4 host platon.clubgirl eq ftp 
access-list outside_access_in permit tcp host office5 host platon.clubgirl eq ftp 
access-list outside_access_in permit tcp host sbb.db host ftp.us eq ftp 
access-list outside_access_in permit tcp host sbb.web host ftp.us eq ftp 
access-list outside_access_in permit tcp host sbb.devel host ftp.us eq ftp 
access-list DMZ_access_in permit tcp any any 
access-list DMZ_access_in permit udp any any 
access-list DMZ_access_in permit icmp any any 
access-list outside_acces_in permit udp any host jabber.us eq domain 
access-list outside_acces_in permit udp any host jabber.us eq dnsix 
access-list outside_acces_in permit udp any host jabber.dnc eq domain 
pager lines 24
logging on
logging trap errors
logging host DMZ jabber.us
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside xxx.xxx.222.186 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip address DMZ xxx.xxx.222.226 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 192.168.0.3 255.255.255.255 inside
pdm location ftp.us 255.255.255.255 DMZ
pdm location rodan.us 255.255.255.255 DMZ
pdm location jabber.us 255.255.255.255 DMZ
pdm location grendel.us 255.255.255.255 DMZ
pdm location platon.clubgirl 255.255.255.255 DMZ
pdm location jabber.dnc 255.255.255.255 DMZ
pdm location us.ch 255.255.255.255 DMZ
pdm location backoffice 255.255.255.255 DMZ
pdm location gateway.us 255.255.255.255 DMZ
pdm location media.us 255.255.255.255 DMZ
pdm location tv.us 255.255.255.255 DMZ
pdm location teleboy.us 255.255.255.255 DMZ
pdm location musik.cust 255.255.255.255 DMZ
pdm location games.cust 255.255.255.255 DMZ
pdm location kino.cust 255.255.255.255 DMZ
pdm location tv.cust 255.255.255.255 DMZ
pdm location cine.cust 255.255.255.255 DMZ
pdm location platon.us 255.255.255.255 DMZ
pdm location platon2.us 255.255.255.255 DMZ
pdm location wap1.cineservice 255.255.255.255 DMZ
pdm location wap.cinemachine 255.255.255.255 DMZ
pdm location mate.us.ch 255.255.255.255 DMZ
pdm location src.cineman 255.255.255.255 DMZ
pdm location src.kino 255.255.255.255 DMZ
pdm location grendel2.us 255.255.255.255 DMZ
pdm location floating 255.255.255.255 DMZ
pdm location floating2 255.255.255.255 DMZ
pdm location office2 255.255.255.255 outside
pdm location office 255.255.255.255 outside
pdm location office3 255.255.255.255 outside
pdm location office4 255.255.255.255 outside
pdm location office5 255.255.255.255 outside
pdm location customer_7 255.255.255.255 outside
pdm location customer_8 255.255.255.0 outside
pdm location customer_1 255.255.255.255 outside
pdm location customer_3 255.255.255.255 outside
pdm location customer_5 255.255.255.255 outside
pdm location customer_4 255.255.255.255 outside
pdm location customer_2 255.255.255.255 outside
pdm location customer_6 255.255.255.255 outside
pdm location customer_8 255.255.255.255 outside
pdm location xxx.xxx.222.0 255.255.255.0 DMZ
pdm location sbb.db 255.255.255.255 outside
pdm location sbb.web 255.255.255.255 outside
pdm location sbb.devel 255.255.255.255 outside
pdm location customer_9 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) jabber.us jabber.us netmask 255.255.255.255 0 0
static (DMZ,outside) rodan.us rodan.us netmask 255.255.255.255 0 0
static (DMZ,outside) ftp.us ftp.us netmask 255.255.255.255 0 0
static (DMZ,outside) musik.cust musik.cust netmask 255.255.255.255 0 0
static (DMZ,outside) teleboy.us teleboy.us netmask 255.255.255.255 0 0
static (DMZ,outside) tv.us tv.us netmask 255.255.255.255 0 0
static (DMZ,outside) media.us media.us netmask 255.255.255.255 0 0
static (DMZ,outside) gateway.us gateway.us netmask 255.255.255.255 0 0
static (DMZ,outside) backoffice backoffice netmask 255.255.255.255 0 0
static (DMZ,outside) us.ch us.ch netmask 255.255.255.255 0 0
static (DMZ,outside) jabber.dnc jabber.dnc netmask 255.255.255.255 0 0
static (DMZ,outside) platon.clubgirl platon.clubgirl netmask 255.255.255.255 0 0
static (DMZ,outside) grendel.us grendel.us netmask 255.255.255.255 0 0
static (DMZ,outside) wap1.cineservice wap1.cineservice netmask 255.255.255.255 0 0
static (DMZ,outside) platon2.us platon2.us netmask 255.255.255.255 0 0
static (DMZ,outside) platon.us platon.us netmask 255.255.255.255 0 0
static (DMZ,outside) cine.cust cine.cust netmask 255.255.255.255 0 0
static (DMZ,outside) tv.cust tv.cust netmask 255.255.255.255 0 0
static (DMZ,outside) kino.cust kino.cust netmask 255.255.255.255 0 0
static (DMZ,outside) games.cust games.cust netmask 255.255.255.255 0 0
static (DMZ,outside) floating floating netmask 255.255.255.255 0 0
static (DMZ,outside) grendel2.us grendel2.us netmask 255.255.255.255 0 0
static (DMZ,outside) src.kino src.kino netmask 255.255.255.255 0 0
static (DMZ,outside) src.cineman src.cineman netmask 255.255.255.255 0 0
static (DMZ,outside) mate.us.ch mate.us.ch netmask 255.255.255.255 0 0
static (DMZ,outside) wap.cinemachine wap.cinemachine netmask 255.255.255.255 0 0
static (DMZ,outside) floating2 floating2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.222.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
http server enable
http office 255.255.255.255 outside
http office2 255.255.255.255 outside
http office3 255.255.255.255 outside
http office4 255.255.255.255 outside
http office5 255.255.255.255 outside
http 192.168.0.2 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
http xxx.xxx.222.0 255.255.255.0 DMZ
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh office 255.255.255.255 outside
ssh office2 255.255.255.255 outside
ssh office3 255.255.255.255 outside
ssh office4 255.255.255.255 outside
ssh office5 255.255.255.255 outside
ssh xxx.xxx.90.29 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh xxx.xxx.222.0 255.255.255.0 DMZ
ssh timeout 60
terminal width 80

Hope we'll be able to get things solved now :)

Thanks a lot, everyone, for your patience with me!

Emanuel
 
Very simply...two lines:

access-list outside_access_in permit tcp any host xxx.xxx.222.186 eq 22
ssh 0.0.0.0 0.0.0.0 outside
 
Just did that. When I do a show access-list, the generic SSH rule matches, not the one for xxx.xxx.222.186.

So I first removed the generic SSH access-list, so that the one for the outside interface comes first, then re-added it. The hit count goes up for that access-list, but I still get a connection timed out (with different SSH clients). The debugging log also spits out the same as usual. debug ssh doesn't show anything either...

Emanuel

--
the router thought it was a printer
 
Dunno what to tell you. That config works on our PIX for every machine that connects with a client that supports SSH version 1.
 
I've tried what you're saying, and have never gotten it to work. I'm just wondering if it's possible on 6.x...

BuckWeet
 
Just wanna double-check. You created the certificate and saved it...correct?
 
...And one more shot-in-the-dark: Have you checked that the date and time of your firewall are correct? If not, set it to the correct time/date then regenerate the certificate with:
ca zeroize rsa
ca save all
ca gen rsa key 1024
ca save all
 
Yes, I created the certificate.
Yes, the date and time are correct, maybe a few seconds off; I set the clock according to ntpdate when I set it up.

I guess I wouldn't even be able to SSH in from the DMZ if the date/time was wrong and the cert wasn't saved?

--
the router thought it was a printer
 
Hi.

Regarding "enact" post dated Jun 24, 2003:
> static (inside,outside) interface 192.168.0.2
> okay, i removed that line, write mem.
> and the syslog still says the same
> Jun 24 10:47:42 xxx.xxx.xxx.xxx PIX-6-302001: Built inbound TCP connection 7389458 for faddr xxx.xxx.90.29/34487 gaddr xxx.xxx.222.186/22 laddr 192.168.0.2/22

As you can see above, the change did not take effect.

After changing translation rules, you should issue the command:
clear xlate
Or reload the pix.


Regarding bwilliam13 post dated Jun 25, 2003:
> Very simply...two lines:
> access-list outside_access_in permit tcp any host xxx.xxx.222.186 eq 22

The access-list is not needed.
Traffic to the PIX itself like SSH does not need an ACL to open the port, only the "ssh" command.

> ssh 0.0.0.0 0.0.0.0 outside
This is good for testing, but I recommend that after you solve the problem, you limit SSH access to only specific IP addresses:
ssh x.x.x.x 255.255.255.255 outside

Bye


Yizhar Hurwitz
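As an added example, not code from this thread or its posters, here is a small Python check for the three pitfalls that came up above: a `ssh`/`http` line open to any source, a `static` that forwards the outside interface address to an inside host (which is what translated the poster's SSH session to 192.168.0.2 instead of the PIX), and an access-list name that is never bound by `access-group` (the posted config has `outside_acces_in` next to `outside_access_in`). The configuration inside the script is a constructed, trimmed sample in the style of the posted one.

```python
import re

# Constructed sample in the style of the PIX 6.1 config posted in this thread.
# The "static (inside,outside) interface 192.168.0.2" line is the one quoted from
# the Jun 24 post; everything else is a trimmed, partly masked subset, not the
# poster's full configuration.
SAMPLE_CONFIG = """
access-list outside_access_in permit tcp any any eq 22
access-list outside_acces_in permit udp any host jabber.us eq domain
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
static (inside,outside) interface 192.168.0.2
http server enable
http 192.168.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
"""

def audit_pix_config(text):
    """Return findings for the three pitfalls this thread runs into."""
    findings = []
    defined, bound = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) ", line)
        if m:
            defined.add(m.group(1))
        m = re.match(r"access-group (\S+) in interface", line)
        if m:
            bound.add(m.group(1))
        # Management access (ssh/http) allowed from any source on an interface.
        m = re.match(r"(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m:
            findings.append(f"{m.group(1)} on {m.group(2)} open to any source; "
                            "limit it to specific hosts with /32 masks")
        # The whole outside interface address is forwarded to an inside host,
        # so SSH aimed at the PIX's outside IP is translated to that host
        # (the laddr 192.168.0.2/22 in the syslog) and never reaches the PIX.
        m = re.match(r"static \(\S+,(\S+)\) interface (\S+)", line)
        if m:
            findings.append(f"static forwards the {m.group(1)} interface address to "
                            f"{m.group(2)}; management traffic to that interface is "
                            "translated away (remove it, then 'clear xlate')")
    # An ACL name nobody binds is usually a typo; its rules silently do nothing.
    for name in sorted(defined - bound):
        findings.append(f"access-list {name} is defined but never bound with "
                        "access-group (misspelled name?)")
    return findings
```

Run `audit_pix_config` over a `show run` capture to get the findings as a list of strings; a clean config returns an empty list.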
 
Yup, that did it!
After the clear xlate I got SSH to the outside interface working. Thanks a lot, Yizhar!

Should've realised this myself I guess, but was just too stubborn to see it ;)

Emanuel

--
the router thought it was a printer
 