SSH via port 443 forwarding on Cisco PIX 515

danny
I recently set up FreeSSHD on a server that resides behind a Cisco PIX 515 firewall running PIX IOS 6.3. I am trying to configure the firewall so that I can forward SSH traffic on port 443 so I can SSH to my server remotely. I am a noob to Cisco hardware so any help would be greatly appreciated. Here is my config:

Code:
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password xxxx encrypted
passwd xxxx encrypted
hostname BurklandPIX
domain-name BurklandLAN
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.151 Danny-PC
name 192.168.1.5 WRT54GL
access-list outside-to-inside permit tcp any interface outside eq https
pager lines 24
logging on
logging history informational
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
no ip address intf2
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm location 10.192.168.152 255.255.255.255 inside
pdm location 10.192.168.176 255.255.255.240 outside
pdm location 75.73.115.143 255.255.255.255 outside
pdm location 192.168.1.11 255.255.255.255 inside
pdm location 192.168.1.152 255.255.255.255 inside
pdm location WRT54GL 255.255.255.255 inside
pdm location Danny-PC 255.255.255.255 inside
pdm logging emergencies 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https 192.168.1.152 https netmask 255.255.255.255 0 0
access-group outside-to-inside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.11 255.255.255.255 inside
snmp-server host inside 192.168.1.152
snmp-server location BurklandLAN
snmp-server contact Dan
snmp-server community BurklandLANRO
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
isakmp enable outside
telnet timeout 5
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.20-192.168.1.50 inside
dhcpd dns 192.168.1.152 208.67.220.220
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
 
not sure what exactly you're asking...

is the server listening on port 443 or 22?

and why do you want to use 443? is another firewall blocking 22? can't you tell the server to listen on port 22 and then just set up a rule to allow 22 through?

either way, I see you have private IP space on the inside, so you will need a NAT (PAT, actually) rule to configure what SOHO routers call 'port forwarding'.
 
The server is listening on port 443 and I can connect to it internally, but my friends or anybody else cannot connect to it from outside my LAN. I have it set up for 443 so I can securely access my computer at school, where only ports 80 &amp; 443 are open. I forget a lot of things and having backup in case I need a file or two helps out tremendously.
 
if that's the case, then all you need to do is set up a NAT rule for your outside IP address with a destination port of 443 being NATed to your internal IP address. I don't know the syntax offhand, but I'm sure you can find it on Cisco's site as a configuration guide.

then you just set your client software (putty or whatever) to use the SSH protocol on port 443 instead of 22.
 
Interesting how the commands are just a little different between my 1841 and your pix.

I can look over my commands, but it looks like it's going to be a little different between the pix and 1841 IOS versions. You may not need NAT though, just an extended access list, but you'll have to append it to any current one on the interface in question because I'm pretty sure you can only run one ACL to a given interface.

Assuming you have a fixed IP range that you know, and it varies only within the last octet:
This also assumes the university NATs the workstations out to a public IP, which they may not. If not and you are behind a private LAN with one IP to the world, then just fix it on one IP by "{university_range_IPs} 0.0.0.0" (no quotes and no brackets, fill them in. 0.0.0.0 means THAT IP ONLY). There are other ways of designating one host, but this is sticking to one method for simplicity.

For my IOS version:
access-list 101 permit {university_range_IPs} 0.0.0.255 eq 443 {your_internal_IP_for_SSH} 0.0.0.0 eq 443

Bear in mind that using this method, you could also use internal port 22 if you wanted to.

Hack this into the syntax for your ACLs and add it to your current rules. Your syntax is different enough that I am not capable of this yet. Then apply it all to the given interface. Make a backup in case it hoses LOL. Don't copy run start until you've tested this haha.
 
I actually don't have a fixed IP range, I have Comcast which means I only have 1 DHCP assigned IP address. I want to be able to SSH home no matter where I am so I don't want to limit it to just my school's IP range.
 
Ok, but you'll be leaving the port WIDE open. Just FYI.

I found an option I forgot on the last one too, so this has the right parameters.

access-list 101 permit tcp any eq 443 {your_internal_IP_for_SSH} 0.0.0.0 eq 443
Now apply that as before, and I forgot to mention before (assuming you know this already): apply it "in", for incoming traffic.

If you are trying to translate this to pix syntax and need to see what options you have for your command, just type in a partial command with a question mark:
access-list ?
That will give you a list of parameters available for what you have typed in.
 
LMAO.

Well it won't be a direct copy and paste. How well do you know the syntax of your firewall?
 
I know it's not a direct copy and paste, since I created the access group outside-to-inside with the command
Code:
access-group outside-to-inside in interface outside
my ACL command I entered was
Code:
access-list outside-to-inside permit tcp any eq 443 192.168.1.152 eq 443

192.168.1.152 is the IP of my SSH server on my LAN
 
no static (inside,outside) tcp interface https 192.168.1.152 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.152 ssh netmask 255.255.255.255 0 0

your original ACL was correct, the one right above my post is wrong. You want to allow https from any to the interface on https; ACLs take place before NATs in the order of operations.
clear xlate after you apply that static
 
oh, whoops, I didn't realize that the server inside was listening on https. Other than that, I don't know, I bet the server isn't allowing connections from outside IPs. do a "show access-list outside-to-inside" to see if you can increment hits. All you need is a static and an ACL and the pix will pass the traffic. If you're dicking around with it too much, you might need to clear xlate and clear conn.
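The ACL-before-NAT ordering in the two posts above is the part that tripped this thread up, so here is an added example (mine, not from the thread) that lints the three PIX 6.3 lines that matter: it parses the static, the access-list and the access-group, and flags both mistakes seen here, an ACL whose destination is the inside host instead of the outside interface, and a static that forwards https to ssh when the server actually listens on 443. The regexes cover only the command forms used in this thread, and LISTENERS is a constructed map of which port the inside host listens on.

```python
import re

# Cisco port keywords used in the thread, resolved to numbers
PORT_NAMES = {"https": 443, "ssh": 22, "http": 80}
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any(?: eq \S+)? (.+?) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

# Constructed from the thread: FreeSSHD on 192.168.1.152 listens on 443
LISTENERS = {"192.168.1.152": 443}
# The three lines from danny's config that make the forward work
WORKING_CONFIG = """
access-list outside-to-inside permit tcp any interface outside eq https
static (inside,outside) tcp interface https 192.168.1.152 https netmask 255.255.255.255 0 0
access-group outside-to-inside in interface outside
"""

def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def check_forward(config, listeners):
    """Return a list of problems in the static PAT / ACL pairing."""
    statics, acls, groups = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):  # outside port -> (inside host, inside port)
            statics[port_num(m.group(3))] = (m.group(4), port_num(m.group(5)))
        elif m := ACL_RE.match(line):  # acl name -> [(destination, port)]
            acls.setdefault(m.group(1), []).append((m.group(2), port_num(m.group(3))))
        elif m := GROUP_RE.match(line):  # acl name -> bound interface
            groups[m.group(1)] = m.group(2)
    problems, permitted = [], set()
    for name, iface in groups.items():
        for dest, port in acls.get(name, []):
            permitted.add(port)
            if dest != f"interface {iface}":
                # PIX 6.3 checks the inbound ACL before translation, so the
                # destination must be the outside interface, not the inside host
                problems.append(f"acl {name}: destination '{dest}' is an inside address; "
                                f"the ACL is checked before NAT, so use 'interface {iface}'")
            elif port not in statics:
                problems.append(f"acl {name}: port {port} permitted but no static forwards it")
    for oport, (host, iport) in statics.items():
        if oport not in permitted:
            problems.append(f"static: port {oport} forwarded but no bound ACL permits it")
        if listeners.get(host) != iport:
            problems.append(f"static: forwards {oport} to {host}:{iport} but the service "
                            f"listens on {listeners.get(host)}")
    return problems
```

Run `check_forward(WORKING_CONFIG, LISTENERS)` and it returns an empty list; swap in the ACL or the static from the posts above and it names the line that breaks the forward.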
 
Yes, it finally works!!! Applying the static and entering clear xlate fixed the issue. Thanks again guys for all the help!!!
 
Glad you got it working :)

The pix is different in its command structure. I need to learn the differences.
 