SSH via port 443 forwarding on Cisco PIX 515

Discussion in 'Networking & Security' started by `danny, May 12, 2008.

  1. `danny

    I recently set up FreeSSHD on a server that resides behind a Cisco PIX 515 firewall running PIX IOS 6.3. I am trying to configure the firewall so that I can forward SSH traffic on port 443 so I can SSH to my server remotely. I am a noob to Cisco hardware, so any help would be greatly appreciated. Here is my config:

    Code:
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    enable password xxxx encrypted
    passwd xxxx encrypted
    hostname BurklandPIX
    domain-name BurklandLAN
    clock timezone CST -6
    clock summer-time CDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.151 Danny-PC
    name 192.168.1.5 WRT54GL
    access-list outside-to-inside permit tcp any interface outside eq https
    pager lines 24
    logging on
    logging history informational
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    no ip address intf2
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address intf2
    pdm location 10.192.168.152 255.255.255.255 inside
    pdm location 10.192.168.176 255.255.255.240 outside
    pdm location 75.73.115.143 255.255.255.255 outside
    pdm location 192.168.1.11 255.255.255.255 inside
    pdm location 192.168.1.152 255.255.255.255 inside
    pdm location WRT54GL 255.255.255.255 inside
    pdm location Danny-PC 255.255.255.255 inside
    pdm logging emergencies 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface https 192.168.1.152 https netmask 255.255.255.255 0 0
    access-group outside-to-inside in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.11 255.255.255.255 inside
    snmp-server host inside 192.168.1.152
    snmp-server location BurklandLAN
    snmp-server contact Dan
    snmp-server community BurklandLANRO
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    isakmp enable outside
    telnet timeout 5
    ssh timeout 30
    console timeout 0
    dhcpd address 192.168.1.20-192.168.1.50 inside
    dhcpd dns 192.168.1.152 208.67.220.220
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
     
  2. berky

    Not sure what exactly you're asking...

    is the server listening on port 443 or 22?

    and why do you want to use 443? is another firewall blocking 22? can't you tell the server to listen on port 22 and then just set up a rule to allow 22 through?

    Either way, I see you have private IP space on the inside, so you will need a NAT (PAT, actually) rule to configure what SOHO routers call 'port forwarding'.
     
  3. `danny

    The server is listening on port 443 and I can connect to it internally but my friends or anybody else cannot connect to it from outside my LAN. I have it setup for 443 so I can securely access my computer at school where only ports 80 & 443 are open. I forget a lot of things and having backup in case I need a file or two helps out tremendously.
     
  4. berky

    If that's the case, then all you need to do is set up a NAT rule for your outside IP address with a destination port of 443 being NATed to your internal IP address. I don't know the syntax offhand, but I'm sure you can find it on Cisco's site as a configuration guide.

    Then you just set your client software (PuTTY or whatever) to use the SSH protocol on port 443 instead of 22.
     
  5. `danny

    Still doesn't work :(
     
  6. =ACID RAIN=

    Interesting how the commands are just a little different between my 1841 and your PIX.

    I can look over my commands, but it looks like it's going to be a little different between the PIX and 1841 IOS versions. You may not need NAT though, just an extended access list, but you'll have to append it to any current one on the interface in question, because I'm pretty sure you can only run one ACL on a given interface.

    Assuming you have a fixed IP range that you know, and it varies only within the last octet:
    This also assumes the university NATs the workstations out to a public IP, which they may not. If not and you are behind a private LAN with one IP to the world, then just fix it on one IP by "{university_range_IPs} 0.0.0.0" (no quotes and no brackets, fill them in. 0.0.0.0 means THAT IP ONLY). There are other ways of designating one host, but this is sticking to one method for simplicity.

    For my IOS version:
    access-list 101 permit {university_range_IPs} 0.0.0.255 eq 443 {your_internal_IP_for_SSH} 0.0.0.0 eq 443

    Bear in mind that using this method, you could also use internal port 22 if you wanted to.

    Hack this into the syntax for your ACLs and add it to your current rules. Your syntax is different enough that I am not capable of this yet. Then apply it all to the given interface. Make a backup in case it hoses, LOL. Don't copy run start until you've tested this, haha.
     
  7. `danny

    I actually don't have a fixed IP range, I have Comcast which means I only have 1 DHCP assigned IP address. I want to be able to SSH home no matter where I am so I don't want to limit it to just my school's IP range.
     
  8. =ACID RAIN=

    Ok, but you'll be leaving the port WIDE open. Just FYI.

    I found an option I forgot on the last one too, so this has the right parameters.

    access-list 101 permit tcp any eq 443 {your_internal_IP_for_SSH} 0.0.0.0 eq 443
    Now apply that as before, and I forgot to mention before (assuming you know this already): apply it in for incoming.

    If you are trying to translate this to pix syntax and need to see what options you have for your command, just type in a partial command with a question mark:
    access-list ?
    That will give you a list of parameters available for what you have typed in.
     
  9. `danny

    Still a no go, ugh, this is so frigging frustrating lol
     
  10. =ACID RAIN=

    LMAO.

    Well it won't be a direct copy and paste. How well do you know the syntax of your firewall?
     
  11. `danny

    I know it's not a direct copy and paste, since I created the access group outside-to-inside with the command
    Code:
    access-group outside-to-inside in interface outside
    my ACL command I entered was
    Code:
    access-list outside-to-inside permit tcp any eq 443 192.168.1.152 eq 443
    192.168.1.152 is the IP of my SSH server on my LAN
     
  12. Rabidfox

    no static (inside,outside) tcp interface https 192.168.1.152 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https 192.168.1.152 ssh netmask 255.255.255.255 0 0

    Your original ACL was correct; the one right above my post is wrong. You want to allow https from any to the interface on https. ACLs take place before NATs in the order of operations.
    clear xlate after you apply that static
     
  13. Rabidfox

    Oh, whoops, I didn't realize that the server inside was listening on https. Other than that, I don't know; I bet the server isn't allowing connections from outside IPs. Do a "show access-list outside-to-inside" to see if you can increment hits. All you need is a static and an ACL and the PIX will pass the traffic. If you're dicking around with it too much, you might need to clear xlate and clear conn.
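    A client-side counterpart to the "show access-list" hit-count check above, as an added example that is not part of the original thread and is not FreeSSHD or Cisco code: connect to the public address on TCP/443 from outside and look at what the server volunteers after the handshake. An SSH daemon speaks first with an "SSH-..." identification string (RFC 4253), while a web or TLS server waits for the client, so a silent connection on 443 points at the static sending traffic to the wrong inside host or port, a refused connection means the translation works but nothing listens there, and no answer at all means the SYN was dropped before reaching a listener. The host and port are taken from the command line; the banners in the offline test are constructed, not captured from the poster's server.

```python
"""Probe a forwarded port and tell SSH from a silent web listener or a dropped SYN.

Added example for this thread; not code from the original posts, FreeSSHD or Cisco.
Assumes the public address and port are given on the command line. Sample banners
used for offline testing are constructed.
"""
import socket
import sys

SSH_PREFIX = b"SSH-"


def classify_banner(data):
    """Classify the first bytes a server volunteers after the TCP handshake.

    An SSH server's identification string is
    'SSH-protoversion-softwareversion [SP comments] CR LF' (RFC 4253 section 4.2),
    possibly preceded by other text lines that do not start with 'SSH-'.
    Returns a dict with kind in {'ssh', 'silent', 'other'} plus parsed fields.
    """
    result = {"kind": "other", "protocol": None, "software": None, "comments": None}
    if not data:
        # HTTP(S)/TLS servers wait for the client, so nothing arrives on its own.
        result["kind"] = "silent"
        return result
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(SSH_PREFIX):
            continue  # pre-banner text lines are allowed by the RFC; skip them
        # 'SSH-2.0-OpenSSH_7.9 Debian-10' -> ['SSH', '2.0', 'OpenSSH_7.9 Debian-10']
        parts = line.decode("ascii", "replace").split("-", 2)
        if len(parts) < 3:
            break  # malformed identification string; report as 'other'
        software, _, comments = parts[2].partition(" ")
        result.update(kind="ssh", protocol=parts[1], software=software,
                      comments=comments or None)
        return result
    return result


def probe(host, port, timeout=5.0):
    """Connect, read the greeting, and return (outcome, banner_info).

    outcome is one of 'ssh', 'silent', 'other', 'refused', 'filtered'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
            except socket.timeout:
                data = b""  # connected, but the server never spoke: 'silent'
    except ConnectionRefusedError:
        return "refused", None  # SYN reached a host, which answered with RST
    except OSError:
        return "filtered", None  # no SYN/ACK and no RST: dropped or unreachable
    info = classify_banner(data)
    return info["kind"], info


# Interpretation of each outcome for the static PAT + outside ACL setup in this thread.
HINTS = {
    "ssh": "SSH banner received: the static and the outside ACL are passing traffic.",
    "silent": "TCP connected but the server said nothing: the port is likely reaching a "
              "web/TLS listener, not the SSH daemon; check the inside port in the static.",
    "other": "TCP connected but the greeting is not SSH: check which inside host and port "
             "the static maps to.",
    "refused": "Connection refused (RST): the SYN was forwarded, but nothing listens on "
               "that port on the inside host.",
    "filtered": "No answer at all: the SYN was dropped (ACL denies it, no matching static, "
                "or the host is down); look for hit counts with 'show access-list'.",
}


def main(argv):
    if len(argv) != 3:
        print("usage: probe_ssh.py <public-host> <port>")
        return 2
    outcome, info = probe(argv[1], int(argv[2]))
    print(outcome, HINTS[outcome])
    if info and info["kind"] == "ssh":
        print("protocol", info["protocol"], "software", info["software"],
              "comments", info["comments"])
    return 0 if outcome == "ssh" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run it from a network outside the PIX (for example the school network, where only 80 and 443 are reachable), since testing from the inside LAN never exercises the static translation or the outside ACL.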
     
  14. `danny

    Yes, it finally works!!! Applying the static and entering clear xlate fixed the issue. Thanks again, guys, for all the help!!!
     
  15. Rabidfox

    wr mem or you'll be sorry :D
     
  16. =ACID RAIN=

    Glad you got it working :)

    The PIX is different in its command structure. I need to learn the differences.
     
  17. Rabidfox

    http://www.cisco.com/univercd/home/home.htm

    Select Security. Read up on the ASA (Adaptive Security Algorithm); PIX/ASA is far from your average IOS device. You need to know how it processes traffic to configure it. The Modular Policy Framework is really what makes it shine. Have fun!
     
  18. =ACID RAIN=

    Thanks man! Bookmarked :D