how to configure pix for inbound connections to 2 different ssh servers

This is a newbie question, I realize. How would I configure pix to accept connections to a second ssh server from a specific source computer? We have an existing ssh server set up with this:

access-list outside_access_in permit tcp any host 192.168.6.10 eq ssh

If I want to host a second ssh server in our lan and be able to connect to it from a specific external computer would I simply do this:

access-list outside_access_in permit tcp host "ip_address of external computer" host "ip_address_of_internal_computer" eq ssh

We have one external static IP. It seems like the previous access list entries would not work, because how would the pix know not to send all ssh requests to the first ssh server? Also, after I create a new access list, do I need to type the access-group command even if it is already there for the same outside_access_in name? Thanks

tilopa

If you only have 1 external you need to use PAT and a different port other than 22. You can only have one NAT/PAT statement using the same source and destination port.

The ACL statement you showed is not correct. That is not what is permitting your SSH; there needs to be another statement. That statement would allow SSH to 192.168.6.10, but the public does not connect to that IP, they have no idea about it, they connect to your public IP. There is most likely a statement in there like permit tcp any any eq 22.

To make this work you will need to add another static as well as an acl entry.

static (inside,outside) tcp interface 222 192.168.6.x 22 netmask 255.255.255.255

access-list outside permit tcp any any eq 222

When you SSH to the new device you will always need to specify the port. I simply picked 222 above, you can use anything you want.

old device: ssh A.B.C.D

new device: ssh -p 222 A.B.C.D

Brian V

Brian,

Sorry about the delay in response, and thanks for your input. You're right, looking at it more closely it is a public IP for the ACL. Like you say, what I needed was:

access-list outside_access_in permit tcp any host "public ip of outside int" eq 222

access-group outside_access_in in interface outside

static (inside,outside) tcp "public ip of outside int" 222 192.168.6.10 22 netmask 255.255.255.255 0 0

That worked. Thanks for your help

tilopa
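Putting the thread's answer together as an added example (not configuration posted by either participant): both SSH servers behind the one public address, with the second server's redirected port limited to the single external host the original question asked about. Assumed values: public address A.B.C.D, second server 192.168.6.20, permitted external client W.X.Y.Z.

```cisco
! Added example, not from the thread. Assumed: outside address A.B.C.D,
! existing server 192.168.6.10, second server 192.168.6.20,
! and W.X.Y.Z is the only external host allowed to reach the second server.

! Existing server stays on TCP/22 of the public address.
static (inside,outside) tcp interface 22 192.168.6.10 22 netmask 255.255.255.255 0 0

! Second server is reached on TCP/222 of the same public address (port redirection);
! the PIX rewrites 222 -> 22 toward the inside host, so sshd itself still listens on 22.
static (inside,outside) tcp interface 222 192.168.6.20 22 netmask 255.255.255.255 0 0

! Outside ACLs match the public (translated) address, not the inside 192.168.6.x address.
! First server: reachable from anywhere, as the thread already has it.
access-list outside_access_in permit tcp any host A.B.C.D eq 22

! Second server: only the one external client; everything else falls to the implicit deny.
access-list outside_access_in permit tcp host W.X.Y.Z host A.B.C.D eq 222

! Binding the list once is enough; new entries added to an already bound list
! take effect without re-entering access-group.
access-group outside_access_in in interface outside
```

The client then connects with ssh -p 222 A.B.C.D for the second server, while ssh A.B.C.D still lands on the first one.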
