
SSH or Telnet to manage internal system from outside


blinton25

Programmer
Mar 20, 2004
104
BB
Hello,

I need to remotely administer a Linux server which is being protected by a PIX 501. I plan to use SSH, but I know that port 22 is reserved for using SSH with the PIX.

Would issuing this command:

static (inside, outside) tcp 207.x.x.51 2222 192.168.1.3 22 netmask 255.255.255.255 0 0
allow me to connect to the internal linux server?
 
Absolutely, but don't forget your ACL command.

For ease, you could also change the port that the PIX SSH runs on; that's up to you.

AJ

===

AJ - (Formerly FatmanSuperstar)
 
Hello,

Sorry, I'm not a PIX guru. ACL command?

Also, how can I change the default SSH port for the PIX?
 
Hello,

I issued the command:

------------------------------------------------
static (inside, outside) tcp 207.x.x.51 2222 192.168.1.3 22 netmask 255.255.255.255 0 0
-------------------------------------------------
and got an error:

-------------------------------------------------
duplicate of existing static.
-------------------------------------------------

My configuration file looks like:

-------------------------------------------------
write terminal
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 4P4Lpmgzv5cZL7lu encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PC1
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host 207.x.x.51 eq domain log
access-list 101 permit udp any host 207.x.x.51 eq domain log
access-list 101 permit tcp any host 207.x.x.51 eq
access-list 101 permit icmp any any echo-reply log
access-list 101 permit icmp any any echo log
pager lines 24
logging on
logging timestamp
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 207.x.x.50 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.4 255.255.255.255 inside
pdm location 192.168.1.6 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 207.x.x.51 domain 192.168.1.3 domain netmask 255.255.255.255 0 0
static (inside,outside) udp 207.x.x.51 domain 192.168.1.3 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 207.x.x.51 255.255.255.255 0 0
static (inside,outside) tcp 207.x.x.52 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
static (inside,outside) udp 207.x.x.52 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 207.x.x.52 255.255.255.255 0 0
static (inside,outside) tcp 207.x.x.51 domain 192.168.1.6 domain netmask 255.255.255.255 0 0
static (inside,outside) udp 207.x.x.53 domain 192.168.1.6 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 207.x.x.53 255.255.255.255 0 0
static (inside,outside) 207.x.x.51 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 207.x.x.52 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 207.x.x.53 192.168.1.6 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 207.x.x.50 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.32 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:4859eba3792223084d62bf67bf0fffd7
: end
[OK]
PC1#
-------------------------------------------------
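The two points raised in this thread, the ACL that AJ says must accompany the static and the "duplicate of existing static" error above, can both be checked mechanically. The checker below is an added example, not code from the thread or from Cisco; it assumes, as the error message suggests, that the PIX rejects a port-redirect static on a global address that already has a one-to-one static, and the `eq 2222` access-list line in the second sample is my own illustration of the ACL the reply refers to.

```python
import re

# Constructed samples, not the thread's full config. POSTED mirrors the posted
# config (masked 207.x.x.N addresses are kept and compared as plain strings);
# FIXED is the port-redirect static plus the ACL line the replies call for.
POSTED = """
static (inside,outside) tcp 207.x.x.51 domain 192.168.1.3 domain netmask 255.255.255.255 0 0
static (inside,outside) 207.x.x.51 192.168.1.3 netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 207.x.x.51 eq domain log
access-group 101 in interface outside
"""
FIXED = """
static (inside,outside) tcp 207.x.x.51 2222 192.168.1.3 22 netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 207.x.x.51 eq 2222 log
access-group 101 in interface outside
"""
PORT_NAMES = {"ssh": "22", "domain": "53", "www": "80"}  # names PIX prints for ports
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) \S+ host (\S+) eq (\S+)")
AG_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def port(p):
    return PORT_NAMES.get(p, p)

def parse_static(line):
    """(proto, global_ip, global_port, local_ip, local_port); proto and ports
    are None for a one-to-one static, which translates every port."""
    m = re.match(r"^static \(inside,\s*outside\) (.*?) netmask", line)
    tok = m.group(1).split() if m else []
    if len(tok) == 5 and tok[0] in ("tcp", "udp"):
        return tuple(tok)
    return (None, tok[0], None, tok[1], None) if len(tok) == 2 else None

def static_conflicts(config, proto, gip, gport):
    """Existing statics that make 'static ... proto gip gport ...' a duplicate."""
    found = []
    for p, g, gp, l, _ in filter(None, map(parse_static, config.splitlines())):
        if g == gip and p is None:
            found.append(f"one-to-one static {g} -> {l} already covers every port")
        elif g == gip and p == proto and port(gp) == port(gport):
            found.append(f"{p} {g}:{gp} is already redirected")
    return found

def reachable_from_outside(config, proto, gip, gport):
    """True only if an ACL applied inbound on 'outside' permits proto gip:gport."""
    lines = config.splitlines()
    applied = {m.group(1) for m in map(AG_RE.match, lines) if m and m.group(2) == "outside"}
    return any(m and m.group(1) in applied and m.group(2) == proto
               and m.group(3) == gip and port(m.group(4)) == port(gport)
               for m in map(ACL_RE.match, lines))
```

Run against POSTED it flags the existing one-to-one static on 207.x.x.51 as the reason the port static is refused, and reports that no inbound ACL permits TCP 2222; against FIXED the ACL check passes.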
 
Hello,

I changed the default port to get around the problem of the shared port 22. I would still like to know how to change the default port on the PIX though; it's a good obfuscation technique.
 