
I am unable to SSH to any servers. I've exhausted every possible thing except the corporate firewall. It's an old Cisco PIX firewall.

Model: Cisco PIX 501

I'm trying to figure out

1) how to temporarily disable it to prove that it is indeed the issue;

2) how to let port 22 (SSH) go through, as my SSH requests never hit the intended servers.

I've tried a few things with it, but I'm not a hardware guy, so any help would be great.

Partial configuration:

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names         
object-group service ssh tcp 
  port-object range ssh ssh 
access-list acl_in permit udp any any eq domain 
access-list acl_in permit icmp any any 
access-list acl_in permit tcp any any eq www 
access-list acl_in permit tcp any any eq pop3 
access-list acl_in permit tcp any any eq smtp 
access-list acl_in permit tcp any any eq https 
access-list acl_in permit tcp any any eq 3389 
access-list acl_in permit tcp any any eq ftp 
access-list acl_in permit tcp any any eq ftp-data 
access-list acl_in permit ip xxx 255.255.255.0 xxx 255.255.255.0 
access-list acl_in permit tcp any any eq 8080 
access-list acl_in permit udp any any eq ntp 
access-list acl_in permit tcp any any eq 123 
access-list acl_in permit tcp any any range 6881 6999 
access-list acl_in permit tcp any any eq 9090 
access-list acl_in permit tcp any any eq 9100 
access-list acl_in permit tcp any any eq 2083 
access-list acl_in permit tcp any any eq 6100 
access-list acl_in permit udp any any eq 6100 
access-list acl_in permit udp any any eq 9675 
access-list acl_in permit tcp any any eq 9675 
access-list acl_in permit tcp any any eq 1935 
access-list acl_in permit tcp any any eq 563 
access-list acl_in permit tcp any any eq 56065 
access-list acl_in permit tcp any any eq 8100 
access-list acl_in permit tcp any any eq 5001 
access-list acl_in permit tcp any eq ssh any log 
access-list acl_out permit icmp any any 
access-list acl_out permit tcp any host xxx eq https 
access-list acl_out permit tcp any host xxx eq smtp 
access-list acl_out permit tcp any host xxx eq pop3 
access-list acl_out permit tcp any any eq www 
access-list acl_out permit tcp any any range 6881 6999 
access-list acl_out permit tcp any any eq 9090 
access-list acl_out permit tcp any host xxx eq 10000 
access-list acl_out permit tcp any any eq ssh

...

ssh xx.xx.xxx.xxx 255.255.255.255 outside
ssh xx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 60
naturalc
  • When did your problem start? Please provide the sanitized configuration of your Pix firewall. Also, have you rebooted it? ;) – ewwhite Oct 16 '14 at 16:51
  • I just started at this place and the first time I ssh'd it didn't work. I don't know how to get those configurations at the moment, and I did reboot it. – naturalc Oct 16 '14 at 17:05

1 Answer

In order to allow SSH outbound, an explicit rule will need to be added to the configuration. The access-lists that you show above in your configuration show something a bit odd...

You may need to add:

access-list acl_out permit tcp any any eq ssh

Please try and report back.

Edit: what troubleshooting steps have you tried? Are you attempting to connect to known-reachable servers? The full configuration for context would be helpful.

ewwhite
  • OK, I telnetted in, enabled and did conf t, and typed in the above. Do I need to save somehow or reboot? If not, it still doesn't work. – naturalc Oct 16 '14 at 19:18
  • You may want to remove the bad entry...`no access-list acl_out permit tcp any eq ssh any ` – ewwhite Oct 16 '14 at 19:23
  • Unfortunately still a no go. I updated the config to reflect this change; also, I added a couple of other lines that I see at the end of the rules about ssh. – naturalc Oct 16 '14 at 20:20
  • @naturalc The ssh lines at the end are about allowing SSH access to the Pix's management interface. Which Cisco Pix model is this? – ewwhite Oct 17 '14 at 12:50
  • Model added to question. – naturalc Oct 17 '14 at 18:36
  • Yes, I've tried connecting to ones that I know are connectable. If I take the computer home I can connect to anything as well. The only thing I haven't tried is disabling the firewall; I'm not sure how to do that, so I haven't. We have our phone lines running through it as well, so I can't just "take it out", I have to disable it. I'm not sure what you mean by the full configuration? – naturalc Oct 20 '14 at 12:41
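A way to check what an access-list like the one above actually permits before touching the firewall, as an added example that is not part of the question or of ewwhite's answer: the script below parses PIX-style `access-list` lines and evaluates a packet against them with first-match semantics and the implicit deny at the end. It assumes, as the answer does, that `acl_out` governs traffic leaving the inside network; the sanitised `xxx` addresses are replaced with constructed documentation addresses (192.0.2.0/24, 203.0.113.10, 198.51.100.7), only the port names used in the posted excerpt are known to it, and it is a simplified model rather than the PIX's own matching code. It also shows why the `acl_in` entry `permit tcp any eq ssh any log` is the odd one: in Cisco syntax the `eq ssh` sits after the source address, so that entry matches packets whose source port is 22, not connections to port 22.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known port names the PIX CLI accepts (subset used by the sample config).
PORT_NAMES = {
    "ssh": 22, "www": 80, "https": 443, "smtp": 25, "pop3": 110,
    "domain": 53, "ntp": 123, "ftp": 21, "ftp-data": 20,
}
ANY_PORTS = (0, 65535)


@dataclass
class Ace:
    """One access-list entry, fields in the order the PIX CLI writes them."""
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Tuple[int, int]      # inclusive source-port range
    dst: ipaddress.IPv4Network
    dport: Tuple[int, int]      # inclusive destination-port range
    text: str


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(t: List[str], i: int):
    """'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(t[i] + "/" + t[i + 1]), i + 2


def _parse_ports(t: List[str], i: int):
    """Optional 'eq P' or 'range P Q' at t[i]; absent means any port."""
    if i < len(t) and t[i] == "eq":
        p = _port(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return ANY_PORTS, i


def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'access-list NAME permit|deny PROTO SRC [ports] DST [ports] [log]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        return None  # not an ACE (fixup, names, ssh lines, ...)
    src, i = _parse_addr(t, 4)
    sport, i = _parse_ports(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_ports(t, i)
    return Ace(t[1], t[2], t[3], src, sport, dst, dport, line.strip())


def evaluate(aces, acl, proto, src, sport, dst, dport):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a.acl != acl or (a.proto != "ip" and a.proto != proto):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if proto in ("tcp", "udp") and not (
            a.sport[0] <= sport <= a.sport[1] and a.dport[0] <= dport <= a.dport[1]
        ):
            continue
        return a.action, a.text
    return "deny", "(implicit deny at end of access-list)"


# Constructed subset of the posted configuration; the sanitised 'xxx' values
# are replaced with documentation addresses (192.0.2.0/24, 203.0.113.10).
BASE_CONFIG = """
fixup protocol http 80
access-list acl_in permit udp any any eq domain
access-list acl_in permit tcp any any eq www
access-list acl_in permit ip 192.0.2.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list acl_in permit tcp any any range 6881 6999
access-list acl_in permit tcp any eq ssh any log
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 203.0.113.10 eq https
access-list acl_out permit tcp any any eq www
""".strip().splitlines()

# The line the answer suggests adding.
SSH_RULE = "access-list acl_out permit tcp any any eq ssh"


def load(lines):
    return [a for a in map(parse_ace, lines) if a is not None]


def ssh_outbound(lines, acl="acl_out"):
    """Does an inside host's SSH session (ephemeral src port -> dst port 22) pass 'acl'?"""
    return evaluate(load(lines), acl, "tcp", "192.0.2.25", 51234, "198.51.100.7", 22)


if __name__ == "__main__":
    print("acl_out before:", ssh_outbound(BASE_CONFIG))
    print("acl_out after: ", ssh_outbound(BASE_CONFIG + [SSH_RULE]))
    # The odd acl_in entry only matches packets whose SOURCE port is 22.
    print("acl_in, dst port 22:", ssh_outbound(BASE_CONFIG, "acl_in"))
    print("acl_in, src port 22:", evaluate(load(BASE_CONFIG), "acl_in", "tcp",
                                           "198.51.100.7", 22, "192.0.2.25", 51234))
```

Two PIX details the posted excerpt does not show but that decide whether a rule like this has any effect: an access-list only filters traffic once it is bound to an interface with `access-group`, and a line entered at the CLI survives a reboot only after `write memory`. Checking `show access-list` on the box for the hit counters of the new entry is the quickest way to confirm packets are reaching it at all.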