Question : Help me understand a request for remote access ...

I have been asked by a support company to give them access to our network, but I don't understand exactly what it is they are asking for. I am guessing it is something to do with port 22 and the IP numbers?

"In order for us to better troubleshoot this issue we will require remote management of the Email Security (web management and credentials) and port 22 TCP from: 212.203.4.18 213.84.204.56 80.96.203.116 193.138.194.140 82.161.98.20 67.115.118.5"

Answer : Help me understand a request for remote access ...

Ok - so for starters you need to know if you have any outside addresses you can use for this new service. See the line in your config:

static (inside,outside) 212.115.52.54 10.44.0.199 netmask 255.255.255.255 0 0

That is creating a mapping from inside to outside, from your private IP address to a public one. You would need to add another line just like this for the IP on the inside you want to get to and the address on the outside that they will contact. 212.115.52.53 might be available.

The second thing is an access list to permit the traffic. You are already doing this for mail so you just need to build on that. Here is the access list being applied:

access-group mail in interface outside

Don't need to change that line. The access list itself is:

access-list mail permit tcp any host 212.115.52.54 eq smtp

All you need to do is add the lines to permit the traffic they need:

access-list mail permit tcp host 212.203.4.18 host 212.115.52.53 eq 22

This would allow their host 212.203.4.18 to get to your new NAT 212.115.52.53 (assuming you used that address) on port 22 SSH. Repeat this for however many hosts they need as sources and ports they want to use. It isn't clear if they want port 80 access for example, but you would have to replicate the whole list for any other ports.

Good luck,

Jason

PS. ASDM is the PIX GUI interface in the new versions of code. I'd say that PIX is due for a software update at the least.
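
An added example, not part of the original question or answer: a short Python script that generates one permit line per vendor address in the form shown above, then audits a list of access-list lines for any entry that opens port 22 on the new NAT address to a source outside the vendor's list. The NAT address 212.115.52.53 is the one the answer says "might be available"; the function names, the port-name table and the sample lines are assumptions made for this example.

```python
import ipaddress

# Vendor source addresses quoted in the support request on this page.
VENDOR_SOURCES = ["212.203.4.18", "213.84.204.56", "80.96.203.116",
                  "193.138.194.140", "82.161.98.20", "67.115.118.5"]
NAT_IP = "212.115.52.53"  # assumption: the answer only says it "might be available"
PORT_NAMES = {"ssh": 22, "smtp": 25, "www": 80, "https": 443}

def build_acl(acl_name, nat_ip, sources, port=22):
    """One permit line per vendor source, in the form used in the answer."""
    return [f"access-list {acl_name} permit tcp host {s} host {nat_ip} eq {port}"
            for s in sources]

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'NET MASK' and return it as a network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)

def parse_permit(line):
    """Return (src, dst, port) for a 'permit tcp' entry, else None.
    port is None when no 'eq' is given or the port name is not recognised."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "tcp"]:
        return None
    rest = t[4:]
    src, dst = _take_addr(rest), _take_addr(rest)
    port = None
    if len(rest) >= 2 and rest[0] == "eq":
        port = int(rest[1]) if rest[1].isdigit() else PORT_NAMES.get(rest[1])
    return src, dst, port

def audit(lines, nat_ip, allowed_sources, port=22):
    """Lines that open `port` on nat_ip to a source outside the vendor list."""
    allowed = {ipaddress.ip_network(a + "/32") for a in allowed_sources}
    target = ipaddress.ip_network(nat_ip + "/32")
    bad = []
    for line in lines:
        p = parse_permit(line)
        # A None port is treated as possibly matching, so it is flagged too.
        if p and p[1].overlaps(target) and p[2] in (None, port) and p[0] not in allowed:
            bad.append(line)
    return bad

# Constructed sample: the page's SMTP rule, the generated rules, one overly broad rule.
SAMPLE = (["access-list mail permit tcp any host 212.115.52.54 eq smtp"]
          + build_acl("mail", NAT_IP, VENDOR_SOURCES)
          + ["access-list mail permit tcp any host 212.115.52.53 eq ssh"])
```

Calling `audit(SAMPLE, NAT_IP, VENDOR_SOURCES)` returns only the constructed `any` rule, which is the entry to remove before or after the vendor's troubleshooting window.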
