https://live.paloaltonetworks.com/t5/general-topics/ssh-config/m-p/48711#M35868 <HTML><HEAD></HEAD><BODY><P>I need to allow a one time SSH connection from the Internet to my LAN for the configuration of a device. So far I have created an SSH service and security policy, allowing any device to connect to the external I.P. address of my PAN. I have also created a NAT rule pointing my Internet facing I.P. address to the devices' I.P. address. When I try to test this configuration using putty, the log shows the connection as "drop". </P><P>Am I missing a configuration step somewhere?</P><P></P><P>Thanks</P></BODY></HTML> Tue, 04 Sep 2012 19:07:33 GMT kuntzelectroplating 2012-09-04T19:07:33Z https://live.paloaltonetworks.com/t5/general-topics/ssh-config/m-p/48711#M35868 <HTML><HEAD></HEAD><BODY><P>I need to allow a one time SSH connection from the Internet to my LAN for the configuration of a device. So far I have created an SSH service and security policy, allowing any device to connect to the external I.P. address of my PAN. I have also created a NAT rule pointing my Internet facing I.P. address to the devices' I.P. address. When I try to test this configuration using putty, the log shows the connection as "drop". </P><P>Am I missing a configuration step somewhere?</P><P></P><P>Thanks</P></BODY></HTML> Tue, 04 Sep 2012 19:07:33 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-config/m-p/48711#M35868 kuntzelectroplating 2012-09-04T19:07:33Z https://live.paloaltonetworks.com/t5/general-topics/ssh-config/m-p/48712#M35869 <HTML><HEAD></HEAD><BODY><P>Please check if you have Interface managment profile configured, allowing ssh service and have this profile associated with the desired interface .</P><P>Refer:&nbsp; <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-2998">https://live.paloaltonetworks.com/docs/DOC-2998</A></P></BODY></HTML> Tue, 04 Sep 2012 20:22:03 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-config/m-p/48712#M35869 UhMayYeah 2012-09-04T20:22:03Z https://live.paloaltonetworks.com/t5/general-topics/ssh-config/m-p/48713#M35870 <HTML><HEAD></HEAD><BODY><P>That depends if the device is a PA or not.</P><P></P><P>The PA who will be managed must have ssh enabled in a mgmtprofile and that mgmtprofile attached to proper interface as Ameya said.</P><P></P><P>However if its some other device but have a PA as a firewall you could first try without ssh-termination:</P><P></P><P>1) Create NAT.</P><P>2) Create security policy who will allow incoming SSH connection (to be forwarded to the device that will be managed).</P><P></P><P>then when above works you can add the SSH-termination (decrypt rule) aswell.</P><P></P><P>Regarding NAT and security policy this is what you would need to do:</P><P></P><P>NAT:</P><P></P><P>Original packet src zone: untrusted</P><P>Original packet dst zone: trusted</P><P>Original packet dst int: eth1/1</P><P>Original packet src address: &lt;ip or range of the ssh client&gt;</P><P>Original packet dst address: &lt;ip the client will connect to&gt;</P><P>Original packet service: TCP22</P><P>Translated packet dst: &lt;ip of the device to be managed on the inside&gt;</P><P></P><P>Security policy:</P><P></P><P>src zone: untrust</P><P>src address: &lt;ip or range of the ssh client&gt;</P><P>src user: any</P><P>src hip: any</P><P>dst zone: trust</P><P>dst address: &lt;ip the client will connect to&gt;</P><P>application: ssh</P><P>service: TCP22</P><P></P><P>The thing(s) to remember when creating security policies for NATed traffic is:</P><P></P><P>src zone: zone the original packet comes from</P><P>dst zone: zone the translated packet will go to</P><P>dst address: dst ip address the original packet had</P><P></P><P>Edit: I think I was incorrect regarding "Original packet dst zone" in this case. It should read untrusted because the ip the client is connected to is the ip of the untrusted interface of PA.</P></BODY></HTML> Wed, 05 Sep 2012 08:47:22 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-config/m-p/48713#M35870 mikand 2012-09-05T08:47:22Z https://live.paloaltonetworks.com/t5/general-topics/ssh-config/m-p/48714#M35871 <HTML><HEAD></HEAD><BODY><P>Thanks the replies.</P><P>Mikand: following your steps I was able to see that I missed a step. SSH is working perfectly now.</P></BODY></HTML> Wed, 05 Sep 2012 17:48:31 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-config/m-p/48714#M35871 kuntzelectroplating 2012-09-05T17:48:31Z