09-04-2012 12:07 PM
I need to allow a one time SSH connection from the Internet to my LAN for the configuration of a device. So far I have created an SSH service and security policy, allowing any device to connect to the external I.P. address of my PAN. I have also created a NAT rule pointing my Internet facing I.P. address to the device's I.P. address. When I try to test this configuration using putty, the log shows the connection as "drop".
Am I missing a configuration step somewhere?
Thanks
09-05-2012 01:47 AM
That depends if the device is a PA or not.
The PA that will be managed must have ssh enabled in a mgmtprofile and that mgmtprofile attached to the proper interface, as Ameya said.
However, if it's some other device but you have a PA as the firewall, you could first try without ssh-termination:
1) Create NAT.
2) Create a security policy that will allow the incoming SSH connection (to be forwarded to the device that will be managed).
Then, when the above works, you can add the SSH-termination (decrypt rule) as well.
Regarding NAT and security policy this is what you would need to do:
NAT:
Original packet src zone: untrusted
Original packet dst zone: trusted
Original packet dst int: eth1/1
Original packet src address: <ip or range of the ssh client>
Original packet dst address: <ip the client will connect to>
Original packet service: TCP22
Translated packet dst: <ip of the device to be managed on the inside>
Security policy:
src zone: untrust
src address: <ip or range of the ssh client>
src user: any
src hip: any
dst zone: trust
dst address: <ip the client will connect to>
application: ssh
service: TCP22
The things to remember when creating security policies for NATed traffic are:
src zone: zone the original packet comes from
dst zone: zone the translated packet will go to
dst address: dst ip address the original packet had
Edit: I think I was incorrect regarding "Original packet dst zone" in this case. It should read untrusted because the ip the client is connected to is the ip of the untrusted interface of PA.
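The three rules above (NAT matches the original packet, the security policy matches the pre-NAT destination address but the post-NAT destination zone, and an unmatched session hits the implicit interzone deny) are easy to get backwards, which is exactly what produces the "drop" seen in the question. The following is an added example, not code from the thread or from Palo Alto Networks: a small Python model of that lookup order, with a constructed topology (a default route in zone untrust, 192.168.10.0/24 in zone trust, and TEST-NET documentation addresses for the client, the public IP on eth1/1 and the inside device; all of these values are assumptions). It evaluates the same inbound SSH packet against the correct rule pair, against a security rule written with the inside IP instead of the public IP, and against the first-draft NAT rule whose "Original packet dst zone" was trusted, and shows why only the first one allows the session.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed topology (assumption for this example, not from the thread):
# the Internet-facing side (eth1/1) is zone "untrust" via the default route,
# the inside network is zone "trust".
ZONES = {
    "untrust": ipaddress.ip_network("0.0.0.0/0"),
    "trust": ipaddress.ip_network("192.168.10.0/24"),
}
PUBLIC_IP = "203.0.113.10"   # constructed: IP on the firewall's untrust interface
DEVICE_IP = "192.168.10.50"  # constructed: device to be managed on the inside
CLIENT_IP = "198.51.100.7"   # constructed: SSH client somewhere on the Internet
SSH = ("tcp", 22)            # the "TCP22" service object from the reply


def zone_of(ip: str) -> str:
    """Longest-prefix match against the zone table; stands in for the
    firewall's route lookup that decides which zone an address lives in."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in ZONES.values() if addr in n), key=lambda n: n.prefixlen)
    return next(z for z, n in ZONES.items() if n == best)


@dataclass
class NatRule:
    name: str
    src_zone: str          # "Original packet src zone"
    dst_zone: str          # "Original packet dst zone"
    dst_addr: str          # "Original packet dst address"
    service: Tuple[str, int]
    translated_dst: str    # "Translated packet dst"


@dataclass
class SecRule:
    name: str
    src_zone: str
    dst_zone: str          # zone of the TRANSLATED destination
    dst_addr: str          # ORIGINAL (pre-NAT) destination address, or "any"
    application: str
    service: Tuple[str, int]
    action: str            # "allow" or "deny"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    application: str       # what App-ID would identify, assumed known here


def nat_lookup(pkt: Packet, nat_rules) -> Optional[NatRule]:
    """NAT rules are matched entirely on the original packet: ingress zone,
    the zone the original destination routes to, original dst IP, service."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for r in nat_rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.dst_addr == pkt.dst and r.service == (pkt.proto, pkt.dport)):
            return r
    return None


def security_lookup(pkt: Packet, nat: Optional[NatRule], sec_rules) -> Tuple[str, str]:
    """Security policy sees the pre-NAT dst address but the post-NAT dst zone.
    Nothing matched means the implicit interzone deny, logged as a drop."""
    src_zone = zone_of(pkt.src)
    effective_dst = nat.translated_dst if nat else pkt.dst
    dst_zone = zone_of(effective_dst)
    for r in sec_rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.dst_addr in ("any", pkt.dst)
                and r.application in ("any", pkt.application)
                and r.service == (pkt.proto, pkt.dport)):
            return r.action, r.name
    return "drop", "<interzone default deny>"


def evaluate(pkt: Packet, nat_rules, sec_rules) -> Tuple[str, Optional[str], str]:
    """Returns (action, matched NAT rule name or None, matched security rule name)."""
    nat = nat_lookup(pkt, nat_rules)
    action, rule = security_lookup(pkt, nat, sec_rules)
    return action, (nat.name if nat else None), rule


# The rule pair from the reply (after the Edit: NAT dst zone is untrust).
GOOD_NAT = NatRule("inbound-ssh-nat", "untrust", "untrust", PUBLIC_IP, SSH, DEVICE_IP)
GOOD_SEC = SecRule("allow-inbound-ssh", "untrust", "trust", PUBLIC_IP, "ssh", SSH, "allow")
# Two common mistakes: the first-draft NAT dst zone, and a security rule
# written with the inside (post-NAT) address as its destination.
BAD_NAT = NatRule("inbound-ssh-nat", "untrust", "trust", PUBLIC_IP, SSH, DEVICE_IP)
BAD_SEC = SecRule("allow-inbound-ssh", "untrust", "trust", DEVICE_IP, "ssh", SSH, "allow")
INBOUND_SSH = Packet(CLIENT_IP, PUBLIC_IP, "tcp", 22, "ssh")

if __name__ == "__main__":
    cases = [("correct NAT + security rule", [GOOD_NAT], [GOOD_SEC]),
             ("security rule uses post-NAT address", [GOOD_NAT], [BAD_SEC]),
             ("NAT rule original dst zone = trust", [BAD_NAT], [GOOD_SEC])]
    for label, nats, secs in cases:
        print(f"{label:40s} -> {evaluate(INBOUND_SSH, nats, secs)}")
```

Only the first case allows the session; the second misses because the policy compares its destination object against the pre-NAT address 203.0.113.10, and the third never matches the NAT rule at all because the public IP routes to the untrust zone, so the session keeps its original destination zone and falls through to the interzone default deny. If you see "drop" in the traffic log, checking which of these two lookups failed is the quickest way to find the missing step.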
09-04-2012 01:22 PM
Please check if you have an Interface management profile configured, allowing the ssh service, and have this profile associated with the desired interface.
09-05-2012 10:48 AM
Thanks for the replies.
Mikand: following your steps I was able to see that I missed a step. SSH is working perfectly now.