SSH Config

I need to allow a one-time SSH connection from the Internet to my LAN for the configuration of a device. So far I have created an SSH service and security policy, allowing any device to connect to the external IP address of my PAN. I have also created a NAT rule pointing my Internet-facing IP address to the device's IP address. When I try to test this configuration using PuTTY, the log shows the connection as "drop".

Am I missing a configuration step somewhere?

Thanks

1 accepted solution

Accepted Solutions

That depends on whether the device is a PA or not.

The PA that will be managed must have SSH enabled in a management profile, and that management profile attached to the proper interface, as Ameya said.

However, if it's some other device but you have a PA as the firewall, you could first try without SSH termination:

1) Create NAT.

2) Create a security policy that will allow the incoming SSH connection (to be forwarded to the device that will be managed).

Then, when the above works, you can add the SSH termination (decrypt rule) as well.

Regarding NAT and security policy this is what you would need to do:

NAT:

Original packet src zone: untrusted

Original packet dst zone: trusted

Original packet dst int: eth1/1

Original packet src address: <ip or range of the ssh client>

Original packet dst address: <ip the client will connect to>

Original packet service: TCP22

Translated packet dst: <ip of the device to be managed on the inside>

Security policy:

src zone: untrust

src address: <ip or range of the ssh client>

src user: any

src hip: any

dst zone: trust

dst address: <ip the client will connect to>

application: ssh

service: TCP22

The things to remember when creating security policies for NATed traffic are:

src zone: zone the original packet comes from

dst zone: zone the translated packet will go to

dst address: dst IP address the original packet had

Edit: I think I was incorrect regarding "Original packet dst zone" in this case. It should read untrusted, because the IP the client connects to is the IP of the untrusted interface of the PA.

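The three rules at the end of the accepted answer (source zone from the original packet, destination zone from the translated packet, destination address from the original packet) are the part people most often get wrong, so here is an added worked model of how a NAT rule and a security policy are matched for the inbound SSH session described in the thread. This is example code written for this page, not PAN-OS code and not something posted in the thread; the zone names, the Internet-facing IP, the inside device IP and the client range are constructed placeholders, and the NAT rule uses the corrected "Original packet dst zone: untrust" from the answer's Edit. It also shows the failure mode the rules warn about: a security policy written against the translated (inside) address never matches, and the session is dropped.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone table (hypothetical addressing, not from the thread).
# Anything not listed is reached via the default route, i.e. the untrust zone.
TRUSTED_NETWORKS = {ip_network("192.168.10.0/24"): "trust"}   # inside LAN behind eth1/1

def zone_for(ip: str) -> str:
    """Resolve an address to its zone the way the firewall's routing table would."""
    addr = ip_address(ip)
    for net, zone in TRUSTED_NETWORKS.items():
        if addr in net:
            return zone
    return "untrust"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    app: str = "ssh"

@dataclass(frozen=True)
class NatRule:
    src_zone: str        # zone of the ORIGINAL source
    dst_zone: str        # zone of the ORIGINAL destination (the firewall's external IP lives in untrust)
    src_addr: str        # CIDR of the SSH clients that may connect
    dst_addr: str        # original destination: the Internet-facing IP
    service_port: int
    translated_dst: str  # inside address of the device to be managed

    def matches(self, pkt: Packet) -> bool:
        return (zone_for(pkt.src) == self.src_zone
                and zone_for(pkt.dst) == self.dst_zone
                and ip_address(pkt.src) in ip_network(self.src_addr)
                and pkt.dst == self.dst_addr
                and pkt.dport == self.service_port)

@dataclass(frozen=True)
class SecurityRule:
    src_zone: str
    dst_zone: str
    src_addr: str
    dst_addr: str
    app: str
    service_port: int
    action: str = "allow"

    def matches(self, pkt: Packet, post_nat_dst: str) -> bool:
        return (zone_for(pkt.src) == self.src_zone
                and zone_for(post_nat_dst) == self.dst_zone   # dst zone is evaluated AFTER NAT
                and ip_address(pkt.src) in ip_network(self.src_addr)
                and pkt.dst == self.dst_addr                  # dst address is the ORIGINAL one
                and pkt.app == self.app
                and pkt.dport == self.service_port)

def evaluate(pkt: Packet, nat_rules, sec_rules):
    """Return (action, post_nat_dst). NAT lookup first decides where the packet will
    go (and therefore its destination zone); the security policy is then matched on
    the original addresses but the translated destination zone. No match means drop."""
    post_nat_dst = pkt.dst
    for nat in nat_rules:
        if nat.matches(pkt):
            post_nat_dst = nat.translated_dst
            break
    for rule in sec_rules:
        if rule.matches(pkt, post_nat_dst):
            return rule.action, post_nat_dst
    return "drop", post_nat_dst

# Constructed sample values (placeholders, not real addresses from the thread).
EXTERNAL_IP = "203.0.113.10"      # Internet-facing IP on eth1/1
DEVICE_IP = "192.168.10.50"       # device to be managed on the inside
CLIENT_NET = "198.51.100.0/24"    # range the SSH client connects from

NAT_RULE = NatRule("untrust", "untrust", CLIENT_NET, EXTERNAL_IP, 22, DEVICE_IP)
# Correct policy: post-NAT zone (trust) but pre-NAT destination address (external IP).
GOOD_POLICY = SecurityRule("untrust", "trust", CLIENT_NET, EXTERNAL_IP, "ssh", 22)
# Common mistake: destination address written as the translated inside IP.
WRONG_POLICY = SecurityRule("untrust", "trust", CLIENT_NET, DEVICE_IP, "ssh", 22)

def ssh_session(policy: SecurityRule, client_ip: str = "198.51.100.7"):
    """Simulate one inbound SSH connection attempt to the external IP."""
    return evaluate(Packet(client_ip, EXTERNAL_IP, 22), [NAT_RULE], [policy])

if __name__ == "__main__":
    print("correct policy:", ssh_session(GOOD_POLICY))        # ('allow', '192.168.10.50')
    print("post-NAT address in policy:", ssh_session(WRONG_POLICY))  # ('drop', '192.168.10.50')
    print("client outside allowed range:", ssh_session(GOOD_POLICY, "192.0.2.9"))
```

The model is deliberately small: a client outside the permitted range matches neither the NAT rule nor the policy (the destination stays the external IP, so the "trust" destination zone never applies) and falls through to drop, which is the same "drop" the original poster saw in the log when one of the matching criteria was off.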
3 REPLIES

Please check if you have an Interface Management Profile configured, allowing the SSH service, and have this profile associated with the desired interface.

Refer: https://live.paloaltonetworks.com/docs/DOC-2998

Thanks for the replies.

Mikand: following your steps I was able to see that I missed a step. SSH is working perfectly now.
