SSH into outside int

Discussion in 'Cisco' started by Ants, Dec 1, 2004.

  1. Ants

    Ants Guest

    hi,
    I have a Cisco router internet facing and a PIX behind it on the LAN...
    I am having difficulties SSHing into the PIX (from an external office site
    via the WWW) outside interface, which has a private IP.

    www-----*rtr**------**pix***----lan

    * external facing IP
    ** both private 10.10.10.x addresses
    *** private 192.168.x.x

    I've created an RSA key etc... no luck.
    added ssh 0.0.0.0 0.0.0.0 outside

    Do I need to NAT my external remote office's IP to the inside of my RTR?
    thanks
     
    Ants, Dec 1, 2004
    #1

  2. In article <>,
    Ants <> wrote:
    :have a cisco router internet facing and a pix behind it on the lan...
    :i am having difficulties ssh into the pix (from externa office site
    :via www) outside int which has a private ip.

    :www-----*rtr**------**pix***----lan

    :* external facing ip
    :** both private 10.10.10.x addresses

    :ive created rsa key etc.. no luck.
    :added ssh 0.0.0.0 0.0.0.0 outside

    :do i need to nat my ext remote office's ip to the inside of my RTR?

    You need to ip nat static tcp port 22 (ssh) of your external IP
    into tcp port 22 of the private outside IP of the PIX.
    --
    Would you buy a used bit from this man??
     
    Walter Roberson, Dec 1, 2004
    #2
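    To make Walter's suggestion concrete, here is an added illustration (not configuration from anyone in the thread) of the lines such a port forward needs on the IOS router and on the PIX. Every address and interface name is an assumption chosen for the example: 203.0.113.1 is the router's public address, 10.10.10.1 and 10.10.10.2 are the router and PIX ends of the private link, and 198.51.100.10 is the remote office's public address.

```cisco
! --- Router (IOS); addresses and interface names are assumed ---
interface FastEthernet0/0
 description Internet-facing
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description Link to the PIX outside interface
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! Forward TCP/22 arriving at the public address to the PIX's private
! outside address. Only the destination is rewritten; the source stays
! the remote office's real address, which matters for the PIX below.
ip nat inside source static tcp 10.10.10.2 22 203.0.113.1 22 extendable
!
! An inbound ACL on the outside interface is evaluated before the
! outside-to-inside translation, so it must match the public address.
! Admit SSH only from the remote office, not from any source.
ip access-list extended OUTSIDE-IN
 permit tcp host 198.51.100.10 host 203.0.113.1 eq 22
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in

! --- PIX (6.x); outside interface is 10.10.10.2 ---
! The ssh permission must match the source as the PIX sees it, i.e. the
! remote office's public address, not anything in 10.10.10.x.
! "ssh 0.0.0.0 0.0.0.0 outside" also lets the session through, but it
! opens management access to every host that can reach the port.
ssh 198.51.100.10 255.255.255.255 outside
ssh timeout 10
```

    If the router already carries an inbound ACL on its outside interface, the permit line above is merged into that list rather than replacing it. The RSA key generation on the PIX that the OP mentions is still required; this example only covers the translation and the address filters around it.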

  3. Ants

    John Smith Guest

    Are you double NATing? Both at the router and PIX?
    This is a bit off topic, but make sure you aren't double NATing.

     
    John Smith, Dec 2, 2004
    #3
  4. In article <>,
    John Smith <> wrote:
    :are you double NAT'ing? both at the router and pix?
    :this is a bit off topic, but make sure you aren't double NATing.

    What reasons would you give for denying double NATing? Sure in
    some cases it is unnecessary work, but if both NATing devices are
    able to handle the appropriate state inspections, then what problems
    do you foresee?

    Consider, for example, that I have a LAN on which I am using private
    IPs: partly so that I don't need to pay thousands of dollars for an
    extra /24; partly because there are some security benefits; and
    partly because internally I can use a private /16 and in so doing
    not have to *route* between local machines that happen to live
    in different public /24's.

    Now consider that I have finance people within my LAN, and the financial
    documents are more sensitive than our regular documents. The
    finance people need a firewall of their own, security in depth. Now,
    what IP address range do I use on the inside of the interior firewall?
    When answering, keep in mind that the PIX firewall cannot be operated
    as a "filter": the inside interface IP range *must* be different than
    the outside interface IP range on a PIX.
    --
    Will you ask your master if he wants to join my court at Camelot?!
     
    Walter Roberson, Dec 2, 2004
    #4
  5. Ants

    John Smith Guest

    As a general rule then, would you recommend double NATing, or avoiding it
    if not absolutely necessary?
    Double NATing is not only difficult to set up correctly depending on the
    scenario but also adds unnecessary latency into the setup.

     
    John Smith, Dec 2, 2004
    #5
  6. In article <>,
    John Smith <> wrote:
    :as a general rule then, would you recommend double nat'ing, or avoiding it
    :if not absolutely necessary?
    :double nat'ing is not only difficult to set up correctly depending on the
    :scenario but also adds unnecessary latency into the setup.

    There are lots of different configuration items that can add
    "unnecessary latency", but people still use them anyhow. For example
    on some of the Cisco architectures (perhaps now all defunct),
    access-lists applied "out" on an interface were much more efficient
    than access-lists applied "in" on the same interface.

    People often turn on (or leave enabled) features that require process
    switching for at least some of the packets. Unnecessary latency is
    rampant in the business... and it sometimes takes rather a lot
    of digging and experimentation to figure out what latencies one
    can remove while still implementing the necessary functionality.

    I've probably lost track of which thread is which again, but I
    seem to recall that the PIX the OP has is a 501 or perhaps 515,
    which aren't exactly paragons of low latency and high throughput.

    As is the case for many topologies, double-NATing is a tradeoff
    that needs to be evaluated case-by-case against the architecture,
    security requirements, and budget of the organization. You wouldn't
    go and deliberately implement it just to prove how clever you are,
    but it might make the most sense in a lot of smaller offices.


    A real-life example that has cropped up here more than once is
    that if one has an existing 501 protecting one's main network
    and one has a small subgroup that needs extra protections,
    then it can make financial sense to implement the inner
    protections with a second 501 instead of upgrading to
    a 506E with 6.3(4) and using the new logical interface feature
    on it (which requires the cooperation of 802.1Q compliant switches),
    or of upgrading to a 515E or higher in order to be able to use an
    additional hardware interface.
    --
    I don't know if there's destiny,
    but there's a decision! -- Wim Wenders (WoD)
     
    Walter Roberson, Dec 2, 2004
    #6
  7. Ants

    John Smith Guest

    Let's not forget that some apps are not even compatible with NAT, let alone
    double NAT...
    But hey, thanks for answering your own question.

     
    John Smith, Dec 2, 2004
    #7
  8. In article <>,
    John Smith <> wrote:
    :lets not forget that some apps are not even compatible with NAT let alone
    :double NAT...

    But then your comment about being sure not to double-NAT would be
    irrelevant: if they have applications that won't survive single NAT
    then the OP would need to re-topology (e.g., get a public IP range
    routed down the existing single IP.)

    :but hey, thanks for answering your own question.

    My question, which is not yet answered, was why you said to
    "be sure" not to double-NAT. "Be sure" implies "Don't do it,
    it'll either break everything or will cause so much trouble as not
    to be worth even thinking about."

    In cases where it's a tradeoff between potential [rectifiable]
    configuration mistakes and costs or equipment or topology constraints
    about getting public IPs through to the inner security device, and
    the OP has already indicated that they know they are doing double
    NAT, then I would expect comments more along the line of "I advise
    against this for beginners", or "It is common to make subtle mistakes
    when one NATs twice, so if it is practical I recommend you rearrange
    your network so that you are only NATing once."
    --
    Ceci, ce n'est pas une idée.
     
    Walter Roberson, Dec 2, 2004
    #8
  9. Ants

    John Smith Guest

    Wow, you really like to hear yourself talk, don't you?

     
    John Smith, Dec 2, 2004
    #9
  10. In article <>,
    John Smith <> wrote:
    :wow, you really like to hear yourself talk, dont you?

    I am fairly well known in this and several other newsgroups (and other
    media) for providing long-winded but comprehensive and understandable
    explanations of complex technical points; and I am known for quickly
    finding answers that others miss. I am also well known to vendors'
    support staff for detailing problems in the underlying logic model of
    their code.

    I do not have access to any NDA material or private documentation when
    I am undertaking these tasks: what I do have is a fair bit of
    experience in deducing how things work by looking not just at what is
    said, but also -how- it is said, and by what is -not- said.

    And that's why I'm questioning your choice of wording: you haven't
    withdrawn your original wording, and you haven't offered clarification
    of the problems you were warning about that one needed to "be sure" to
    avoid, so we are left uncertain as to what message you were trying
    to convey.
    --
    Positrons can be described as electrons traveling backwards in time.
    Certainly many Usenet arguments about the past become clearer when they
    are re-interpreted as uncertainty about the future.
    -- Walter Roberson
     
    Walter Roberson, Dec 2, 2004
    #10
  11. Ants

    John Smith Guest

    Go ahead and add anal retentive and megalomaniac to long-winded.

     
    John Smith, Dec 2, 2004
    #11
  12. In article <>,
    John Smith <> wrote:
    :go ahead and add anal retentive and megalomaniac to longwinded.

    John, I haven't insulted you: I've just asked you to clarify for us
    your thinking about a technical point you wrote.

    I learn quite a lot by reading the questions posted here, and reading
    other peoples' answers. All kinds of people here have encountered
    situations or read documents that I haven't and that I would never have
    thought about putting together the way they have. I'm asking you to
    share your perspective on double-NAT so that we can learn from your
    experiences.
    --
    And the wind keeps blowing the angel / Backwards into the future /
    And this wind, this wind / Is called / Progress.
    -- Laurie Anderson
     
    Walter Roberson, Dec 2, 2004
    #12
  13. Ants

    Rod Dorman Guest

    In article <>,
    John Smith <> wrote:
    >go ahead and add anal retentive and megalomaniac to longwinded.


    Now you've crossed over from odd sense of humor to just plain abusive.

    Anyone who has read this newsgroup for more than a couple of weeks
    will recognize Walter as one of the more helpful contributors
    participating in this newsgroup. I often read his postings even when
    the subject isn't something I'm particularly interested in and I
    usually learn something new.

    If you don't agree with something he said then refute it in a calm,
    rational manner; if you don't like the way he says it then killfile him,
    but stop these infantile attacks.

    --
    -- Rod --
    rodd(at)polylogics(dot)com
     
    Rod Dorman, Dec 3, 2004
    #13
  14. Ants

    dmcknigh Guest

    (Rod Dorman) wrote in message news:<coqgoh$f78$>...
    > In article <>,
    > John Smith <> wrote:
    > >go ahead and add anal retentive and megalomaniac to longwinded.
    >
    > Now you've crossed over from odd sense of humor to just plain abusive.
    >
    > Anyone who has read this newsgroup for more than a couple of weeks
    > will recognize Walter as one of the more helpful contributors
    > participating in this newsgroup. I often read his postings even when
    > the subject isn't something I'm particularly interested in and I
    > usually learn something new.
    >
    > If you don't agree with something he said then refute it in a calm
    > rational manor, if you don't like the way he says it then killfile him
    > but stop these infantile attacks.


    Walter -
    I, for one, appreciate the completeness of your responses and your
    willingness to answer anyone's questions. While I've worked with PIXes
    for around 5 years now, I still learn new things from reading your
    responses.
    If somebody has a problem with "verbosity", then let them ignore your
    posts (as the previous OP suggested). The flame response was
    unnecessary and IMO, undeserved.
    -dmcknigh-
     
    dmcknigh, Dec 6, 2004
    #14
