SSH into outside int

Discussion in 'Cisco' started by Ants, Dec 1, 2004.

  1. Ants

    Ants Guest

    hi,
    have a cisco router internet facing and a pix behind it on the lan...
    i am having difficulties ssh'ing into the pix (from an external office site
    via www) outside int which has a private ip.

    www-----*rtr**------**pix***----lan

    * external facing ip
    ** both private 10.10.10.x addresses
    *** priv 192.168.x.x

    I've created an rsa key etc.. no luck.
    added ssh 0.0.0.0 0.0.0.0 outside

    do i need to nat my ext remote office's ip to the inside of my RTR?
    thanks
     
    Ants, Dec 1, 2004
    #1

  2. :i am having difficulties ssh'ing into the pix (from an external office site
    :via www) outside int which has a private ip.

    :www-----*rtr**------**pix***----lan

    :* external facing ip
    :** both private 10.10.10.x addresses

    :I've created an rsa key etc.. no luck.
    :added ssh 0.0.0.0 0.0.0.0 outside

    :do i need to nat my ext remote office's ip to the inside of my RTR?

    You need to ip nat static tcp port 22 (ssh) of your external IP
    into tcp port 22 of the private outside IP of the PIX.
     
    Walter Roberson, Dec 1, 2004
    #2
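    The static port translation Walter describes, written out as an added example (not configuration from either poster). Addresses are placeholders: 203.0.113.10 is the router's public IP, 10.10.10.2 the PIX outside interface, 198.51.100.5 the remote office's public IP; the inbound ACL and the narrowed PIX `ssh` statement are assumptions added so that only the remote office can reach the forwarded port.

```cisco
! --- Router (IOS), hypothetical addresses ---
interface FastEthernet0/0
 description Internet-facing (public IP, placeholder)
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 ip access-group SSH-IN in
!
interface FastEthernet0/1
 description Link to PIX outside interface
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! Static port forward: TCP/22 on the public address -> TCP/22 on the PIX
! outside interface. "extendable" lets other ports of the same global IP
! be translated separately later.
ip nat inside source static tcp 10.10.10.2 22 203.0.113.10 22 extendable
!
! Inbound ACL is evaluated before outside-to-inside translation, so it
! matches on the public (global) address. Only the remote office may
! reach the forwarded SSH port; other SSH attempts are logged and dropped.
ip access-list extended SSH-IN
 permit tcp host 198.51.100.5 host 203.0.113.10 eq 22
 deny   tcp any host 203.0.113.10 eq 22 log
 permit ip any any
!
! --- PIX (6.x), outside interface 10.10.10.2 ---
! hostname and domain-name must be set before the RSA key is generated
hostname pix
domain-name example.invalid
ca generate rsa key 1024
ca save all
! The PIX sees the remote office's untranslated source address, so
! restrict the 0.0.0.0 0.0.0.0 rule from the question to that host.
ssh 198.51.100.5 255.255.255.255 outside
ssh timeout 10
```

The trailing `permit ip any any` keeps the router's existing traffic policy unchanged; replace it with the site's real inbound policy. On PIX 6.x the SSH login is username `pix` with the Telnet password (`passwd`) unless AAA is configured.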

  3. Ants

    John Smith Guest

    are you double NAT'ing? both at the router and pix?
    this is a bit off topic, but make sure you aren't double NATing.
     
    John Smith, Dec 2, 2004
    #3
  4. :are you double NAT'ing? both at the router and pix?
    :this is a bit off topic, but make sure you aren't double NATing.

    What reasons would you give for denying double NATing? Sure in
    some cases it is unnecessary work, but if both NATing devices are
    able to handle the appropriate state inspections, then what problems
    do you foresee?

    Consider, for example, that I have a LAN on which I am using private
    IPs: partly so that I don't need to pay thousands of dollars for an
    extra /24; partly because there are some security benefits; and
    partly because internally I can use a private /16 and in so doing
    not have to *route* between local machines that happen to live
    in different public /24's.

    Now consider that I have finance people within my LAN, and the financial
    documents are more sensitive than our regular documents. The
    finance people need a firewall of their own, security in depth. Now,
    what IP address range do I use on the inside of the interior firewall?
    When answering, keep in mind that the PIX firewall cannot be operated
    as a "filter": the inside interface IP range *must* be different than
    the outside interface IP range on a PIX.
     
    Walter Roberson, Dec 2, 2004
    #4
  5. Ants

    John Smith Guest

    as a general rule then, would you recommend double nat'ing, or avoiding it
    if not absolutely necessary?
    double nat'ing is not only difficult to set up correctly depending on the
    scenario but also adds unnecessary latency into the setup.
     
    John Smith, Dec 2, 2004
    #5
  6. :as a general rule then, would you recommend double nat'ing, or avoiding it
    :if not absolutely necessary?
    :double nat'ing is not only difficult to set up correctly depending on the
    :scenario but also adds unnecessary latency into the setup.

    There are lots of different configuration items that can add
    "unnecessary latency", but people still use them anyhow. For example
    on some of the Cisco architectures (perhaps now all defunct),
    access-lists applied "out" on an interface were much more efficient
    than access-lists applied "in" on the same interface.

    People often turn on (or leave enabled) features that require process
    switching for at least some of the packets. Unnecessary latency is
    rampant in the business... and it sometimes takes rather a lot
    of digging and experimentation to figure out what latencies one
    can remove while still implementing the necessary functionality.

    I've probably lost track of which thread is which again, but I
    seem to recall that the PIX the OP has is a 501 or perhaps 515,
    which aren't exactly paragons of low latency and high throughput.

    As is the case for many topologies, double-NAT'ing is a tradeoff
    that needs to be evaluated case-by-case against the architecture,
    security requirements, and budget of the organization. You wouldn't
    go and deliberately implement it just to prove how clever you are,
    but it might make the most sense in a lot of smaller offices.


    A real-life example that has cropped up here more than once is
    that if one has an existing 501 protecting one's main network
    and one has a small subgroup that needs extra protections,
    then it can make financial sense to implement the inner
    protections with a second 501 instead of upgrading to
    a 506E with 6.3(4) and using the new logical interface feature
    on it (which requires the cooperation of 802.1Q compliant switches),
    or of upgrading to a 515E or higher in order to be able to use an
    additional hardware interface.
     
    Walter Roberson, Dec 2, 2004
    #6
  7. Ants

    John Smith Guest

    let's not forget that some apps are not even compatible with NAT let alone
    double NAT...
    but hey, thanks for answering your own question.
     
    John Smith, Dec 2, 2004
    #7
  8. :let's not forget that some apps are not even compatible with NAT let alone
    :double NAT...

    But then your comment about being sure not to double-NAT would be
    irrelevant: if they have applications that won't survive single NAT
    then the OP would need to re-topology (e.g., get a public IP range
    routed down the existing single IP.)

    :but hey, thanks for answering your own question.

    My question, which is not yet answered, was why you said to
    "be sure" not to double-NAT. "Be sure" implies "Don't do it,
    it'll either break everything or will cause so much trouble as not
    to be worth even thinking about."

    In cases where it's a tradeoff between potential [rectifiable]
    configuration mistakes and costs or equipment or topology constraints
    about getting public IPs through to the inner security device, and
    the OP has already indicated that they know they are doing double
    NAT, then I would expect comments more along the line of "I advise
    against this for beginners", or "It is common to make subtle mistakes
    when one NATs twice, so if it is practical I recommend you rearrange
    your network so that you are only NAT'ing once."
     
    Walter Roberson, Dec 2, 2004
    #8
  9. Ants

    John Smith Guest

    wow, you really like to hear yourself talk, don't you?
     
    John Smith, Dec 2, 2004
    #9
  10. :wow, you really like to hear yourself talk, don't you?

    I am fairly well known in this and several other newsgroups (and other
    media) for providing long-winded but comprehensive and understandable
    explanations of complex technical points; and I am known for quickly
    finding answers that others miss. I am also well known to vendors'
    support staff for detailing problems in the underlying logic model of
    their code.

    I do not have access to any NDA material or private documentation when
    I am undertaking these tasks: what I do have is a fair bit of
    experience in deducing how things work by looking not just at what is
    said, but also -how- it is said, and by what is -not- said.

    And that's why I'm questioning your choice of wording: you haven't
    withdrawn your original wording, and you haven't offered clarification
    of the problems you were warning about that one needed to "be sure" to
    avoid, so we are left uncertain as to what message you were trying
    to convey.
     
    Walter Roberson, Dec 2, 2004
    #10
  11. Ants

    John Smith Guest

    go ahead and add anal retentive and megalomaniac to longwinded.
     
    John Smith, Dec 2, 2004
    #11
  12. :go ahead and add anal retentive and megalomaniac to longwinded.

    John, I haven't insulted you: I've just asked you to clarify for us
    your thinking about a technical point you wrote.

    I learn quite a lot by reading the questions posted here, and reading
    other peoples' answers. All kinds of people here have encountered
    situations or read documents that I haven't and that I would never have
    thought about putting together the way they have. I'm asking you to
    share your perspective on double-NAT so that we can learn from your
    experiences.
     
    Walter Roberson, Dec 2, 2004
    #12
  13. Ants

    Rod Dorman Guest

    Now you've crossed over from odd sense of humor to just plain abusive.

    Anyone who has read this newsgroup for more than a couple of weeks
    will recognize Walter as one of the more helpful contributors
    participating in this newsgroup. I often read his postings even when
    the subject isn't something I'm particularly interested in and I
    usually learn something new.

    If you don't agree with something he said then refute it in a calm
    rational manner; if you don't like the way he says it then killfile him,
    but stop these infantile attacks.
     
    Rod Dorman, Dec 3, 2004
    #13
  14. Ants

    dmcknigh Guest

    Walter -
    I, for one, appreciate the completeness of your responses and your
    willingness to answer anyone's questions. While I've worked with PIXes
    for around 5 years now, I still learn new things from reading your
    responses.
    If somebody has a problem with "verbosity", then let them ignore your
    posts (as the previous OP suggested). The flame response was
    unnecessary and IMO, undeserved.
    -dmcknigh-
     
    dmcknigh, Dec 6, 2004
    #14