SSH Server behind PIX 515

SSH Server behind PIX 515
NewsGroups | Search | Tools
User Password
Register Now! Lost Password?
 comp.dcom.sys.cisco  Post an article  get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content  add this group's latest topics to your Google content  YahooMyWeb Yahoo!  Google Google  Windows Live Favorites Windows Live  del.icio.us del.icio.us  digg digg  Add to Netscape Netscape
Subject Author Date
SSH Server behind PIX 515 yanks2112 07-25-2008
Posted by yanks2112 on July 25, 2008, 9:50 am
If you were  Registered and logged in, you could reply and use other advanced thread options
PIX 514
V7.04

Hi,
We have an SSH server running on Linux that sites behind our PIX
firewall. Last week it stopped working, no changes to the PIX but a
hardware failure on the SSH server. The disks were moved to new
hardware and the server is up and running again. The problem we are
having is we can connect to the ssh server from behind the firewall,
but outside the firewall we get a "Connection Reset by Peer". The PIX
logs show this:

<166>Jul 24 2008 15:25:21: %PIX-6-302013: Built inbound TCP connection
36169350 for outside:192.168.100.100/39398 (208.120.61.139/39398) to
inside:10.10.10.10/22 (192.168.1.1/22)
<166>Jul 24 2008 15:25:21: %PIX-6-302014: Teardown TCP connection
36169350 for outside:192.168.100.100/39398 to inside:10.10.10.10/22
duration 0:00:00 bytes 25 TCP Reset-I

I captured packets from behind the firewall between the inside
interface and the ssh server and saw the three way handshake, then the
ssh server sending its version information and immdiately RST-ing the
packet.

No. Time Source Destination
Protocol Info
6445 19.599017 10.10.10.10 192.168.100.100
SSH Server Protocol: SSH-1.99-OpenSSH_3.7.1p2
No. Time Source Destination
Protocol Info
6446 19.601211 10.10.10.10 192.168.100.100
TCP 22 > 54783 [RST] Seq=26 Ack=4047764188 Win=0 Len=0

It appears that the ssh server is rst-ing the connection but I am not
sure why, The ssh admin thinks that this is a firewall issue. The
firewall admin (me) thinks that its an ssh (or server) issue since the
ssh server is rst-ing the packet.

Has anyone seen something like this just stop working? Is it the PIX
and I'm just missing something? Any help would be appreciated




Spring Sale Save 20% Banner - Sale Ended 5/3/07 So Updated to NonPromo Ad
Posted by Artie Lange on July 25, 2008, 10:17 am
If you were  Registered and logged in, you could reply and use other advanced thread options
yanks2112 wrote:
> PIX 514
> V7.04
>
> Hi,
> We have an SSH server running on Linux that sites behind our PIX
> firewall. Last week it stopped working, no changes to the PIX but a
> hardware failure on the SSH server. The disks were moved to new
> hardware and the server is up and running again. The problem we are
> having is we can connect to the ssh server from behind the firewall,
> but outside the firewall we get a "Connection Reset by Peer". The PIX
> logs show this:
>
> <166>Jul 24 2008 15:25:21: %PIX-6-302013: Built inbound TCP connection
> 36169350 for outside:192.168.100.100/39398 (208.120.61.139/39398) to
> inside:10.10.10.10/22 (192.168.1.1/22)
> <166>Jul 24 2008 15:25:21: %PIX-6-302014: Teardown TCP connection
> 36169350 for outside:192.168.100.100/39398 to inside:10.10.10.10/22
> duration 0:00:00 bytes 25 TCP Reset-I
>
> I captured packets from behind the firewall between the inside
> interface and the ssh server and saw the three way handshake, then the
> ssh server sending its version information and immdiately RST-ing the
> packet.
>
> No. Time Source Destination
> Protocol Info
> 6445 19.599017 10.10.10.10 192.168.100.100
> SSH Server Protocol: SSH-1.99-OpenSSH_3.7.1p2
> No. Time Source Destination
> Protocol Info
> 6446 19.601211 10.10.10.10 192.168.100.100
> TCP 22 > 54783 [RST] Seq=26 Ack=4047764188 Win=0 Len=0
>
> It appears that the ssh server is rst-ing the connection but I am not
> sure why, The ssh admin thinks that this is a firewall issue. The
> firewall admin (me) thinks that its an ssh (or server) issue since the
> ssh server is rst-ing the packet.
>
> Has anyone seen something like this just stop working? Is it the PIX
> and I'm just missing something? Any help would be appreciated
>
>
>

Does it work inside the firewall? Do you have any inspect rules for SSH
traffic? Not sure what OS you are running, but could you post some
inspect rules for your config?

Posted by yanks2112 on July 25, 2008, 10:55 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Hi Artie

Thanks for the quick reply.

Yes we can get to it from behind the firewall
We dont have any inspection rules for ssh (this works for other ssh
servers behind the firewall)
The OS is Suse linux (not sure what version, I'll chekc that out) the
PIX OS is 7.0(4)
The inspection rules fro the config:
inspect dns maximum-length 1024
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp

Thansk again

Posted by Artie Lange on July 25, 2008, 11:36 am
If you were  Registered and logged in, you could reply and use other advanced thread options
yanks2112 wrote:
> Hi Artie
>
> Thanks for the quick reply.
>
> Yes we can get to it from behind the firewall
> We dont have any inspection rules for ssh (this works for other ssh
> servers behind the firewall)
> The OS is Suse linux (not sure what version, I'll chekc that out) the

So you have other SSH servers that work behind the firewall? If so, I
would start by double checking to make sure that the NAT translation and
ACL's are constructed the same. If they are, I would suggest debugging
the errors from the SUSE box, tail -f /var/log/messages and you should
see some output of the error from there.

Posted by yanks2112 on July 25, 2008, 12:17 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
> yanks2112 wrote:
> > Hi Artie
>
> > Thanks for the quick reply.
>
> > Yes we can get to it from behind the firewall
> > We dont have any inspection rules for ssh (this works for other ssh
> > servers behind the firewall)
> > The OS is Suse linux (not sure what version, I'll chekc that out) the
>
> So you have other SSH servers that work behind the firewall? If so, I
> would start by double checking to make sure that the NAT translation and
> ACL's are constructed the same. If they are, I would suggest debugging
> the errors from the SUSE box, tail -f /var/log/messages and you should
> see some output of the error from there.

Thanks. I checked the NAT and ACLs and they look ok. The ssh logs
show:

11:39:24 10.10.10.10. sshd[6904]: Did not receive identification
string from ::ffff:192.168.100.100

Thanks again for your help

Similar ThreadsPosted
Importing a certiticate server on CSS 11503 with SSL module from RSA KEON server April 21, 2006, 12:54 pm
URGENT! PIX 501, Timeout between outside server and inside server October 12, 2005, 7:38 am
Cisco DHCP server and Microsoft DNS server September 11, 2007, 4:02 am
WWW server in DMZ, SQL Server Inside...newbie help needed January 17, 2008, 8:11 pm
server to server communications behind CSS 11501 January 6, 2006, 2:10 pm
ASA5510 dmz mail server forwarding to lan mail server April 25, 2007, 1:07 pm
Setting up a router with 29 Global IPs, BUT can't ping router internal interface from server or server interface from router December 11, 2005, 10:37 am
837. Unable to see internal web server from internal server. March 5, 2006, 8:52 am
SSH server on PIX. June 23, 2005, 2:10 pm
pix 501 as vpn server September 30, 2005, 11:23 am

other useful resources:
The Federal Communications Commission (FCC)
Telecommunications Industry Association
Electronic and Software Security Products and Services
International Telecommunication Union

Custom CGI Perl and PHP programming by 1-Script.com

Contact Us | Privacy Policy
The site map in XML format XML site map