Ssh from external source to dmz address is not connecting

samsco

I have tried to set up ssh access to a server for tech support but cannot get the port forward set correctly to hit the server in the dmz

I have  wan, lan, dmz

my email server is on the dmz

I set up a nat  port forward and a rule  which I want to restrict ssh access to the email server from a specific IP address. 
this is how I set it up

NAT 
If          Proto      Ext. port range    NAT IP                                              Int. port range
WAN    TCP              5678           192.168.8.10                                          22 (SSH)
                                                        (ext.:mystaticip)
RULE
Proto Source                      Port            Destination                  Port                  Gateway
TCP  xxx.xxx.xxx.xxx      5678              192.168.8.10            22 (SSH)                *

When the techie tries to log in from xxx  he says it will not connect

Should I change the RULE  so that the Destination is DMZ address or DMZ subnet?  If so how would the techie actually get to the specific address of the server

I can ssh to machines on my lan and then ssh to the server on the dmz  but I would prefer to have tech support people able to ssh directly to the machine I need help on.

any suggestions are appreciated

Thank you
walter

" most problems with a computer can be traced to the loose nut between the chair and the keyboard"

jimp

Why are you specifying a source port on the firewall rule? Remove that and it should work.

samsco

The thought was to use a non standard port to come in on to add a layer to the security of my network

I use a non standard port to access my accounting information and my company documents on the lan and was trying to do the
same with accessing the email server.

We will give your suggestion a try and see if that is where the problem is

thank you

wsams  :)

" most problems with a computer can be traced to the loose nut between the chair and the keyboard"

jimp

The source port on the firewall rule isn't the same as the external port on the NAT rule.

The NAT rule reads (in plain language)

Port forward from anyone on any port to the WAN IP on port 5678 into 192.168.8.10 on port 22.

The the firewall rule reads:

Allow from anyone with a source port of 5678 to reach 192.168.8.10 on port 22.

The "external port" on the NAT rule is not the same as the source port on a firewall rule. NAT happens before firewall rules are processed, so the external port is never seen or used in firewall rules. So you can leave the NAT rule alone and just edit the firewall rule, and it will be working on your non-standard port.

samsco

jimp

thank you for the instruction,  you correctly interpreted my mis-understanding of how the firewall works,

I will implement your suggestion and post results

wsams

" most problems with a computer can be traced to the loose nut between the chair and the keyboard"