Ssh from external source to dmz address is not connecting
-
I have tried to set up SSH access to a server for tech support, but I cannot get the port forward set correctly to hit the server in the DMZ.
I have WAN, LAN and DMZ.
My email server is on the DMZ.
I set up a NAT port forward and a rule with which I want to restrict SSH access to the email server from a specific IP address.
This is how I set it up:

NAT
If   | Proto | Ext. port range          | NAT IP       | Int. port range
WAN  | TCP   | 5678 (ext.: mystaticip)  | 192.168.8.10 | 22 (SSH)

RULE
Proto | Source          | Port | Destination  | Port     | Gateway
TCP   | xxx.xxx.xxx.xxx | 5678 | 192.168.8.10 | 22 (SSH) | *

When the techie tries to log in from xxx, he says it will not connect.
Should I change the RULE so that the Destination is the DMZ address or the DMZ subnet? If so, how would the techie actually get to the specific address of the server?
I can SSH to machines on my LAN and then SSH to the server on the DMZ, but I would prefer to have tech support people able to SSH directly to the machine I need help on.
Any suggestions are appreciated.
Thank you,
walter
"most problems with a computer can be traced to the loose nut between the chair and the keyboard"
-
Why are you specifying a source port on the firewall rule? Remove that and it should work.
-
The thought was to use a non-standard port to come in on, to add a layer to the security of my network.
I use a non-standard port to access my accounting information and my company documents on the LAN and was trying to do the same with accessing the email server. We will give your suggestion a try and see if that is where the problem is.
Thank you,
wsams :)
"most problems with a computer can be traced to the loose nut between the chair and the keyboard"
-
The source port on the firewall rule isn't the same as the external port on the NAT rule.
The NAT rule reads (in plain language):
Port forward from anyone on any port to the WAN IP on port 5678 into 192.168.8.10 on port 22.
The firewall rule reads:
Allow from anyone with a source port of 5678 to reach 192.168.8.10 on port 22.
The "external port" on the NAT rule is not the same as the source port on a firewall rule. NAT happens before firewall rules are processed, so the external port is never seen or used in firewall rules. So you can leave the NAT rule alone and just edit the firewall rule, and it will be working on your non-standard port.
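To make that evaluation order concrete, here is an added example (not from the thread or from pfSense) that simulates the NAT-then-filter pipeline with the two rules above; the WAN and support addresses are constructed stand-ins for mystaticip and xxx.xxx.xxx.xxx.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed addresses for the simulation: WAN_IP stands in for "mystaticip",
# SUPPORT_IP for the thread's xxx.xxx.xxx.xxx.
WAN_IP = "203.0.113.5"
MAIL_SERVER = "192.168.8.10"
SUPPORT_IP = "198.51.100.20"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

@dataclass(frozen=True)
class Rule:
    src_ip: str               # exact IP, or "*" for any
    src_port: Optional[int]   # None = any source port
    dst_ip: str
    dst_port: int

    def matches(self, p: Packet) -> bool:
        return (self.src_ip in ("*", p.src_ip)
                and self.src_port in (None, p.src_port)
                and self.dst_ip == p.dst_ip and self.dst_port == p.dst_port)

def port_forward(p: Packet) -> Packet:
    """The NAT entry from the thread: WAN:5678 -> 192.168.8.10:22.
    The 'external port' is the destination port before the rewrite."""
    if p.proto == "TCP" and p.dst_ip == WAN_IP and p.dst_port == 5678:
        return replace(p, dst_ip=MAIL_SERVER, dst_port=22)
    return p

def firewall_accepts(p: Packet, rule: Rule) -> bool:
    """NAT is applied first; the filter rule only ever sees the rewritten packet."""
    return rule.matches(port_forward(p))

# The rule as originally written (source port 5678) and as suggested (source port any).
ORIGINAL_RULE = Rule(SUPPORT_IP, 5678, MAIL_SERVER, 22)
CORRECTED_RULE = Rule(SUPPORT_IP, None, MAIL_SERVER, 22)

def support_login(rule: Rule, src_ip: str = SUPPORT_IP, ephemeral_port: int = 51234) -> bool:
    # An SSH client picks a random high source port; it never uses 5678 as its source port.
    return firewall_accepts(Packet(src_ip, ephemeral_port, WAN_IP, 5678), rule)
```

With the original rule `support_login` returns False because the client's source port is never 5678; with the corrected rule it returns True for the support IP only, so the restriction to one source address still holds.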
-
jimp
Thank you for the instruction; you correctly interpreted my misunderstanding of how the firewall works.
I will implement your suggestion and post results.
wsams
"most problems with a computer can be traced to the loose nut between the chair and the keyboard"