I need to temporarily allow SSH access over the Internet for management purposes, but, to save my life, I can’t seem to get it to work. Help appreciated. Irrelevant portions of the configuration have been removed for brevity.
## Last changed: 2016-12-07 19:54:24 MST
version 15.1X49-D45;
# System-level settings; parts of this stanza were trimmed by the poster ("...").
system {
...
services {
# Enables the SSH daemon on the device itself.
ssh {
# Caps new SSH connection attempts per minute, which slows password guessing
# but does not restrict who may connect.
# NOTE(review): no root-login or protocol-version statement is shown here;
# for an Internet-facing listener confirm "root-login deny" and
# "protocol-version v2" are set (they may be in the trimmed portion).
rate-limit 3;
}
...
}
# Flow-level security: screens, NAT, transit policies and zone definitions.
security {
screen {
# Defines a screen profile. A profile only takes effect once it is attached
# to a zone with "screen untrust-screen" under that security-zone.
# NOTE(review): the Internet zone below does not reference it; confirm the
# attachment was not lost when the configuration was trimmed.
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
# Outbound traffic from Internal to Internet is translated to the egress
# interface address.
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
static {
# Static NAT for traffic arriving from the Internet zone.
# NOTE(review): the matched destination address is elided. Static NAT
# translates every packet sent to that address unless the match is narrowed
# to specific ports. If it is the ge-0/0/0 interface address, SSH aimed at
# the device is translated toward the internal host and never reaches the
# local SSH daemon. Verify this first.
rule-set VPN-NAT {
from zone Internet;
rule VPN {
match {
destination-address ...
}
then {
static-nat {
prefix {
...
}
}
}
}
}
}
}
# Policies govern transit traffic between zones. SSH terminating on the device
# itself is controlled by host-inbound-traffic in the zones stanza, not here.
policies {
from-zone Internal to-zone Internet {
# Unrestricted outbound access for the Internal zone.
policy All_Internal_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internet to-zone Internal {
# Permits PPTP from any Internet source to the address named VPN.
# NOTE(review): PPTP's usual authentication and encryption (MS-CHAPv2/MPPE)
# are considered weak; consider replacing this exposure with IPsec or another
# modern VPN. No logging ("then log") is configured on this inbound permit.
policy VPN {
match {
source-address any;
destination-address VPN;
application junos-pptp;
}
then {
permit;
}
}
}
}
zones {
security-zone Internal {
# Zone-wide: every protocol is accepted by the device from Internal.
host-inbound-traffic {
protocols {
all;
}
}
interfaces {
ge-0/0/1.0 {
# Management services accepted on this interface. telnet and http carry
# credentials in cleartext; prefer ssh and https only.
host-inbound-traffic {
system-services {
ping;
dhcp;
http;
https;
ssh;
telnet;
}
}
}
ge-0/0/2.0;
}
}
security-zone Internet {
interfaces {
ge-0/0/0.0 {
# This statement is what lets SSH (and ping) reach the device from the
# Internet side. host-inbound-traffic has no source restriction, so any
# Internet host may attempt to log in.
# NOTE(review): pair it with a firewall filter on lo0 that limits SSH to
# the management source addresses, and remove "ssh" here once the
# temporary access is no longer needed.
host-inbound-traffic {
system-services {
ping;
ssh;
}
}
}
}
}
}
}
# Layer-3 interfaces; all addresses were elided by the poster.
# Per the zones stanza, ge-0/0/0.0 is in zone Internet and ge-0/0/1.0 and
# ge-0/0/2.0 are in zone Internal.
interfaces {
# Internet-facing interface.
# NOTE(review): no "filter input" is shown under family inet, so nothing at the
# interface level restricts which sources can reach the device. Confirm against
# the full configuration.
ge-0/0/0 {
unit 0 {
family inet {
address ...
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address ...
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address ...
}
}
}
}
# Static default route; the next hop was elided by the poster.
# Replies to SSH sessions initiated from the Internet leave via this route.
routing-options {
static {
route 0.0.0.0/0 next-hop ...
}
}