Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  Temporary SSH Access to Juniper Via Egress/ge-0/0/0 Interface

    Posted 12-07-2016 14:27

    I need to temporarily allow SSH access over the Internet for management purposes, but, to save my life, I can’t seem to get it to work. Help appreciated—irrelevant portions of configuration removed for brevity.

    ## Last changed: 2016-12-07 19:54:24 MST
    version 15.1X49-D45;
    system {
    ...
        services {
            ssh {
                rate-limit 3;
            }
    ...
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone Internal;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            static {
                rule-set VPN-NAT {
                    from zone Internet;
                    rule VPN {
                        match {
                            destination-address ...
                        }
                        then {
                            static-nat {
                                prefix {
                                    ...
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy VPN {
                    match {
                        source-address any;
                        destination-address VPN;
                        application junos-pptp;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                host-inbound-traffic {
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                http;
                                https;
                                ssh;
                                telnet;
                            }
                        }
                    }
                    ge-0/0/2.0;
                }
            }
            security-zone Internet {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address ...
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address ...
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address ...
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop ...
        }
    }

  • 2.  RE: Temporary SSH Access to Juniper Via Egress/ge-0/0/0 Interface

    Posted 12-07-2016 16:05

    Create another security policy to allow it. If you have configured junos-host then you must also enable ssh there.
    from-zone Internet to-zone Internal {
        policy allow-ssh {
            match {
                source-address any; <====== if you have a fixed IP you can create an address-book entry for it and replace any with that entry
                destination-address any;
                application junos-ssh;
            }
            then {
                permit;
            }
        }
    }



  • 3.  RE: Temporary SSH Access to Juniper Via Egress/ge-0/0/0 Interface
    Best Answer

    Posted 12-08-2016 12:09

    I reviewed this further and the problem was related to the static nat—which forced all traffic to the nat destination and prevented the egress interface from seeing the traffic. Once I replaced the static nat with destination nat that limited the natting to the port used by the VPN, the egress interface properly received the ssh packets.

    Cheers.
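    The following is an added example, not configuration from any poster in this thread. It shows the shape of the fix the best answer describes (static NAT of the whole egress address replaced by destination NAT scoped to the PPTP control port, so SSH to the egress address reaches the device itself) together with the source restriction reply 2 suggests, implemented here as a loopback firewall filter. All addresses are constructed documentation placeholders: 203.0.113.1 stands for the ge-0/0/0 address, 192.0.2.10 for the internal PPTP server (the host behind the page's `VPN` address-book entry), and 198.51.100.7 for the administrator's fixed source address. It assumes no junos-host zone policies are configured; if they are, a permit for junos-ssh to junos-host is also needed, as reply 2 notes.

```junos
/* Added example, not from this thread. Addresses are constructed placeholders:
   203.0.113.1 = ge-0/0/0 address, 192.0.2.10 = internal PPTP server,
   198.51.100.7 = the administrator's fixed source address. */
security {
    nat {
        destination {
            pool VPN-PPTP {
                /* Only the PPTP control channel (tcp/1723) is redirected inside. */
                address 192.0.2.10/32 port 1723;
            }
            rule-set VPN-DNAT {
                from zone Internet;
                rule VPN {
                    match {
                        /* Scoped to one port, so tcp/22 to the egress address is
                           no longer translated away from the device itself. */
                        destination-address 203.0.113.1/32;
                        destination-port 1723;
                    }
                    then {
                        destination-nat {
                            pool {
                                VPN-PPTP;
                            }
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone Internet {
            interfaces {
                ge-0/0/0.0 {
                    /* Self-traffic is still gated by host-inbound-traffic. */
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                        }
                    }
                }
            }
        }
    }
}
/* Restrict who may reach SSH on the device: management from one fixed
   source address, everything else to tcp/22 is logged and discarded. */
firewall {
    family inet {
        filter PROTECT-RE {
            term mgmt-ssh {
                from {
                    source-address {
                        198.51.100.7/32;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term drop-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    log;
                    discard;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

    The existing `from-zone Internet to-zone Internal` policy `VPN` keeps working unchanged, because SRX policy lookup happens after destination NAT and therefore matches the translated address (the `VPN` address-book entry), and the `junos-pptp` application invokes the PPTP ALG, which takes care of the GRE data channel that the single-port rule does not cover. After committing, `show security nat destination rule all` shows hits on the VPN rule only for port 1723, `show security flow session destination-port 22` should show SSH sessions terminating on the device rather than being translated to the internal host, and `show firewall log` lists discarded SSH attempts from other sources.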