SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  enabling SSH remote access

    Posted 07-28-2014 08:20

    I've had a hard time getting remote SSH access to my SRX210.  Here is the configuration I have which should work right?

    root# run show configuration system services
    ssh {
        protocol-version v2;
    }
    xnm-clear-text;
    web-management {
        http {
            interface vlan.0;
        }
    }
    dhcp {
        router {
            172.31.86.1;
        }
        pool 172.31.86.0/24 {
            address-range low 172.31.86.100 high 172.31.86.130;
        }
        propagate-settings ge-0/0/0.0;
    }

    I also have it running on my WAN interface (fe-0/0/7) and untrust zone:

    root> show configuration security zones security-zone untrust
    address-book {
        address addr_10_15_15_0_24 10.15.15.0/24;
    }
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        fe-0/0/7.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
        st0.2;
    }

    What am I missing here?



  • 2.  RE: enabling SSH remote access

    Posted 07-28-2014 08:33

    Hello there,


    @skullbox2 wrote:

    What am I missing here?


    Two things:

    1/ You haven't shown us from where You are trying to SSH to this SRX210 and what destination address You use

    2/ What does the routing look like on Your SRX210

    Also, if You are using any kind of scripted SSH login, the very 1st SSH login will stall if SRX210 public key is not stored on the SSH client. Try to SSH into SRX210 manually and explicitly accept the public key when asked.

    HTH

    Thanks

    Alex



  • 3.  RE: enabling SSH remote access

    Posted 07-28-2014 09:49

    Thanks for the reply.  I'm just trying to SSH from outside.  The routing is two static routes, a default and tunnel:

    root> show configuration routing-options       
    static {
        route 0.0.0.0/0 next-hop 24.173.174.57;
        route 10.15.15.0/24 next-hop st0.2;
    }

    I have been testing SSH coming from 64.237.x.x.

    I am trying to SSH to .58, the main IP of the firewall.  It's working fine internally (using 172.31.86.1), but I never get a login prompt externally.  I have some DNAT setup on the .58 IP as it's sharing that for an Exchange server.  Could that be the problem?



  • 4.  RE: enabling SSH remote access

    Posted 07-28-2014 10:13

    "I have some DNAT setup on the .58 IP as it's sharing that for an Exchange server.  Could that be the problem?"

    It could be, is your DNAT port forwarding SSH (port 22) to the exchange server?



  • 5.  RE: enabling SSH remote access

    Posted 07-28-2014 10:42

    It is not.  Only the usual stuff like 443, 25, and RPC ports.  This isn't my first rodeo as I've used the SRX before.  I looked into an SRX550 to get the config I have now but it's still not working.  Here is my NAT setup:

    root> show configuration security nat
    source {
        rule-set trust-to-untrust {
            from zone trust;
            to zone untrust;
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
    destination {
        pool EX {
            address 172.31.86.33/32;
        }
        rule-set Ex {
            from zone untrust;
            rule SMTP {
                match {
                    destination-address 24.173.174.x/32;
                }
                then {
                    destination-nat pool EX;
                }
            }
        }
    }



  • 6.  RE: enabling SSH remote access
    Best Answer

    Posted 07-28-2014 11:02

    Maybe I'm missing something, but aren't you NATing all inbound traffic destined for the public IP of the SRX to your Exchange server (presumably 172.31.86.33/32)?  Your match statement in the dst NAT is just matching an IP, no port info.


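    Added example (not from the thread, and not Juniper's own recommended config): the destination NAT rule-set from post 5 narrowed to the Exchange ports so SSH to the public IP reaches the SRX itself, plus a loopback filter that limits who can open SSH to the Routing Engine, which is the follow-up goal the original poster mentions. The term names, the 64.237.0.0/16 management prefix and the 443 rule are assumptions; 24.173.174.x/32 is kept as redacted in the post.

```junos
# Constructed example in Junos "set" form (load with "load set terminal").
# Destination NAT keyed on destination-port: only 25 and 443 go to the
# Exchange pool; everything else to the public IP (including TCP/22) is
# handled by the SRX and its host-inbound-traffic settings.
set security nat destination pool EX address 172.31.86.33/32
set security nat destination rule-set Ex from zone untrust
set security nat destination rule-set Ex rule SMTP match destination-address 24.173.174.x/32
set security nat destination rule-set Ex rule SMTP match destination-port 25
set security nat destination rule-set Ex rule SMTP then destination-nat pool EX
set security nat destination rule-set Ex rule HTTPS match destination-address 24.173.174.x/32
set security nat destination rule-set Ex rule HTTPS match destination-port 443
set security nat destination rule-set Ex rule HTTPS then destination-nat pool EX

# Limit SSH to the Routing Engine: a stateless filter on lo0 sees traffic
# destined to the SRX itself regardless of which interface it arrived on.
# 64.237.0.0/16 is a placeholder for the real management source prefix.
set firewall family inet filter PROTECT-RE term ALLOW-SSH-MGMT from source-address 64.237.0.0/16
set firewall family inet filter PROTECT-RE term ALLOW-SSH-MGMT from source-address 172.31.86.0/24
set firewall family inet filter PROTECT-RE term ALLOW-SSH-MGMT from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-SSH-MGMT from destination-port ssh
set firewall family inet filter PROTECT-RE term ALLOW-SSH-MGMT then accept
set firewall family inet filter PROTECT-RE term DENY-SSH from protocol tcp
set firewall family inet filter PROTECT-RE term DENY-SSH from destination-port ssh
set firewall family inet filter PROTECT-RE term DENY-SSH then discard
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

    Verify with "show security flow session destination-port 22" after connecting: a session to the public IP should now terminate on the SRX rather than showing a translated destination of 172.31.86.33.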

  • 7.  RE: enabling SSH remote access

    Posted 07-28-2014 11:17

    I think I see what you are saying, so I would need to specify the individual ports in my DNAT statement and then the rest of the config above would let SSH through to the actual firewall.  I'll try that and see if it works.



  • 8.  RE: enabling SSH remote access

    Posted 07-28-2014 12:02

    That worked!  Thanks.  Once I added each port individually the SSH started working.  Now I can work on my firewall script to limit SSH access which is what I was trying to do before I realized SSH wasn't working at all 🙂



  • 9.  RE: enabling SSH remote access

    Posted 07-28-2014 12:32

    Cool, glad it worked, good luck on the script.