ssh tunnel oddity (AFP548 Community forums, Open Mike)
January 25, 2006 at 8:08 pm #364960
Mark (Participant)

Hey all,
I’m trying to set up an ssh tunnel to securely encapsulate afp and filemaker services, something I’ve done many times before with no hint of the problems seen here.

First I went for broke, setting up the actiontec dsl modem/router to forward to the sonicwall and then to the local machine running ssh. (Side note: they’re running dual NAT so they can have an unprotected wireless network for clients yet no access to the wired/secured services.) IP-wise it looks like this:

[public IP] -> actiontec lan 10.0.0.1 -> sonicwall wan 10.0.0.2 -> sonicwall lan 192.168.0.1 -> afp/fmpro server 192.168.0.2

I’m going to remove fmpro from the equation to make things simpler. Here is the command I’m using:

ssh -l admin -L 1025:192.168.0.2:548 theirhostname.dyndns.org

First attempt – logged in no problem, the ports show as open when I do a port scan on localhost. I get the normal connection dialog box that says:

Connecting to localhost:1025

Soon after, another one comes up for about 10 seconds:

Looking up “localhost:1015.”

(I also tried 127.0.0.1:1015)

After a couple minutes I get an alert:

“Connection failed
The server may not exist or it is not operational at this time. Check the server name or IP address and try again.”

FYI I tested the connection using my verizon (wireless data/net access) card in my laptop so I would be truly outside their network. After double checking the basics, I started to isolate the sonicwall. Put my laptop between the actiontec and the sonicwall (at 10.0.0.5) and tried to connect, same thing. Then I set up another computer with afp services and ssh, redid sonicwall port mapping, same problem. I should mention I was successful in connecting to both servers while on their subnet, with no ssh tunnel.

Next I tried isolating the actiontec by putting just one machine behind it (at 10.0.0.2, temporarily replacing the sonicwall) – exact same symptom. No matter which network I’m on (behind either the sonicwall, the actiontec, or using verizon) I can connect to my home network using the exact same command, only with my home ip info instead.

So at this point I’m really curious to find out where things went wrong. It’s gotta be some numbskull thing, but today I can honestly say it got the better of me. As far as I can tell I’ve eliminated the actiontec, sonicwall, the command itself (source), and the destination machine from being problems... which means it should be working!! Logically I can only think BOTH the actiontec and the sonicwall have issues with ssh tunnels, but that can’t be right because ssh tunnels are so basic to set up on a routing level (tcp port 22, that’s it).
Thoughts?
Thanks!
January 26, 2006 at 9:50 pm #364989
Mark (Participant)

macshome wrote:
> Assuming that works then try your AFP tunnel. If the SSH endpoint is also the AFP server then do your port mapping to 127.0.0.1. E.g. “ssh -l admin -L 1025:127.0.0.1:548 theirhostname.dyndns.org”.

THANK YOU!!! This fixed it.

macshome wrote:
> As far as the double NAT for un-restricted wireless. Why not put the access point outside the firewall/in the DMZ for guests and have employees VPN in, or have a hidden access point inside that’s WPA protected for them?

The dsl modem/router is also the wireless ap, so it is in fact outside the firewall (the sonicwall). If I could make the dsl modem not a router and put it in bridging mode I would – then I could put it in the sonicwall’s dmz and be a happy camper. I’m somewhat against having a wireless network directly attached (no nat or anything) to a network, even if its ssid is hidden and it’s WPA encrypted... mostly because I like to be overly paranoid about wireless security.

I still set things like that up occasionally, but I make sure folks fully understand what they’re getting into! In this particular (small) office, it’s easy enough to just plug into ethernet if they want access to secure services. Plus they’re lawyers so they don’t mind going the extra mile for security.

Thanks again for your time and help.
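An added example, not from the thread or from either poster: a small POSIX shell checker for an `ssh -L` forwarding spec that applies the fix macshome gave (the destination host is resolved from the SSH endpoint's side, so an endpoint that is itself the AFP server should be addressed as 127.0.0.1) and also flags a listener bound to anything other than loopback. The function name, the optional `bind:` field handling and the second LAN address used in the checks are my assumptions; the 1025:192.168.0.2:548 spec is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check an "ssh -L" forwarding
# spec. The destination host is resolved from the SSH endpoint's point of
# view, so when the endpoint is itself the AFP server the destination
# should be its loopback address.
# Args: the -L spec ([bind:]localport:desthost:destport, IPv4/hostnames
# only) and the SSH endpoint's LAN address. Prints the corrected spec.
check_forward_spec() {
    spec=$1
    endpoint_ip=$2
    bind_addr=localhost
    had_bind=0
    # Split the spec on ':' into positional parameters.
    old_ifs=$IFS
    IFS=:
    set -- $spec
    IFS=$old_ifs
    case $# in
        3) local_port=$1; dest_host=$2; dest_port=$3 ;;
        4) bind_addr=$1; local_port=$2; dest_host=$3; dest_port=$4; had_bind=1 ;;
        *) echo "bad -L spec: $spec" >&2; return 1 ;;
    esac
    for p in "$local_port" "$dest_port"; do
        case $p in
            ''|*[!0-9]*) echo "non-numeric port in $spec" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port $p out of range in $spec" >&2; return 1
        fi
    done
    # A non-loopback bind address exposes the forwarded AFP port to the
    # network the laptop sits on, not just to the local user.
    case $bind_addr in
        localhost|127.0.0.1) ;;
        *) echo "warning: listener bound to $bind_addr is reachable from other hosts" >&2 ;;
    esac
    # The fix from the thread: the endpoint reaches its own service via loopback.
    if [ "$dest_host" = "$endpoint_ip" ]; then
        dest_host=127.0.0.1
    fi
    if [ "$had_bind" = 1 ]; then
        printf '%s:%s:%s:%s\n' "$bind_addr" "$local_port" "$dest_host" "$dest_port"
    else
        printf '%s:%s:%s\n' "$local_port" "$dest_host" "$dest_port"
    fi
}

# The spec from the thread, where endpoint 192.168.0.2 is also the AFP server.
check_forward_spec 1025:192.168.0.2:548 192.168.0.2
```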