• Status: Solved
  • Priority: Medium
  • Security: Public

1 linux box trying to reach another linux box across the internet, through PIX

ok, here's my output from a PIX log file:

302013: Built inbound TCP connection 17021737 for outside:x.x.x.12/50876 (x.x.x.12/50876) to inside:x.x.x.7/22 (x.x.x.30/22)
302014: Teardown TCP connection 17022180 for outside:x.x.x.12/50882 to inside:x.x.x.7/22 duration 0:00:09 bytes 3183 TCP FINs
302014: Teardown TCP connection 17022310 for outside:x.x.x.12/50885 to inside:x.x.x.7/22 duration 0:00:03 bytes 3183 TCP FINs
302014: Teardown TCP connection 17022310 for outside:x.x.x.12/50885 to inside:x.x.x.7/22 duration 0:00:03 bytes 3183 TCP FINs

ok, in the PIX config:
access-list acl_outside permit ip host x.x.x.12 host x.x.x.30  
static (inside,outside) x.x.x.30 x.x.x.7 netmask 255.255.255.255 0 0
outbound  12 permit x.x.x.7 255.255.255.255 0 ip

I'm trying to allow an outside Linux server to get to an inside Linux server. The inside can get to the outside, but the outside can't get in, and the above is what the log shows.
dlitty7 (Author) commented:
this is the error received on the Linux side trying to log in:

reverse mapping checking getaddrinfo for ima x-x-x-30.ima-art.org failed - POSSIBLE BREAKIN ATTEMPT!
The authenticity of host 'x.x.x.30 (x.x.x.30)' can't be established.
RSA key fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'x.x.x.30' (RSA) to the list of known hosts.
admin@x.x.x.30's password:

does this look like an issue between the linux boxes?
pjedmond commented:
That message is to be expected!

The sshd does a number of checks to see whether the DNS matches the information provided by the hosts. Any inconsistencies are flagged up. Inconsistencies occur when you connect to a 'dyndns tracked' server, because every time you connect, the IP address will have changed, and the stored 'known host key' will not match the IP address. The second area where there is a problem is when you connect from an external client through a firewall to an internal host. The internal host will identify itself, and the client's DNS attempts to confirm it. The client will receive a DNS response from a DNS server *external* to the network, and it is unlikely to match, hence the error.

If the connecting client is *internal* to the network, then the DNS response will probably come from an internal network DNS server and match - and hence no error like the one above.

Either of these circumstances will produce the above result...and is to be expected. Provided the server host ip is static, you will only get this error once. If dynamic, then virtually every time you connect.

Provided you understand why this error is occurring, then it is not a problem.

HTH:)
dlitty7 (Author) commented:
ok, this is a start, but you'll have to give me more to go on regarding the Linux side, as I know Jack and Squat about Linux, and Jack just left town :)  As you can see, the PIX firewall is doing its job: the outside IP is attaching to the external IP of the network, and then that external IP is matching the assigned internal IP. Pls explain the DNS side a bit more, because the IPs are all static; how do I resolve the DNS problem?
dlitty7 (Author) commented:
the answer was:  the Linux boxes did NOT have SSH enabled on them, once the Linux boxes allowed SSH it was fine.  thx for your help!
pjedmond commented:
reverse mapping checking getaddrinfo for ima x-x-x-30.ima-art.org failed - POSSIBLE BREAKIN ATTEMPT!
The authenticity of host 'x.x.x.30 (x.x.x.30)' can't be established.
RSA key fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'x.x.x.30' (RSA) to the list of known hosts.
admin@x.x.x.30's password:

Requires the sshd to be running! Otherwise you would not be presented with the RSA key, or indeed be asked for a password to log in to an ssh terminal.

If the sshd was not running, you'd either get a timeout, or the connection would be rejected.
dlitty7 (Author) commented:
ok, I'm confused, because according to the PIX log, from the original part of the question:
302013: Built inbound TCP connection 17021737 for outside:x.x.x.12/50876 (x.x.x.12/50876) to inside:x.x.x.7/22 (x.x.x.30/22)
302014: Teardown TCP connection 17022180 for outside:x.x.x.12/50882 to inside:x.x.x.7/22 duration 0:00:09 bytes 3183 TCP FINs
302014: Teardown TCP connection 17022310 for outside:x.x.x.12/50885 to inside:x.x.x.7/22 duration 0:00:03 bytes 3183 TCP FINs
302014: Teardown TCP connection 17022310 for outside:x.x.x.12/50885 to inside:x.x.x.7/22 duration 0:00:03 bytes 3183 TCP FINs

these are all indications of a timeout, so this jives with part of what you are saying. What doesn't jive is that the error shown on the Linux box only happens IF SSH was enabled. Now, I didn't enable the SSH, I was just told that it wasn't, so I don't know if someone isn't telling me something, but at least I've learned a little something about Linux... WAIT A MINUTE!!!  I got it:

there were 2 Linux boxes at the outside site, and 2 Linux boxes on the inside side. The dude just called me and said that he had the WRONG IP address in the PIX for 1 of those Linux boxes at the outside LAN, and I only had the error for 1 of those outside Linux boxes, not both. So that must have been it!!!  He said he put the correct IP in the PIX (he had given me the incorrect IP to begin with, but the other one was correct) and everything is fine. So that would explain why the connection was attempted but timed out: SSH was enabled, but on the wrong box!
thx for your help, I did learn a little bit about Linux!
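A small parser for the PIX 302013 (Built) and 302014 (Teardown) lines quoted in this thread, added here as an example and not part of the original posts. It assumes constructed sample lines using documentation addresses in place of the x.x.x.* values, and it pairs each teardown with its build so you can read the real (inside) address, the mapped (static NAT) address, and the teardown reason; a "TCP FINs" teardown with payload bytes means the inside host actually answered on port 22, whereas a "SYN Timeout" with 0 bytes means the ACL and static let the SYN through but nothing replied.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the same shape as the post's log (addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
302013: Built inbound TCP connection 17021737 for outside:198.51.100.12/50876 (198.51.100.12/50876) to inside:10.0.0.7/22 (203.0.113.30/22)
302014: Teardown TCP connection 17021737 for outside:198.51.100.12/50876 to inside:10.0.0.7/22 duration 0:00:09 bytes 3183 TCP FINs
302014: Teardown TCP connection 17022310 for outside:198.51.100.12/50885 to inside:10.0.0.7/22 duration 0:30:00 bytes 0 SYN Timeout
"""

BUILT_RE = re.compile(
    r"^302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<real>[\d.]+)/(?P<dport>\d+) \((?P<mapped>[\d.]+)/\d+\)$")
TEARDOWN_RE = re.compile(
    r"^302014: Teardown TCP connection (?P<id>\d+) for \w+:[\d.]+/\d+ to \w+:[\d.]+/\d+ "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+)$")

@dataclass
class Conn:
    conn_id: str
    src: str
    real_dst: str          # inside address after the static NAT (x.x.x.7 in the post)
    mapped_dst: str        # outside-visible address (x.x.x.30 in the post)
    dport: int
    duration_s: Optional[int] = None
    bytes: Optional[int] = None
    reason: Optional[str] = None

def parse_pix_log(text):
    """Return {connection id: Conn}, merging Built and Teardown records by id."""
    conns = {}
    for line in text.splitlines():
        m = BUILT_RE.match(line)
        if m:
            conns[m["id"]] = Conn(m["id"], m["src"], m["real"], m["mapped"], int(m["dport"]))
            continue
        m = TEARDOWN_RE.match(line)
        if m:
            # A teardown without a matching build (log rotated) still gets a record.
            c = conns.setdefault(m["id"], Conn(m["id"], "?", "?", "?", 0))
            c.duration_s = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            c.bytes = int(m["bytes"])
            c.reason = m["reason"]
    return conns

def completed_handshake(c):
    """True when the inside host answered: normal FIN close with payload, not a SYN timeout."""
    return c.reason == "TCP FINs" and (c.bytes or 0) > 0
```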