dlitty7
asked on
1 Linux box trying to reach another Linux box across the internet, through PIX
ok here's me output from a PIX log file:
302013: Built inbound TCP connection 17021737 for outside:x.x.x.12/50876 (x.x.x.12/50876) to inside:x.x.x.7/22 (x.x.x.30/22)
302014: Teardown TCP connection 17022180 for outside:x.x.x.12/50882 to inside:x.x.x.7/22 duration 0:00:09 bytes 3183 TCP FINs
302014: Teardown TCP connection 17022310 for outside:x.x.x.12/50885 to inside:x.x.x.7/22 duration 0:00:03 bytes 3183 TCP FINs
302014: Teardown TCP connection 17022310 for outside:x.x.x.12/50885 to inside:x.x.x.7/22 duration 0:00:03 bytes 3183 TCP FINs
ok, in the PIX config:
access-list acl_outside permit ip host x.x.x.12 host x.x.x.30
static (inside,outside) x.x.x.30 x.x.x.7 netmask 255.255.255.255 0 0
outbound 12 permit x.x.x.7 255.255.255.255 0 ip
I'm trying to allow an outside Linux server to get to an inside Linux server.....the inside can get to the outside....but the outside can't get in...and the above is what the log shows....
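The 302013/302014 lines quoted in the question carry enough to tell whether the PIX is the problem: the build line shows both the mapped (global) address and the real inside address, so the static translation can be checked, and the teardown line gives the duration, byte count and the reason the session ended. The following is an added example, not code from this thread or from Cisco, that parses lines in that format and correlates build and teardown events by connection ID. The sample log is constructed (RFC 5737 documentation addresses in place of the x.x.x values); the reason strings other than "TCP FINs" are taken from Cisco's documented 302014 teardown reasons, and the interpretation attached to each reason is mine.

```python
import re

# Constructed sample, modelled on the 302013/302014 format quoted in the question.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
302013: Built inbound TCP connection 17021737 for outside:203.0.113.12/50876 (203.0.113.12/50876) to inside:192.0.2.7/22 (198.51.100.30/22)
302014: Teardown TCP connection 17021737 for outside:203.0.113.12/50876 to inside:192.0.2.7/22 duration 0:00:09 bytes 3183 TCP FINs
302013: Built inbound TCP connection 17021800 for outside:203.0.113.12/50890 (203.0.113.12/50890) to inside:192.0.2.8/22 (198.51.100.31/22)
302014: Teardown TCP connection 17021800 for outside:203.0.113.12/50890 to inside:192.0.2.8/22 duration 0:00:30 bytes 0 SYN Timeout
302013: Built inbound TCP connection 17021811 for outside:203.0.113.12/50891 (203.0.113.12/50891) to inside:192.0.2.9/22 (198.51.100.32/22)
302014: Teardown TCP connection 17021811 for outside:203.0.113.12/50891 to inside:192.0.2.9/22 duration 0:00:00 bytes 0 TCP Reset-I
"""

# The build line lists the real address first and the mapped (NAT) address in
# parentheses for both endpoints. A leading syslog timestamp or %PIX-6- tag is
# tolerated because only the message body is anchored.
BUILT = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<src_map>[\d.]+)/(?P<sport_map>\d+)\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<dst_map>[\d.]+)/(?P<dport_map>\d+)\)$"
)
TEARDOWN = re.compile(
    r"302014: Teardown (?P<proto>TCP|UDP) connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)

# Subset of Cisco's documented 302014 reasons; the verdict text is my reading of each.
VERDICT = {
    "TCP FINs": "completed: handshake finished, data exchanged, both sides closed",
    "SYN Timeout": "no-answer: inside host never replied to the SYN (nothing listening, host firewall, or wrong real IP in the static)",
    "TCP Reset-I": "refused: inside host sent RST, port closed",
    "TCP Reset-O": "refused: outside host sent RST",
    "Conn-timeout": "idle: connection idle timer expired",
}


def duration_seconds(text):
    """Convert the PIX h:mm:ss duration field to seconds."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_line(line):
    """Return a dict for a 302013 or 302014 line, or None for anything else."""
    m = BUILT.search(line)
    if m:
        rec = m.groupdict()
        rec["event"] = "built"
        return rec
    m = TEARDOWN.search(line)
    if m:
        rec = m.groupdict()
        rec["event"] = "teardown"
        rec["seconds"] = duration_seconds(rec["duration"])
        rec["bytes"] = int(rec["bytes"])
        return rec
    return None


def correlate(log_text):
    """Group build/teardown records by connection ID."""
    conns = {}
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec is not None:
            conns.setdefault(rec["id"], {})[rec["event"]] = rec
    return conns


def assess(conns):
    """Produce one finding per connection: NAT pair, how it ended, and a verdict."""
    findings = []
    for cid in sorted(conns, key=int):
        built = conns[cid].get("built")
        down = conns[cid].get("teardown")
        finding = {"id": cid, "real": None, "mapped": None, "reason": None,
                   "seconds": None, "bytes": None}
        if built is not None:
            finding["real"] = f'{built["dst"]}/{built["dport"]}'
            finding["mapped"] = f'{built["dst_map"]}/{built["dport_map"]}'
        if down is None:
            finding["verdict"] = "open: no teardown seen in this window"
        else:
            reason = down["reason"] or "unknown"
            finding.update(reason=reason, seconds=down["seconds"], bytes=down["bytes"])
            finding["verdict"] = VERDICT.get(reason, "other: see Cisco 302014 reason list")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in assess(correlate(SAMPLE_LOG)):
        print(f'{f["id"]} {f["mapped"]} -> {f["real"]} {f["reason"]} '
              f'({f["seconds"]}s, {f["bytes"]} bytes): {f["verdict"]}')
```

Run against the lines in the question, the script would show every teardown as "TCP FINs" with 3183 bytes after several seconds: the handshake completed through the PIX, the mapped x.x.x.30/22 was translated to the real x.x.x.7/22, and something on port 22 exchanged data before closing. A "SYN Timeout" with 0 bytes is the signature of a host that is not answering behind a correct static; a reset is the signature of a host that is up but has nothing listening on the port.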
ASKER CERTIFIED SOLUTION
ASKER
ok, this is a start, but you'll have to give me more to go on regarding the Linux side, as I know Jack and Squat about Linux, and Jack just left town :) As you can see, the PIX firewall is doing its job....the outside IP is attaching to the external IP of the network, and then that external IP is matching the assigned internal IP......pls explain the DNS side a bit more, because the IPs are all static, how do I resolve the DNS problem?
ASKER
the answer was: the Linux boxes did NOT have SSH enabled on them, once the Linux boxes allowed SSH it was fine. thx for your help!
reverse mapping checking getaddrinfo for ima x-x-x-30.ima-art.org failed - POSSIBLE BREAKIN ATTEMPT!
The authenticity of host 'x.x.x.30 (x.x.x.30)' can't be established.
RSA key fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx xxxxxxx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'x.x.x.30' (RSA) to the list of known hosts.
admin@x.x.x.30's password:
Requires the sshd to be running!.....otherwise you would not get presented with the RSA key, or indeed get asked for a password to log in to an ssh terminal.
If the sshd was not running, you'd either get a timeout, or the connection would be rejected.
ASKER
ok, I'm confused, because according to the PIX log, from the original part of the question:
302013: Built inbound TCP connection 17021737 for outside:x.x.x.12/50876 (x.x.x.12/50876) to inside:x.x.x.7/22 (x.x.x.30/22)
302014: Teardown TCP connection 17022180 for outside:x.x.x.12/50882 to inside:x.x.x.7/22 duration 0:00:09 bytes 3183 TCP FINs
302014: Teardown TCP connection 17022310 for outside:x.x.x.12/50885 to inside:x.x.x.7/22 duration 0:00:03 bytes 3183 TCP FINs
302014: Teardown TCP connection 17022310 for outside:x.x.x.12/50885 to inside:x.x.x.7/22 duration 0:00:03 bytes 3183 TCP FINs
these are all indications of a timeout....so this jibes with part of what you are saying. What doesn't jibe, is that the error shown on the Linux box only happens IF SSH was enabled......now, I didn't enable the SSH, I was just told that it wasn't, so I don't know if someone isn't telling me something................. but at least I've learned a little something about Linux.....WAIT A MINUTE!!! I got it:
there were 2 Linux boxes at the outside site, and 2 linux boxes in the inside side...the dude just called me and said that he had the WRONG IP address in the PIX of 1 of those Linux boxes at the outside LAN, and I only had the error for 1 of those outside linux boxes, not both. So that must have been it!!! He said he put the correct IP in the PIX (he had given me the incorrect IP to begin with, but the other one was correct) and everything is fine. So that would explain why the connection was attempted, but timed out....SSH was enabled, but on the wrong box!
thx for your help, I did learn a little bit about Linux!
ASKER
reverse mapping checking getaddrinfo for ima x-x-x-30.ima-art.org failed - POSSIBLE BREAKIN ATTEMPT!
The authenticity of host 'x.x.x.30 (x.x.x.30)' can't be established.
RSA key fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxx
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'x.x.x.30' (RSA) to the list of known hosts.
admin@x.x.x.30's password:
does this look like an issue between the Linux boxes?