External IP address of iSeries machine

We are trying to set up secure ftp with a trading partner and need to send them our external IP address.  How do I find it?  

Also, what needs to be done on our end?  The trading partner said that we will pick up an RSA Key when we connect.
Gary Patterson VP Technology / Senior Consultant Commented:

Sorry, just noticed I had a typo in the system name in the Telnet command.  Try this:

TELNET RMTSYS('v4address.com')

The 10.10 address that tech services gave you is an internal IP address.  

I've set up a lot of these connections (both the AS/400 component and the firewall components at both ends).  Your trading partner almost certainly did one of two things:

1) Created a "permit" rule in their firewall that allows inbound SSH connections (protocol used by sFTP) that originate from your external IP address.  This could very well be the same address that you use when connecting to your company's VPN, but does not have to be.

This kind of connection isn't really what we'd refer to as a "tunnel", but I can see why someone not familiar with networking terminology might use that term.  It does allow traffic to get through the firewall.  If they don't have the correct external IP address set up in their firewall, you won't be able to access their server.  

This is the most common configuration.

2) Second option is that they worked with your network team to create a site-to-site VPN tunnel between the two networks.  In that case, they would usually need the external IP address to establish the tunnel, but then you would use a private address on their network to access their sFTP server.  

This is less common - and certainly less common when all you need to do is transfer files occasionally.

What are the first two octets of the IP address that you are using to try to access their sFTP server?

Maybe try rephrasing the question with your network team.  Try this:

"I'm working with our trading partner, ____________.  We need to send them some files via sFTP from our AS/400, which has an inside address of 10.10.x.x.  

They need to know our external address (our public source address) that requests will be coming in from.  That would be the NATted address of the AS/400, so that they can open up an exception in their firewall for us.

Can you tell me what external IP address is associated with 10.10.x.x in our firewall so that I can give them the correct address?"

If they can't figure that out, then ask them:

"In that case, can you just give me the entire range of possible external addresses?"

Then give the address range to your trading partner and they can open up the entire range.  After you connect, they should be able to look at their logs, see what address you came in from, and then just lock down to that one address if desired.

Other approaches:  Contact your internet service provider directly and ask for your public address range.

Or escalate the request to someone on your tech services team who will take the time to talk to you and figure out what it is you actually need.

You also need to be aware that in a lot of environments, your network or security team may have intentionally locked down external access to and from your AS/400 for security reasons.  This is pretty common.  If so, you'll need to work with your team as well to get rules or exceptions set up to allow the AS/400 to initiate SSH requests to the trading partner system, and to receive responses back from that system as well.

If you can find the right person, this is a five minute conversation.  It is a common setup, and should be very easy for any qualified network tech to help you with, once they understand the question.  

Be persistent, and keep explaining until they understand what it is you need.  Sometimes it is helpful to conference in the trading partner network technician so they can talk "network person to network person".

- Gary Patterson

Check out my EE profile: http://www.experts-exchange.com/M_4382324.html
Nick Rhode IT Director Commented:

Will give you our external address
When your client software makes an SFTP connection the server will send its public SSH key.  The client software will probably prompt you to accept or reject the key.  If you reject it then it will drop the connection.  If you accept it, it will save a copy of the key and the address of the server.  The next time the software connects it will not prompt as long as the server sends the same key.  This prevents someone else from setting up a fake version of the server.  If they use a different public key you will notice that you had to re-accept it; if they try to re-use the original public key they won't have the matching private key for decryption.
Gary Patterson VP Technology / Senior Consultant Commented:
Since you probably don't have a browser installed on your AS/400 (and a text browser like Lynx is the only thing you could have, since there is no GUI...), you can try:

TELNET RMTSYS('4vaddress.com')

This connects to a Telnet auto-responder service maintained by the nice folks at Sixscape communications.  

Several possibilities on the IP address issue:

1) AS/400 is directly connected to the Internet without NAT.  In that case, you can just GO CFGTCP, and select option 1 - Work With Interfaces to see the IP addresses assigned to each interface.  This isn't a common configuration, and I don't encourage it from a security perspective.

2) If you only have one internet connection, and all of your systems including the AS/400 share a single external IP address, and connect through a NAT firewall, then you can just use a browser-based tool like "www.whatismyip.com" or ipchicken.com from any system on your network with a browser like an earlier poster suggested.

3) In a multiple-address location, if the TELNET trick doesn't work, you'll need to contact your network administrator.  Most likely there is a NAT relationship set up in your firewall that associates the AS/400 private address with one of your public addresses, and some rules blocking outbound Telnet.

4) Finally, it is also possible that the AS/400 is completely (and intentionally) isolated from the Internet, and the answer is "there is no external address for that system".

- Gary Patterson
Gary Patterson VP Technology / Senior Consultant Commented:
First, you have to have the right utilities installed to enable SSH and sFTP:

5733SC1 IBM Portable Utilities for i5/OS *BASE & Option 1
57XXSS1 Option 33 (Portable Application Solutions Environment)

Then, you have to configure public-key authentication on IBM i.  

Note that the RSA key you generate using ssh-keygen is associated with a specific user profile, and you must use that same profile to perform the sFTP transfers.  

You can use one profile and public key to communicate with multiple trading partners, or you can set up a different profile and key for each trading partner.


Finally, here is a very basic example of how to automate an sFTP script:


- Gary Patterson
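An added example, not from this thread or from Gary's post, that covers both the automated sFTP script mentioned above and the host-key behaviour described earlier in the thread: a POSIX shell wrapper for the IBM i PASE/QSH shell that runs under the profile owning the key pair and only connects when the partner's host key is already pinned in known_hosts. The partner host, account name and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive sftp upload wrapper for the
# PASE/QSH shell on IBM i, run under the user profile that owns the ssh-keygen key pair.
# Placeholders, not real partner values: sftp.partner.example, account ibmi_xfer.
PARTNER_HOST="sftp.partner.example"
PARTNER_USER="ibmi_xfer"
KNOWN_HOSTS="${HOME}/.ssh/known_hosts"
IDENTITY="${HOME}/.ssh/id_rsa"

# Return 0 when known_hosts already pins a key for the host, 1 otherwise.
# Plain (unhashed) entries only: the first field is a comma-separated list of
# host names; hashed "|1|..." entries and "#" comments are skipped.
host_key_pinned() {
    _host="$1"; _file="$2"
    [ -r "$_file" ] || return 1
    awk -v h="$_host" '
        $1 !~ /^[|#]/ { n = split($1, names, ",")
                        for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
        END { exit found ? 0 : 1 }' "$_file"
}

# Batch commands for one transfer; "sftp -b" stops at the first failing command.
write_batch() {
    printf 'put %s %s\nbye\n' "$1" "$2"
}

# Command line: batch mode (never prompts), public-key auth only, and strict host
# key checking so an unknown or changed server key aborts instead of being accepted.
build_sftp_cmd() {
    printf 'sftp -b %s -i %s -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -o PasswordAuthentication=no %s@%s\n' \
        "$1" "$IDENTITY" "$KNOWN_HOSTS" "$PARTNER_USER" "$PARTNER_HOST"
}

# Upload LOCAL as REMOTE. Refuse unless the partner's key is already pinned: the
# fingerprint is verified with the partner out of band and added once, never auto-accepted.
upload() {
    host_key_pinned "$PARTNER_HOST" "$KNOWN_HOSTS" || {
        echo "no host key for $PARTNER_HOST in $KNOWN_HOSTS; verify and add it first" >&2
        return 2
    }
    _batch=$(mktemp) || return 1
    write_batch "$1" "$2" > "$_batch"
    eval "$(build_sftp_cmd "$_batch")"
    _rc=$?
    rm -f "$_batch"
    return $_rc
}

# From a CL program: QSH CMD('/home/IBMI_XFER/sftp_put.sh --upload /tmp/inv.csv inbound/inv.csv')
case "${1:-}" in --upload) upload "$2" "$3" ;; esac
```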
baiedw Author Commented:
The telnet test logs me off of the iSeries and brings up a login screen.

whatismyip displays the ip number of our vpn.

The trading partner we are trying to connect to said that they have created a tunnel for a specific ip number, which is the vpn number, and we should be able to connect with putty and accept a key.  Since the connection times out every time I was thinking that we told them the wrong IP number.  That is why I am trying to verify the number of our iSeries machine.  Our tech services gave me a number starting with 10.10. which I know is not correct.
To clarify with regard to the keys.  The server will definitely give you its SSH public key when your client connects and it is also possible that the server will want you to provide your own SSH public key for user authentication.  Some SFTP servers allow users to log in with username/password but others are configured to require the client (you) to provide your own public key as part of the user authentication process.
baiedw Author Commented:
They told us that we do not have to give them anything, that we just need to connect with the correct ip number and then we accept the key.
baiedw Author Commented:
Thanks for your help Gary, I learned a few things.  Unfortunately our network group says it is too hard to set up secure ftp on the iSeries.  They said they will come up with a solution.  I hope it is one that works.  Thanks again.
Gary Patterson VP Technology / Senior Consultant Commented:

Lol.  Secure FTP takes about 10 minutes to set up on the iSeries.  Nothing complicated about it.  I've done it dozens of times.  

Maybe there are network restrictions in place that make it complicated or something like that, or maybe they just don't know how to do it and don't want to go to the effort to figure it out.  If they already have a good sFTP solution set up elsewhere, then that might be the best approach anyhow.

Good luck.

- Gary
There is secure FTP, and there is sftp. Those are two very different things. Secure FTP is easy. But sftp can take some study and some effort when doing it the first time. Be sure the difference is known and understood. Regardless, both can be used on the AS/400 series of systems; and the requirements are effectively the same as on any other system.

Gary Patterson VP Technology / Senior Consultant Commented:
Tom brings up a good point. Maybe we should define some terms.

I'm operating under the assumption that you want to use "SSH File Transfer Protocol", also called "Secure File Transfer Protocol", or SFTP.  

I'm basing this in part on the information about using an RSA key, and "They told us that we do not have to give them anything, that we just need to connect with the correct ip number and then we accept the key."

This is all consistent with SFTP.

There are other "secure file transfer" implementations, such as FTP over SSL/TLS, and SCP, but my money on this one is on SFTP.  If it is running across TCP port 22, it is sFTP.


- Gary Patterson