How to setup a policy to SSH through Firebox T35 to server on internal LAN

WatchGuard Firebox T35 with ver 12.5.2
Static IP WAN
Internal LAN - 192.n.n.n - 2 Servers

SNAT Server-2 192.n.n.n Port 22
Policy Custom: From Static IP Port nnn22 (For security)

Setup using info from: https://www.youtube.com/watch?v=12fHDwAA_Fg

I can SSH into Server on LAN without any problems.

Using the setup as per the above link, but changing IP & Ports as required, connection times out without any messages.

Need to be able to do this as a remote Synology NAS needs to access one of the servers for nightly backup.

Answers

  • james.carson Moderator, WatchGuard Representative

    Hi @ButchH

    First, I'd suggest upgrading the firmware on your firewall to at least 12.5.9 update 2. This is due to the cyclops blink malware that the version you are running may be susceptible to.

    You can find the firmware here:
    https://software.watchguard.com/SoftwareDownloads?familyId=a2R2A000002amFiUAI

    You can read more about it at detection.watchguard.com
    You can upgrade to 12.5.9 Update 2 even if your support contract is no longer in effect.

    With that out of the way, the firewall will only show a log message for a complete TCP connection -- so if the upstream device is ignoring the connection, you won't see an allow log.

    You can use the TCPDUMP tool to see if the firewall is sending traffic and it's not being responded to.

    -Open WatchGuard System Manager (WSM) and log in to your firewall.
    -Launch Firebox System Manager (FSM) from WSM.
    -In FSM, go to Tools -> Diagnostic Tasks.
    -In the network tab, choose TCP DUMP from the drop down menu.
    -Ignore the interface drop down, and click the advanced options checkbox.
    -In the arguments box, type the following string without the quotes:
    "-i eth1 host 1.2.3.4 and port 22"
    replace "eth1" with the interface the synology device is on if it's not eth1.
    replace 1.2.3.4 with the IP of the host you're initiating the connection from.

    Click start task.

    If the firewall is sending the traffic to the synology device but is not getting a response, you'll see the SYN packet go out, but nothing reply.

    Another issue may be that the firewall is ARPing for the synology device and it is not responding. You can use the argument "-i eth1 arp" to see arp traffic. If you see the firewall asking "who is " and is not getting a response, check the network settings on the synology device -- to ensure that the netmask and gateway are correct.

    If that fails, I'd suggest opening a support case so that one of our reps can assist you.

    -James Carson
    WatchGuard Customer Support
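    The two checks described in this answer (a SYN that goes out with no SYN-ACK coming back, and an ARP request that never gets a reply) can be read off the TCP DUMP task's text output by hand, but it is easy to automate. The script below is an added example written for this thread, not a WatchGuard tool or anything from the original post; it assumes standard tcpdump text output with the default `Flags [S]` / `Flags [S.]` notation and works over a constructed capture embedded inline (addresses from the documentation ranges, not anyone's real network).

    ```python
    import re
    from collections import defaultdict

    # Constructed tcpdump-style output (not a real capture): three unanswered SYN
    # retransmits to one internal server, one healthy handshake to a second server,
    # an ARP request for the first server that is never answered, and an answered
    # ARP request for the second.
    SAMPLE_CAPTURE = """\
    12:00:01.000001 IP 203.0.113.5.51234 > 192.0.2.10.22: Flags [S], seq 1000, win 64240, length 0
    12:00:02.000001 IP 203.0.113.5.51234 > 192.0.2.10.22: Flags [S], seq 1000, win 64240, length 0
    12:00:04.000001 IP 203.0.113.5.51234 > 192.0.2.10.22: Flags [S], seq 1000, win 64240, length 0
    12:00:05.000001 IP 203.0.113.9.40000 > 192.0.2.11.22: Flags [S], seq 2000, win 64240, length 0
    12:00:05.000500 IP 192.0.2.11.22 > 203.0.113.9.40000: Flags [S.], seq 3000, ack 2001, win 65160, length 0
    12:00:01.100000 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 28
    12:00:02.100000 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 28
    12:00:05.100000 ARP, Request who-has 192.0.2.11 tell 192.0.2.1, length 28
    12:00:05.100300 ARP, Reply 192.0.2.11 is-at 00:11:22:33:44:55, length 28
    """

    # "IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]" as printed by tcpdump for IPv4 TCP
    TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")
    ARP_REQ_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
    ARP_REP_RE = re.compile(r"ARP, Reply (\S+) is-at")


    def analyze_capture(text):
        """Return (unanswered_tcp, unanswered_arp).

        unanswered_tcp maps (client_ip, server_ip, server_port) -> number of SYNs
        sent for which the server never sent anything back (no SYN-ACK, no RST).
        unanswered_arp maps target_ip -> number of ARP requests with no reply.
        """
        syn_sent = defaultdict(int)   # (client, server, port) -> SYN count
        responded = set()             # (client, server, port) that saw any server packet
        arp_asked = defaultdict(int)  # target IP -> request count
        arp_answered = set()          # target IPs that replied

        for line in text.splitlines():
            m = TCP_RE.search(line)
            if m:
                src, sport, dst, dport, flags = m.groups()
                if flags == "S":
                    # Bare SYN: client -> server, keyed on the server side
                    syn_sent[(src, dst, int(dport))] += 1
                else:
                    # Anything else (S., R., ., P.) from src means src is answering;
                    # key it as (client=dst, server=src, port=sport)
                    responded.add((dst, src, int(sport)))
                continue
            m = ARP_REQ_RE.search(line)
            if m:
                arp_asked[m.group(1)] += 1
                continue
            m = ARP_REP_RE.search(line)
            if m:
                arp_answered.add(m.group(1))

        unanswered_tcp = {k: n for k, n in syn_sent.items() if k not in responded}
        unanswered_arp = {ip: n for ip, n in arp_asked.items() if ip not in arp_answered}
        return unanswered_tcp, unanswered_arp


    def report(text):
        """Human-readable verdict matching the troubleshooting steps in the answer."""
        tcp, arp = analyze_capture(text)
        lines = []
        for (client, server, port), n in sorted(tcp.items()):
            lines.append(f"{n} SYN(s) from {client} to {server}:{port} with no reply "
                         f"(firewall forwarded the traffic; the host did not answer)")
        for ip, n in sorted(arp.items()):
            lines.append(f"{n} ARP request(s) for {ip} unanswered "
                         f"(check that host's IP, netmask and gateway)")
        return lines or ["No unanswered SYNs or ARP requests found"]


    if __name__ == "__main__":
        # Run against the built-in sample; pipe real tcpdump output via stdin instead
        # with: analyze_capture(sys.stdin.read())
        for line in report(SAMPLE_CAPTURE):
            print(line)
    ```

    For a live check, save the TCP DUMP task output to a file and pass its contents to `analyze_capture`; an entry in the first result means the Firebox did its part and the problem is on the internal host or its routing, while an entry in the second points at the layer-2 settings the answer mentions.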

  • You can set up NAT loopback to test this access from an internal device, using the external IP addr. This will verify if your policy is correct or if the problem is someplace else, such as the default gateway on the NAS, etc.

    Just add Any-trusted to the From: field of this policy and then access the public IP addr using an SSH tool, from a device behind the firewall using the port defined on the custom policy.

    NAT Loopback and Static NAT (SNAT)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_loopback_static_c.html

  • Bruce: Did the Internal device through public IP & Port combo. Did not work, so I guess the Policy is the problem.

    James: Will be going in remote today to try your suggestions. Will report progress.

    Thanks to you both for your help.

  • Did you see an allow message for this test in Traffic Monitor?

    FYI - there is no security exposure to you to post private IP addrs/subnets on the boards.

  • Saved Configuration and Backup before Upgrading to v12.5.11.
    Upgrade successful after reboot.

    Did no changes to SNAT or Policies.

    Tried putty from a system external to the Firebox using the configured port and It Worked!

    Apparently, using putty on internal LAN going to the WAN static IP does not work. I am sure that there is a setting for that, but since the NAS will be external it does not really matter.

    Jason & Bruce, Thanks for your help.
