Ssh – Cannot Traceroute/ssh outside network


My server cannot connect to ANYTHING EXTERNAL via ssh. I also cannot traceroute to any of them. Machines on the same network work fine via SSH and traceroute. This machine is connected to the internet as I can fetch and install packages just fine. I can also SSH to this machine. It's just outgoing SSH/traceroute that isn't working for some reason.

SSH:

administrator@nrj-linux-staging:~$ ssh administrator@testing2.xxxxxxxxxxxxxx.com
Connection refused

Traceroute:

traceroute to testing2.xxxxxxxxxxxxxxxxxxx.com (xxx.xxx.xxx.xxx), 30 hops max, 60 byte packets
1  * * *
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *
11  * *

traceroute to www.google.com (74.125.227.50), 30 hops max, 60 byte packets
1  * * *
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *

Netstat:

administrator@nrj-linux-staging:~$ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:mysql         *:*                     LISTEN     
tcp        0      0 localhost:6379          *:*                     LISTEN     
tcp        0      0 10.0.0.42:http-alt      *:*                     LISTEN     
tcp        0      0 *:ftp                   *:*                     LISTEN     
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp        0      0 *:5984                  *:*                     LISTEN     
tcp6       0      0 [::]:47439              [::]:*                  LISTEN     
tcp6       0      0 [::]:tproxy             [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 [::]:51774              [::]:*                  LISTEN     
udp6       0      0 [::]:33848              [::]:*                             
udp6       0      0 [::]:mdns               [::]:*                             
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     6938     @/com/ubuntu/upstart
unix  2      [ ACC ]     SEQPACKET  LISTENING     7517     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     7527     /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     7850     /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     10483    /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     7889     /home/gitlab/gitlab//tmp/sockets/gitlab.socket

Routing Table:

administrator@nrj-linux-staging:~$ route -n   
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.225      0.0.0.0         UG    100    0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0

I can ping the gateway:

administrator@nrj-linux-staging:~$ ping 10.0.0.225
PING 10.0.0.225 (10.0.0.225) 56(84) bytes of data.
64 bytes from 10.0.0.225: icmp_req=1 ttl=255 time=0.354 ms
64 bytes from 10.0.0.225: icmp_req=2 ttl=255 time=0.310 ms
64 bytes from 10.0.0.225: icmp_req=3 ttl=255 time=0.314 ms
64 bytes from 10.0.0.225: icmp_req=4 ttl=255 time=0.325 ms
64 bytes from 10.0.0.225: icmp_req=5 ttl=255 time=0.431 ms

This box has an identical interface configuration. It is also worth noting that other boxes on this same network apparently have an identical problem.

The DNS is pointed to the gateway.

The firewall on this network is set up to allow secure shell outgoing, IP outgoing, etc. I am not sure what else is required to get this working. I can provide you with whatever else you guys need. I am using a Cisco firewall with the ASDM utility via a Windows box. Thanks for the help.

Here is how NAT is configured RIGHT NOW:

We have two sites, we will call them site a and site b.

Site B is in the building in which our developers work. Site A is production, and contains the firewall. The root domain name of our product points to the static global IP of Server 'A'. On the firewall, when traffic on the ssh service is detected as incoming to the address of Server 'A', it translates it to keep the original source and set the destination to Server 'B', which is the Linux box that I need to be able to secure shell out of back to Site 'B'. There is also a NAT rule that translates outgoing packets with a source of Server 'B' to have a source of Server 'A' and keep the original destination.

Thanks again for the help

Best Answer

If all of the subnet can't go out, it is probably a firewall issue. Since you're using ASDM, you have an ASA firewall. Check the access list on the interface with 10.0.0.225 (assuming that is your ASA) and make sure you have ICMP and SSH allowed. Remember: ASA rules are automatically reflexive, meaning that any rule only needs to be set in the direction it is started (in your case from 10.0.0.0/24 to any, protocol ssh and ICMP). If you want to check whether or not the ASA should forward the packet, you can use packet tracer under tools in your ASDM. Two tips:

  1. Make sure to select the correct starting interface (I always forget)
  2. Make sure to uncheck Show Animation, since all it does is show an animation and make you wait longer.
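As an added example (not part of the question or the answer), here is the rule the answer describes written as ASA CLI configuration, followed by the CLI form of the ASDM packet tracer check. It assumes the inside interface is named `inside`, that 10.0.0.225 sits on it, and that traceroute uses the Linux default UDP probe ports; the ACL name is a placeholder.

```cisco
! Added example: outbound access list for the inside interface (10.0.0.0/24).
! Interface and ACL names are assumptions, not taken from the question.
! The ASA is stateful, so only the initiating direction needs a permit;
! return traffic for these connections is allowed automatically.
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 any eq ssh
access-list INSIDE_IN extended permit icmp 10.0.0.0 255.255.255.0 any
! Linux traceroute sends UDP probes to 33434 and up by default (assumed range).
access-list INSIDE_IN extended permit udp 10.0.0.0 255.255.255.0 any range 33434 33534
access-group INSIDE_IN in interface inside

! Let the ASA track ICMP statefully so echo replies and the
! time-exceeded messages traceroute relies on are allowed back in.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! CLI equivalent of Tools > Packet Tracer in ASDM: simulate an outbound SSH
! connection from the staging box (10.0.0.42) and report per-phase ACL,
! NAT and route decisions with the final ALLOW/DROP verdict.
packet-tracer input inside tcp 10.0.0.42 40000 74.125.227.50 22 detailed
```

Run the packet-tracer line before and after the ACL change; a DROP verdict names the phase (ACL, NAT, route lookup) that rejected the packet, which narrows the problem faster than repeated traceroutes from the host.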