My server cannot connect to ANYTHING EXTERNAL via ssh. I also cannot traceroute to any of them. Machines on the same network work fine via SSH and traceroute. This machine is connected to the internet as I can fetch and install packages just fine. I can also SSH to this machine. It's just outgoing SSH/traceroute that isn't working for some reason.
SSH:
administrator@nrj-linux-staging:~$ ssh administrator@testing2.xxxxxxxxxxxxxx.com
Connection refused
Traceroute:
traceroute to testing2.xxxxxxxxxxxxxxxxxxx.com (xxx.xxx.xxx.xxx), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * *
traceroute to www.google.com (74.125.227.50), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
Netstat:
administrator@nrj-linux-staging:~$ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 localhost:6379 *:* LISTEN
tcp 0 0 10.0.0.42:http-alt *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:5984 *:* LISTEN
tcp6 0 0 [::]:47439 [::]:* LISTEN
tcp6 0 0 [::]:tproxy [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:51774 [::]:* LISTEN
udp6 0 0 [::]:33848 [::]:*
udp6 0 0 [::]:mdns [::]:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 6938 @/com/ubuntu/upstart
unix 2 [ ACC ] SEQPACKET LISTENING 7517 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 7527 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 7850 /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 10483 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 7889 /home/gitlab/gitlab//tmp/sockets/gitlab.socket
Routing Table:
administrator@nrj-linux-staging:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.225 0.0.0.0 UG 100 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
I can ping the gateway:
administrator@nrj-linux-staging:~$ ping 10.0.0.225
PING 10.0.0.225 (10.0.0.225) 56(84) bytes of data.
64 bytes from 10.0.0.225: icmp_req=1 ttl=255 time=0.354 ms
64 bytes from 10.0.0.225: icmp_req=2 ttl=255 time=0.310 ms
64 bytes from 10.0.0.225: icmp_req=3 ttl=255 time=0.314 ms
64 bytes from 10.0.0.225: icmp_req=4 ttl=255 time=0.325 ms
64 bytes from 10.0.0.225: icmp_req=5 ttl=255 time=0.431 ms
This box has an identical interface configuration. It is also worth noting that other boxes on this same network apparently have an identical problem.
The DNS is pointed to the gateway.
The firewall on this network is set up to allow secure shell outgoing, IP outgoing, etc. I am not sure what else is required to get this working. I can provide you with whatever else you guys need. I am using a Cisco firewall with the ASDM utility via a Windows box. Thanks for the help.
Here is how NAT is configured RIGHT NOW:
We have two sites, we will call them site a and site b.
Site b is in the building that our developers work. Site A is production, and contains the firewall. The root domain name of our product points to the static global IP of Server 'A'. On the firewall, when traffic on the ssh service is detected as incoming to the address of Server 'A', it translates it to keep the original source and set the destination to server 'B' which is the linux box that I need to be able to secure shell out of back to site 'B'. There is also a NAT rule that translates outgoing packets with a source of server 'b' to have a source of server 'a' and keep the original destination.
Thanks again for the help
Best Answer
If all of the subnet can't go out, it is probably a firewall issue. Since you're using ASDM, you have an ASA firewall. Check the access list on the interface with 10.0.0.225 (assuming that is your ASA) and make sure you have ICMP and SSH allowed. Remember: ASA rules are automatically reflexive, meaning that any rule only needs to be set in the direction it is started (in your case from 10.0.0.0/24 to any, protocol ssh and ICMP). If you want to check whether or not the ASA should forward the packet, you can use packet tracer under Tools in your ASDM. Two tips: Show Animation, since all it does is show an animation and make you wait longer.
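As an added example (not part of the question or the answer above): the ASA-side configuration the answer describes, written out as CLI, plus the command-line form of the packet-tracer check. The interface name "inside", the ACL name "inside_access_in" and the destination 203.0.113.10 are placeholders; 10.0.0.42 is the staging box's address taken from the netstat output in the question. One caveat a practitioner should know: Linux traceroute sends UDP probes to ports 33434-33534 by default, so permitting ICMP alone covers ping and "traceroute -I", but not a plain traceroute, which is why a UDP rule is included.

```cisco
! Added example, not from the original question or answer.
! Assumptions: inside interface is "inside" (10.0.0.225/24), its inbound
! ACL is "inside_access_in", 203.0.113.10 stands in for the remote host.

! Outbound SSH from the staging subnet. The ASA is stateful, so the
! return half of the connection needs no mirror rule on the outside ACL.
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq ssh

! ICMP echo for ping and "traceroute -I".
access-list inside_access_in extended permit icmp 10.0.0.0 255.255.255.0 any echo

! Default Linux traceroute uses UDP probes to 33434-33534, not ICMP.
access-list inside_access_in extended permit udp 10.0.0.0 255.255.255.0 any range 33434 33534

! Bind the ACL to the interface (without this the rules do nothing).
access-group inside_access_in in interface inside

! Let replies back in: echo-reply for ping, and the ICMP time-exceeded
! errors traceroute relies on, which need "inspect icmp error".
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! Simulate the three flows from the staging box and watch each phase
! (ACL, NAT, inspect). The output ends with "Action: allow" or "Action: drop"
! and names the phase that dropped the packet.
packet-tracer input inside tcp 10.0.0.42 40000 203.0.113.10 22 detailed
packet-tracer input inside icmp 10.0.0.42 8 0 203.0.113.10 detailed
packet-tracer input inside udp 10.0.0.42 40000 203.0.113.10 33434 detailed

! Hit counters confirm which rule real traffic is matching.
show access-list inside_access_in
```

The NAT phase in the packet-tracer output is where the source translation from the question (staging box rewritten to Server A's public address) should appear; if the trace stops before it, the drop is in the ACL and the rule above has not been applied or bound.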