[isalist] Re: Publishing a SSH Server (The solution)

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 13 May 2006 11:05:16 -0500

Hi Jim,
 
But I'm still not sure how it explains why adding a ROUTE Network Rule
solves the problem. Since the Network Rules are evaluated from the top
down, I would think that the NAT Network Rule would never trigger. So,
in a publishing situation, if the ROUTE Network Rule is active, then the
connection from the external host would have to be made to the actual
public IP address of the SSH server, and then ISA would use its "port
stealing" feature to grab the connection and forward it to the SSH
Server.
 
I'm so confused :)
 
Thanks!
Tom
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Saturday, May 13, 2006 10:21 AM
        To: isalist@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing a SSH Server (The solution)
        
        
        According to RFC 4254, there are many instances where NAT could break SSH traffic.
        The protocol itself tolerates NAT just fine for the most part, but a few extensions to the base protocol don't.
        http://www.faqs.org/rfcs/rfc4254.html is your point of reference...

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
        Sent: Thu 5/11/2006 8:30 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing a SSH Server (The solution)
        
        
        Wow. That is really whack. I hope we can someday figure out why this works!
         
        Tom
         
        Thomas W Shinder, M.D.
        Site: www.isaserver.org <http://www.isaserver.org/> 
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
        MVP -- ISA Firewalls

         


________________________________

                From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Wilmar Perez
                Sent: Thursday, May 11, 2006 10:16 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Publishing a SSH Server (The solution)
                
                

                Hello Tom

                 

                No, I didn't have to delete the NAT rule.  Right now it is working with the Route rule before the NAT rule, that is, the Route rule is higher.

                 

                Thanks

                 

                Wilmar

