All Juniper related discussions.
plex
New Member
Posts:
1
Joined:
Wed Aug 31, 2011 9:26 pm

Help! Hosting multiple SSH servers behind single public IP

Wed Aug 31, 2011 9:37 pm

Hi. First post on the forum - not sure how active this community is, but I'm optimistic! I'm a relatively new/young network admin, but eager to learn and be taught.

Looking for help with simultaneous network *and* port translation on Juniper SSG-550 with single public IP available. Changing the listening port on the SSH servers is *not* an option.

Specifically, I'm trying to do:

(public) 1.1.1.1:2116 -> (private) 192.168.1.101:22
(public) 1.1.1.1:2117 -> (private) 192.168.1.102:22
(public) 1.1.1.1:2118 -> (private) 192.168.1.103:22
etc...

I've looked through the cookbook but I'm new to MIPs and VIPs; I've only worked with DIPs, besides some of my colleagues :)

I know with DIPs (1-to-1) I would do:
set interface ethernet0/2 dip $some_dip_id 1.1.1.1 1.1.1.1 fix-port
set route 1.1.1.1/32 interface ethernet0/1 gateway 192.168.1.101
set policy from "Untrust" to "DMZ" "Any" "1.1.1.1/32" "SSH" nat dst ip 192.168.1.101 permit
set policy from "DMZ" to "Untrust" "192.168.1.101/32" "ANY" "SSH" nat src dip-id $some_dip_id permit


but this doesn't cover my situation, because I only have 1 public IP address to run multiple SSH servers behind.
I've come up with this, but looking for verification before I implement.

set arp NAT-DST
set service "SSH-2116-192.168.1.101" protocol tcp src 1024-65535 dst 2116
set policy from "Untrust" to "Untrust" "ANY" "1.1.1.1/32" "SSH-2116-192.168.1.101" nat dst ip 192.168.1.101 port 22 permit


I'm not sure what the "set arp NAT-DST" statement does either, if someone could kindly explain.

Thank you!

-plex

burnyd
Post Whore
Posts:
3159
Joined:
Fri Nov 13, 2009 5:15 pm
Certs:
CCIE R&S/SP,CCNP-SP,JNCIA,VCP510,VCA-DCV

Re: Help! Hosting multiple SSH servers behind single public

Thu Sep 01, 2011 2:36 am

Working with Netscreens I cannot think of a possible solution; you're looking to load balance. Normally where I work in this situation I would have 1.1.1.1 MIP to 192.168.1.x, allow SSH to it.... then I would go to our load balancer and add 192.168.1.x as the load balancer IP to load balance to the 4 different nodes.


A VIP on the Netscreens will take for example 1.1.1.1:80 and send it to 192.168.1.1 if it sees it on port 80. You might want to use 1.1.1.1:3389 and that will send it to 192.168.1.50, a different server, depending on the destination port.
http://danielhertzberg.wordpress.com - I blog about networks!

mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: Help! Hosting multiple SSH servers behind single public

Thu Sep 01, 2011 2:42 am

You can indeed do this with a VIP.

Create the VIP
Create a VIP service for each server. Map external:2116 --> internal:22 and so on
Create policy allowing traffic to the VIP
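Putting mellowd's three steps together with the OP's port-to-server mapping, as an added example (not configuration posted in the thread): a small Python script that emits the ScreenOS VIP and policy lines and refuses mappings that would collide or point at the wrong kind of address. The interface name, zone names and the exact `set interface ... vip` command form are assumptions to check against the CLI reference for your ScreenOS release.

```python
# Added example, not from the thread. Emits ScreenOS VIP statements for
# "public_ip:ext_port -> server:22" mappings like the OP's.
# Assumed (verify against your release's CLI reference):
#   set interface <if> vip <vip_ip> <ext_port> <service> <server_ip>
#   set policy from <zone> to <zone> "Any" "VIP(<vip_ip>)" <service> permit
# The predefined "SSH" service supplies the internal port (22), so the
# servers keep their listening port; only the external port differs.
from ipaddress import ip_address

PUBLIC_IP = "1.1.1.1"
# Constructed from the OP's mapping: (external port, internal SSH server)
MAPPING = [(2116, "192.168.1.101"), (2117, "192.168.1.102"), (2118, "192.168.1.103")]


def validate(public_ip, mapping):
    """Return a list of problems; an empty list means the mapping is usable."""
    errors = []
    if ip_address(public_ip).is_private:
        errors.append(f"VIP address {public_ip} is not a public address")
    seen_ports = set()
    for port, server in mapping:
        if port in seen_ports:  # two VIP services on one external port cannot both match
            errors.append(f"external port {port} is mapped twice")
        seen_ports.add(port)
        if not 1024 <= port <= 65535:  # keep well-known ports clear of the firewall's own services
            errors.append(f"external port {port} is outside 1024-65535")
        if not ip_address(server).is_private:
            errors.append(f"server {server} is not an RFC 1918 address")
    return errors


def vip_config(public_ip, mapping, untrust_if="ethernet0/2", from_zone="Untrust", to_zone="DMZ"):
    """Return the ScreenOS lines: one VIP service entry per mapping, one policy for the VIP."""
    errors = validate(public_ip, mapping)
    if errors:
        raise ValueError("; ".join(errors))
    lines = []
    for port, server in sorted(mapping):
        lines.append(f'set interface {untrust_if} vip {public_ip} {port} "SSH" {server}')
    # A single policy covers every service bound to the VIP address object.
    lines.append(f'set policy from "{from_zone}" to "{to_zone}" "Any" "VIP({public_ip})" "SSH" permit')
    return lines


if __name__ == "__main__":
    print("\n".join(vip_config(PUBLIC_IP, MAPPING)))
```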

burnyd
Post Whore
Posts:
3159
Joined:
Fri Nov 13, 2009 5:15 pm
Certs:
CCIE R&S/SP,CCNP-SP,JNCIA,VCP510,VCA-DCV

Re: Help! Hosting multiple SSH servers behind single public

Thu Sep 01, 2011 12:11 pm

^^ Yes but that would require changing source port. I think he said that was not an option.
http://danielhertzberg.wordpress.com - I blog about networks!

mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: Help! Hosting multiple SSH servers behind single public

Thu Sep 01, 2011 12:18 pm

You would not need to change the server's listening port. In the OP's post he did mention that the source port can change:

Specifically, I'm trying to do:

(public) 1.1.1.1:2116 -> (private) 192.168.1.101:22
(public) 1.1.1.1:2117 -> (private) 192.168.1.102:22
(public) 1.1.1.1:2118 -> (private) 192.168.1.103:22
etc...

Morphic
New Member
Posts:
21
Joined:
Wed May 05, 2010 3:27 am
Certs:
CCNA, VCP3&5 ,JNCIS-FWV, JNCIS-SEC CCNP

Re: Help! Hosting multiple SSH servers behind single public

Sun Nov 06, 2011 4:58 am

Totally right, VIPs are the way to go.

