SSH Tunnelling?


leaded
7th June 2006, 05:43 AM
I'm not sure I need to know about SSH Tunneling, but let me explain my scenario:

Up until this month, if I wanted to work from home it was easy. I used the Cisco VPN client to connect to our network and I could do anything I needed, as if I were in the office. If a port like SSH was blocked on a certain production server, I could first SSH into my work desktop and then ssh into the production server. Basically, I always SSH'd into my desktop as soon as I connected to the VPN.

Well, June rolled around and the contractor changed. Those who stayed all work for a new company. We moved our stuff down the street and we're all on a new network. We're still connected to [big gov't agency]'s network, but now the firewall rules freaking suck. The VPN has always connected right into [big gov't agency]'s network, and the [big gov't agency] could access any computer in our office with no problems. Now, in the new world, the only ports they can access are port 80 and 443, and that's only if they are on a certain subnet.

I'm kind of a rookie to networking, but I've been using Linux for a few years now. That's why I need some ideas here. I can deal with the security aspects later, but I'd like to know if this is possible:
Connect to the [big gov't agency] network using Cisco VPN.
SSH to a machine in the open subnet with port 80 or 443.
SSH into my desktop machine on another subnet
Have access to any machine in the network in my network as if I were at my desk.

Now, this still isn't ideal. If we want to access production servers in the main [big gov't agency] network, we have to VPN in, even if we're in the office. We're still having problems because some servers don't allow connections via the VPN (a problem someone's working on, since the only access to those boxes is LOCAL, stupid firewall rules). Also, I use VMware Server for development over ports 902 and 904, and that might not work. But if I wanted to SSH into my desktop from home, could it be done?

<gripe>This is one of the problems with government agencies. They're so concerned about impressing the CIO or whoever that they lock down everything so tight that nothing can be done. I mean, aren't the Cisco VPNs with the SecurID tokens supposed to be pretty good? This contract change is making it very difficult to do the things I used to be able to do. Like I said before, some production boxes aren't accessible anymore. I used to be able to, from my desk, SSH into them and make changes or whatever. Now, AT WORK, I can't access it at all. Ugh.</gripe>

Thanks in advance!

tebbens
7th June 2006, 06:20 AM
I'm kind of a rookie to networking, but I've been using Linux for a few years now. That's why I need some ideas here. I can deal with the security aspects later, but I'd like to know if this is possible:
Connect to the [big gov't agency] network using Cisco VPN.
SSH to a machine in the open subnet with port 80 or 443.
SSH into my desktop machine on another subnet
Have access to any machine in the network in my network as if I were at my desk.

You will not get access to anything unless you're allowed to VPN in.
Does your VPN client still connect?

If you can VPN in to the open subnet
and if the new firewall rules allow port 80 or 443 in AND out
and if you can setup an SSH server on that open subnet to use ports 80 or 443
and if that server can SSH to your desktop machine
then you will have no problem ! :)


Now, this still isn't ideal. If we want to access production servers in the main [big gov't agency] network, we have to VPN in, even if we're in the office. We're still having problems because some servers don't allow connections via the VPN (a problem someone's working on, since the only access to those boxes is LOCAL, stupid firewall rules). Also, I use VMware Server for development over ports 902 and 904, and that might not work. But if I wanted to SSH into my desktop from home, could it be done?

Unless you can VPN in, nothing else will work.

Having your desktop call out to you is a whole different story, and would probably get you fired.
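
The two-hop chain tebbens lays out (VPN, then a host on the open subnet running sshd on 443, then the desktop) maps directly onto OpenSSH's ProxyJump. The script below is an added example, not code from the thread; the host names, user and addresses are constructed placeholders, and it assumes OpenSSH 7.3 or newer on the client and that the open-subnet host's sshd has been set to listen on 443.

```shell
#!/bin/sh
# Added example: client-side ssh_config for VPN -> bastion (sshd on 443)
# -> desktop. Each hop is a separate, fully authenticated SSH session; the
# bastion only relays a TCP stream, so the desktop session is end-to-end
# encrypted and the bastion never sees its traffic in the clear.
make_ssh_config() {
    cat <<'EOF'
# Hop 1: the only host reachable from the VPN side (placeholder address)
Host bastion
    HostName 10.0.1.5
    Port 443
    User alice
    IdentityFile ~/.ssh/id_ed25519

# Hop 2: the work desktop on the restricted subnet (placeholder address)
Host desktop
    HostName 10.0.2.20
    Port 22
    User alice
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519
EOF
}

# Matching sshd_config lines for the open-subnet host: keep 22, add 443,
# and accept keys only, since the port is exposed to the whole open subnet.
make_sshd_fragment() {
    printf 'Port 22\nPort 443\nPasswordAuthentication no\n'
}

# Equivalent one-liner without a config file; -J takes [user@]host[:port].
# $1 = final target, $2 = jump host spec. Returns the command, does not run it.
jump_command() {
    printf 'ssh -J %s %s\n' "$2" "$1"
}

# Sanity check: every ProxyJump target must itself be a defined Host block,
# otherwise ssh silently resolves the bare name through DNS instead.
check_jump_targets() {
    cfg=$1
    for j in $(printf '%s\n' "$cfg" | awk '$1=="ProxyJump"{print $2}'); do
        printf '%s\n' "$cfg" | grep -q "^Host $j\$" || return 1
    done
    return 0
}
```

After writing the config, `ssh -G desktop` prints the options ssh has actually resolved for that host, which is the quickest way to confirm the chain before connecting.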

leaded
7th June 2006, 01:09 PM
I won't do anything stupid. I'm more just interested in the "can I" versus "I will". I'll talk to the security guys about what you just said and see what they think. Maybe it's one of those things like "policy says ports 80 and 443 are open; doesn't say what programs have to run on those ports." :) Thanks!
