  #1  
Old 07-13-2017, 10:02 AM
VanDyke82nev VanDyke82nev is offline
Registered User
 
Join Date: Jul 2017
Posts: 17
Proxy and Port Forwarding Devices

I have 30 sites behind 30 Firewalls/Gateways/ASAs.

For every site, I regularly SSH to a few boxes behind the firewalls. There are a few appliances also behind the firewalls with web-page-only information on them that would make my job much easier, but I can't access them with a browser because of the firewall.

I have been doing some reading and it looks like I can use SecureCRT to connect to the routers behind the firewalls, and then map some port on my local machine to forward through my SecureCRT connection to the router which then forwards to the appliance webpage, so I can pull up the webpage on my desktop machine.

I have read that the remote machine I'm connecting to as a proxy has to have 'remote port forwarding' enabled.
Do routers typically have this 'on' or 'off'?
I can log onto the routers. How can I tell if the router has it enabled?

No 'remote port forwarding' means no proxy, right? Just being able to SSH to a device doesn't mean I can use it as a proxy?

What devices generally work/don't work?
Linux servers?
Windows servers?
routers?
web servers?
ASAs?
Gateways?
VMs?

thank you
  #2  
Old 07-13-2017, 10:57 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,636
Hi VanDyke82nev,

Quote:
I have been doing some reading and it looks like I can use SecureCRT to connect to the routers behind the firewalls, and then map some port on my local machine to forward through my SecureCRT connection to the router which then forwards to the appliance webpage, so I can pull up the webpage on my desktop machine.

I have read that the remote machine I'm connecting to as a proxy has to have 'remote port forwarding' enabled.
What information have you been reading?

As far as the inquiries as to the capabilities/configuration of specific devices, hopefully other members of the community can help you with that.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
  #3  
Old 07-13-2017, 04:29 PM
VanDyke82nev VanDyke82nev is offline
Registered User
 
Join Date: Jul 2017
Posts: 17
https://www.vandyke.com/support/tips/socksproxy.html
  #4  
Old 07-13-2017, 05:04 PM
VanDyke82nev VanDyke82nev is offline
Registered User
 
Join Date: Jul 2017
Posts: 17
(I am unable to edit the page above)

I've been reading pages like the link on the VanDyke site (above), as well as pages elsewhere on SSH proxy, VPNs, etc. It looks like SecureCRT and the other clients do it as well, and even just the command line can set up SSH proxy.

But what's not exactly clear is what hosts work "for connecting to".

I can first connect to any of my hosts, and then ping or SSH to any of these machines that have the logs on the web pages, but the info on these pages is only available from a web page, not SSH.

I guess another option would be if CURL or WGET, or any other CLI browser exists on the SSH host machine, I could use that (maybe) but that's a far crappier solution than just relaying traffic from Firefox.
  #5  
Old 07-14-2017, 07:47 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,636
Hi VanDyke82nev,

Quote:
I have read that the remote machine I'm connecting to as a proxy has to have 'remote port forwarding' enabled.
I am not seeing where the SOCKS proxy tip indicates remote port forwarding is needed. It talks about setting up a "regular" (i.e., local, not remote) port forward with dynamic forwarding via SOCKS enabled.
__________________
Thanks,
--Brenda
  #6  
Old 07-14-2017, 02:42 PM
VanDyke82nev VanDyke82nev is offline
Registered User
 
Join Date: Jul 2017
Posts: 17
Hi Brenda,

https://www.vandyke.com/support/tips/socksproxy.html

I was going by this statement in the fourth paragraph.
>>Note that the term “gateway server” used here refers to any SSH server that supports port forwarding functionality.
Maybe I don't understand this topic well enough, but it's telling me that just because I can SSH to something does not mean it will forward my web traffic to another machine like I want. It has to support port forwarding.

Do I misunderstand?

I have permission to make config changes to these routers, but I have to get everything approved unless it's an outage problem. I doubt they will let me make any changes just to make my job easier.
  #7  
Old 07-14-2017, 03:17 PM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,636
Hi VanDyke82nev,

That statement is referencing just port forwarding. Remote port forwarding is different.

Quote:
Maybe I don't understand this topic well enough, but it's telling me that just because I can SSH to something does not mean it will forward my web traffic to another machine like I want. It has to support port forwarding.

Do I misunderstand?
No, you don't misunderstand, you are correct. Port forwarding (and remote port forwarding) are permissions that can be granted by an SSH server, but just having the ability to SSH to that server does not necessarily mean you have port forwarding privileges.

I am not a router, switch, appliance, etc. expert by any means but those devices do not always have a full-featured SSH server that includes port forwarding functionality.
__________________
Thanks,
--Brenda
  #8  
Old 07-14-2017, 03:50 PM
VanDyke82nev VanDyke82nev is offline
Registered User
 
Join Date: Jul 2017
Posts: 17
So, ... hmm, how can I tell?

I've seen SSH proxy setup tutorials, and they all seem to go to either a Linux box or a router that's running DDWRT or Tomato.

I haven't seen anything that says "do this <xxx xxx xxx> to see if this host will work for you."

In my search I am seeing "reverse SSH tunnel" ... that's apparently another tool. I'm not sure what benefits it provides though.
  #9  
Old 07-17-2017, 08:15 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,636
Hi VanDyke82nev,

You can try a port forward using dependent session functionality:

Changes in SecureCRT 7.1 (Beta 1) -- February 26, 2013
------------------------------------------------------

New features:

  • Added support for dependent sessions so that a connection can be made to a jump host or SSH gateway before the session is connected.

If the server does not support it, you should get a fairly obvious error in Trace Options output. Enable Trace Options from File menu before connecting the target/end device session.

  • Create a session to the jump host
  • Create a session to the target/end device
  • In the target/end device session, in the Connection/SSH2 category, from Firewall dropdown, choose Select Session..., then select the jump host session
  • Try to connect target/end device session
__________________
Thanks,
--Brenda

Last edited by bgagnon; 07-17-2017 at 01:01 PM. Reason: typo
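
One way to answer "how can I tell?" from the command line, as an added example that is not part of the original thread or VanDyke's documentation: it uses the OpenSSH `ssh` client rather than SecureCRT, and the function names, local port 18080 and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from OpenSSH client output whether a jump host
# permits TCP forwarding. Function names and port 18080 are hypothetical.

# Read ssh stderr on stdin; print one verdict.
classify_forward_result() {
    log=$(cat)
    case "$log" in
        *"open failed: administratively prohibited"*)
            echo "refused-by-policy" ;;         # server has forwarding disabled
        *"open failed: unknown channel type"*)
            echo "not-implemented" ;;           # SSH server lacks forwarding
        *"open failed: connect failed"*)
            echo "forwarding-ok-target-down" ;; # server tried, target refused
        *"Permission denied"*)
            echo "auth-failed" ;;
        *)
            echo "no-refusal-seen" ;;
    esac
}

# Live probe (needs key-based login; defined here but not called).
# usage: probe_forwarding user@jumphost appliance_ip appliance_port
probe_forwarding() {
    errlog=$(mktemp)
    ssh -N -o BatchMode=yes -L "127.0.0.1:18080:$2:$3" "$1" 2>"$errlog" &
    ssh_pid=$!
    sleep 5                                     # allow time to authenticate
    # The forwarded channel is only opened when something connects locally.
    curl -s -o /dev/null --max-time 5 "http://127.0.0.1:18080/" || true
    kill "$ssh_pid" 2>/dev/null || true
    classify_forward_result <"$errlog"
    rm -f "$errlog"
}

# Constructed sample lines in the format the OpenSSH client prints.
SAMPLE_REFUSED='channel 2: open failed: administratively prohibited: open failed'
SAMPLE_NO_IMPL='channel 2: open failed: unknown channel type: '
SAMPLE_TARGET='channel 2: open failed: connect failed: Connection refused'
```

The three `open failed` reasons correspond to channel-open failure codes defined by the SSH connection protocol (RFC 4254), so other clients report the same conditions, though with different wording.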
  #10  
Old 07-17-2017, 09:02 AM
VanDyke82nev VanDyke82nev is offline
Registered User
 
Join Date: Jul 2017
Posts: 17
Hey Brenda,

That looks very promising. I hope to try that this afternoon.

Thank you.
All times are GMT -6.