Firewall-1

Re: [FW-1] SSH VPN over non-standard port

Subject: Re: [FW-1] SSH VPN over non-standard port
From: Lindsay Hill <lindsay.k.hill AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 29 Nov 2005 20:18:07 +0000

Quick points:

* Are you using NGX? That offers you the SmartDefense option of blocking ssh over non-standard ports. You can also block sshv1 from about R54 onwards.

* What do your logs say? Make sure you also check your SmartDefense logs.

* Is DNS all OK?

* What does tcpdump/fw monitor show you?

 - Lindsay

On 29 Nov 2005, at 19:49, Sean Donaghey/HDGH wrote:

Hi Reinhard,

I changed the https service Protocol-Type to "None", and the vendor still
cannot SSH to their box. Any other ideas?

Thanks,

Sean




Reinhard Stich <r.stich AT INTERNET-SECURITY DOT AT>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
11/24/2005 10:54 AM
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] SSH VPN over non-standard port






hi,

fw1 tries to deny tunneling over ssl - and http on port 443 does not
look like ssl ... so this is blocked.

you should define https as protocol-type "none" ...

cheers
reinhard

At 14:58 24.11.2005, you wrote:
Hi,

I have a VPN user trying to SSH into a box over port 443, and it is not working through our VPN. I can SSH to the same box over port 443 when on the internal network. The connection attempt is accepted to the SSH box, but the key prompt never comes up to accept. Does Checkpoint allow SSH access when not using the standard port 22?

Thanks,

Sean



The information contained in this e-mail message is confidential and
protected by law. The information is intended only for the person or
organization addressed in this e-mail. If you share or copy the
information you may be breaking the law. If you have received this
e-mail by mistake, please notify the sender of the e-mail by the
telephone number listed on this e-mail. Please destroy the original;
do not e-mail back the information or keep the original.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

--
Reinhard Stich  ASSIST  R.Stich AT internet-security DOT at
Internet Security AG,      1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333

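Added example, not part of the thread and not Check Point's inspection code: a simplified model of the protocol-type check discussed above, showing why an SSH identification string on port 443 fails a service definition that expects SSL/TLS, and how the SSH version (v1 vs v2) can be read from the same first bytes. The function names and sample payloads are constructed for illustration.

```python
import struct

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first application bytes seen on a new TCP connection."""
    # SSH (RFC 4253): each side opens with "SSH-<protoversion>-<software>".
    if payload.startswith(b"SSH-"):
        line = payload.split(b"\n", 1)[0].rstrip(b"\r")
        parts = line.split(b"-", 2)
        version = parts[1].decode("ascii", "replace") if len(parts) > 2 else "?"
        # "1.99" advertises SSHv2 with v1 fallback; other 1.x values are SSHv1 only.
        if version.startswith("1.") and version != "1.99":
            return "ssh-v1"
        return "ssh-v2"
    # SSLv3/TLS record: type 0x16 (handshake), major version 3, 2-byte length,
    # then handshake type 1 (ClientHello) or 2 (ServerHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03:
        (length,) = struct.unpack("!H", payload[3:5])
        if 0 < length <= 2**14 + 2048 and payload[5] in (0x01, 0x02):
            return "tls"
    # SSLv2-compatible ClientHello: high bit set in the length, message type 1.
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 0x01:
        return "sslv2"
    return "unknown"

def verdict(protocol_type, payload: bytes):
    """Model of a service object: 'https' enforces SSL/TLS, None skips the check."""
    seen = classify_first_bytes(payload)
    if protocol_type is None:
        return ("accept", seen)
    if protocol_type == "https":
        return ("accept" if seen in ("tls", "sslv2") else "drop", seen)
    raise ValueError("unsupported protocol type in this model")

# Constructed sample payloads (not captured from the thread's traffic).
SSH_BANNER = b"SSH-2.0-OpenSSH_4.2\r\n"
SSH1_BANNER = b"SSH-1.5-1.2.27\n"
TLS_HELLO = bytes.fromhex("16030100310100002d0301") + b"\x00" * 43

if __name__ == "__main__":
    for ptype in ("https", None):
        for name, data in (("ssh", SSH_BANNER), ("tls", TLS_HELLO)):
            print(ptype, name, verdict(ptype, data))
```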