using a remote machine as a "relay"? tunnel with SSH?

 
 
dalyian39@gmail.com
      07-12-2005, 02:16 PM
Hello,

I hope this is a suitable place to post such a question and that the
explanation here makes sense.

I have an app on server A in London that opens a local port and
connects to a port on a remote machine. Fairly simple.

There is a server B in Milan that is on a network where a second
application resides that we want to connect our app to. This server
has an external interface for us to connect to and an internal
(192.168.x.y) interface on its LAN. I have set a static route so that
it can reach a 10.x.y.z address on another LAN (there is some NAT-fu
going on through the gateway 192.168.0.1, I'm not sure).

So

Server A ------ firewall ----- Server B ------ 10.128.242.63
London                         Milan
                               [ Milan network ]

The app can't run on Server B and the Italians will only allow access
via Server B.

Is this a ridiculous scenario first of all?! If not, any ideas?

I thought about setting an SSH tunnel but AFAIK there then has to be
some port at Server B that I can forward local (at Server A) requests to
which there won't be if the app isn't running there. I guess I need
some connection open to the 10.x address at the end of the chain for
this to work?

Should I start thinking about a more hi-tech solution and using our
Cisco PIX to open a "VPN" to the box in Milan?

Ian

 
Mihai Osian
      07-12-2005, 03:23 PM
Hi Ian,

If I understand correctly, you want to connect from Server_A to the
port P of the machine 10.128.242.63, right? I also assume that there is
an SSH server running on Server_B. Then you should run this on Server_A:

ssh -L <port_A>:10.128.242.63:<port_P> -N user_name@Server_B

where <port_A> is whatever port you want, but above 1024. Then, any
connection from Server_A to localhost:<port_A> is equivalent to a
connection from Server_A to 10.128.242.63:<port_P>.
On Server_B you don't need any port open, except for SSH.

Mihai







 
Mihai Osian
      07-12-2005, 03:41 PM
There is also a permanent solution, which involves opening an
extra port on Server_B. On Server_B you can run:

ssh -L <port_B>:10.128.242.63:<port_P> -g -N user_name@localhost

and then any connection from Server_A to Server_B:<port_B> will go to
10.128.242.63:<port_P>. Don't forget to open <port_B> in the firewall on
Server_B.

Mihai
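
Added example, not part of the post above: with -g the forwarded port on Server_B accepts connections on every interface instead of loopback only, so it is worth checking which ssh client processes are listening on non-loopback addresses. The script filters `ss -Hltnp` output for them; the sample lines, PIDs and ports are constructed, and the column layout assumes a TCP-only `ss` query.

```shell
#!/bin/sh
# Added example: list TCP listeners owned by an ssh *client* process that
# are bound to a non-loopback address, i.e. local forwards started with -g.

# Constructed sample of `ss -Hltnp` output (PIDs and ports are made up).
# pid 4121 is a forward started with -g, pid 4207 one started without it.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:8443   0.0.0.0:* users:(("ssh",pid=4121,fd=5))
LISTEN 0 128 127.0.0.1:9000 0.0.0.0:* users:(("ssh",pid=4207,fd=4))
LISTEN 0 128 [::]:8443      [::]:*    users:(("ssh",pid=4121,fd=6))
LISTEN 0 128 [::1]:9000     [::]:*    users:(("ssh",pid=4207,fd=5))
LISTEN 0 80  127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))
EOF
}

# Reads `ss -Hltnp` lines on stdin, prints "pid address port" for every
# listener held by the ssh client (not sshd) on a non-loopback address.
find_exposed_forwards() {
    awk '
    $1 == "LISTEN" && index($0, "(\"ssh\",") {
        addr = $4                      # Local Address:Port column
        port = addr; sub(/.*:/, "", port)
        host = addr; sub(/:[0-9]+$/, "", host)
        # Loopback-only forwards (no -g) are not reachable from other hosts.
        if (host ~ /^127\./ || host == "[::1]") next
        # First pid= on the line; enough for single-owner sockets.
        match($0, /pid=[0-9]+/)
        pid = substr($0, RSTART + 4, RLENGTH - 4)
        print pid, host, port
    }'
}

# Demo on the constructed sample. On a real host, run as root so that
# process names are visible:
#   ss -Hltnp | find_exposed_forwards
sample_ss_output | find_exposed_forwards
```

Any port it reports is reachable by whatever the host firewall lets through, which is why the firewall rule for <port_B> should name Server_A as the only permitted source.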

 
dalyian39@gmail.com
      07-12-2005, 06:44 PM
Hi Mihai,

Thanks! Both of these solutions work great. I understand that the first
involves keeping the SSH tunnel open on Server_A which I can just close
when I don't need the app running. For the second (permanent) solution,
can I undo this at a later time?

Ian

 
Mihai Osian
      07-13-2005, 07:13 AM
(E-Mail Removed) wrote:
> Hi Mihai,
>
> thanks! Both of these solutions work great. I understand that the first
> involves keeping the SSH tunnel open on Server_A which I can just close
> when I don't need the app running.


That's right.

> For the second (permanent) solution,
> can I undo this at a later time?


The second solution is "permanent" in the sense that when you run the
command line above (ssh -L ...), it will run indefinitely (it won't
return to the command prompt). But if you press Ctrl-C, or close the
console or kill the ssh process in some other way, the tunnel will die
automatically.

Mihai

>
> Ian
>



 
dalyian39@gmail.com
      07-13-2005, 11:07 AM


Mihai Osian wrote:
> (E-Mail Removed) wrote:
> >
> >
> > Hi Mihai,
> >
> > thanks! Both of these solutions work great. I understand that the first
> > involves keeping the SSH tunnel open on Server_A which I can just close
> > when I don't need the app running.

>
> That's right.


Actually I think I can get round this by using the -f (fork in
background) option.

> > For the second (permanent) solution,
> > can I undo this at a later time?

>
> The second solution is "permanent" in the sense that when you run the
> command line above (ssh -L ...), it will run indefinitely (it won't
> return to the command prompt). But if you press Ctrl-C, or close the
> console or kill the ssh process in some other way, the tunnel will die
> automatically.


I'm thinking that for this way of doing it, it would be better too to
restrict it to a certain user/host/command via /etc/ssh/ssh_config?

Thanks!
Ian

 