Port 22 not communicating between Netwitness Head and VLC ?
As per RSA firewall requirements the port 22 need to be open between Netwitness Head and VLC we facing issue in that. Please find the details below.
1) Our VLC is in remote location and Public IP NAT done in firewall level for Both VLC and Netwitness Head.
2) While trying to curl -v <VLC IP>:22 we getting connection timed out we have checked and done troubleshooting in firewall level with help our network team and they said configuration is fine in firewall level and Network team suggesting us to chcek in host level. So we checked all the services and all ports are communicating fine except port 22.
Kindly suggest on this how we proceed further.
Note - We haven't done any IpTables level/Host level NAT configuration.
To repeat what you said just so I have the understanding and haven't missed anything with an example because every NAT case I find is special.
VLC IP address on the interface is 192.168.1.50 (The real address)
VLC Public IP address is 22.214.171.124 (The NATed IP)
This translation is being handled on the firewall level so no iptable rules have been implemented on the host level. Thus, it should function from Admin Server to ssh firstname.lastname@example.org and have no problems. Is this what you are doing?
An extra layer of certainty you can have is implementing the IP table rule on the device you are trying to communicate from (Admin Server)
iptables -t nat -A OUTPUT -p tcp -d 192.168.1.50 --dport 22 -j DNAT --to-destination 126.96.36.199:22
The above says that anything TCP meant to go to 192.168.1.50 on port 22 should be routed instead to 188.8.131.52 on port 22
When you are done with creating new rules, do:
service iptables save
Please note that you need to follow this KB for these rules to persist after an upgrade.
The last thing I'll add is you may want to tcpdump the two hosts at the same time but be careful as you are probably going to tcpdump port 22 and you may see your own traffic as a result (because you are probably connected via SSH) so be smart with your filters.