  #1  
Old 09-08-2020, 04:50 PM
mr.dk mr.dk is offline
Registered User
 
Join Date: Nov 2016
Posts: 16
Ignored - Port Forward Filter - Version 8.7.3

Hello,

Not sure if I'm doing this correctly...
SecureCRT - Version 8.7.3 (x64 build 2279)


I'm trying to allow another guest to access the SecureCRT local port forwarding.

[PC (A) TELNET] -- > [PC (B) SecureCRT port 6200 ] -- > [Server Port 6200]

I have set up port forwarding from PC (B) to the server ... however, from reading and testing I can see the listen port 127.0.0.1:6200. Reading, I see that I will need to further modify <session>.ini and modify the following...

From:

S:"Port Forward Filter"=allow,127.0.0.1,0 deny,0.0.0.0,0
S:"Reverse Forward Filter"=allow,127.0.0.1,0 deny,0.0.0.0,0

To:

S:"Port Forward Filter"=allow,0.0.0.0/0.0.0.0,0 allow,192.168.100.155,6200
S:"Reverse Forward Filter"=allow,0.0.0.0/0.0.0.0,0 allow,192.168.100.155,6200

However, testing (and logging), I can verify the port is only opened for listening on 127.0.0.1 and not 0.0.0.0 to allow for connections?

I also tested changing the 127.0.0.1,0 to 128.0.0.1,0 <- and the port remained open on 127.0.0.1 and did not move to 128.0.0.1 as expected. Thus from the data it seems this version of SecureCRT does not work as intended OR am I just missing configuration needed?


Working Log:
TELNET:
telnet 127.0.0.1 6200

Welcome to Microsoft Telnet Client
Escape Character is 'CTRL+]'

SECURECRT
[LOCAL] : Starting port forward from 127.0.0.1 on local 127.0.0.1:6200 to remote wtllab-productlicense-1.phaedrus.sandvine.com:6200.
[LOCAL] : SEND[1]: Send SSH_MSG_CHANNEL_OPEN("direct-tcpip")
[LOCAL] : RECV[1]: SSH_MSG_CHANNEL_OPEN
[LOCAL] : SEND[1]: SSH_MSG_CHANNEL_EOF
[LOCAL] : SEND[1]: channel close
[LOCAL] : RECV[1]: channel close.
[LOCAL] : RECV[1]: SSH_MSG_CHANNEL_CLOSE, closing socket.


Non-Working Log:

TELNET:
telnet 192.168.100.155 6200
Connecting To 192.168.100.155...Could not open connection to the host, on port 6200: Connect failed

SECURECRT:

^^ Nothing



Hummm .... Any thoughts?

Thank you.
Mr.D
__________________
--------------------------------------------------------------

OS Name Microsoft Windows 10 Pro
Version 10.0.14393 Build 14393
Processor Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz, 4001 Mhz, 4 Core(s), 8 Logical Processor(s)
Installed Physical Memory (RAM) 64.0 GB
SecureCRT Version 8.7.0 (x64 build 1183) - Official Release - September 8, 2016
  #2  
Old 09-08-2020, 06:24 PM
jjh jjh is offline
VanDyke Customer Support
 
Join Date: Feb 2004
Posts: 815
Hello mr.dk.

When you configure standard SSH2 port forwarding in your session, you are configuring SecureCRT to listen on the specified port and forward the traffic along through the SSH2 server that you are connected to, to the target machine.

So for example, if you are connected to a server named "Server1" with your SecureCRT session and the machine that uses port 6200 is on a machine named "Server2", you would connect to localhost on port 6200 and the traffic would be forwarded through Server1 and end up at Server2.

The default port forward filter looks like the following, which would allow the traffic from the local loopback addresses in the 127.0.0.0 range:

S:"Port Forward Filter"=allow,127.0.0.0/255.0.0.0,0 deny,0.0.0.0/0.0.0.0,0

All other IP addresses would be denied.

I would expect that if you edited the port forward filter to look like the following, the IP address 192.168.100.155 would be allowed on all ports:

S:"Port Forward Filter"=allow,127.0.0.0/255.0.0.0,0 allow,192.168.100.155/255.255.255.255,0 deny,0.0.0.0/0.0.0.0,0

I would not recommend the change that you made to the reverse forward filter.

I would have expected the change that you made to be successful, but it seems too permissive. The "Allow" that you made for 192.168.100.155 would be redundant because you are already allowing connections from all IP addresses on all ports.

The other part of the problem you are experiencing is that SecureCRT is listening on the local loopback address only (IP address 127.0.0.1), which is only accessible to the local machine. You will need to change the port forward settings to listen on 0.0.0.0 (all IP addresses that belong to your machine, both the localhost IP addresses and the LAN private IP address), so that other machines on the network will have access to the port forward.

In the "Local" section of the "Local port forward properties" dialog you can enable the "Manually select local IP address on which to allow connections" option, then enter 0.0.0.0 as the IP address.

I have attached a screenshot of what I am referring to.

What does your port forward look like for the session?

Thank you.

JJH
Attached Images
File Type: png SCRT_LocalPortForwardingConfigurationExample.png (392.7 KB, 24 views)

Last edited by jjh; 09-11-2020 at 01:32 PM. Reason: Edited to provide more information
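
Added example, not part of either post and not VanDyke's code: a small Python audit of the three "Port Forward Filter" values quoted in this thread, showing which source addresses each one admits and which rules are over-broad or redundant. It assumes rules are evaluated in order with the first match winning, that an unmatched connection is denied, and that an address written without a mask is a single host; port 0 meaning "all ports" follows the support reply above.

```python
import ipaddress

# Filter values as quoted in the thread (the part after the "=" in <session>.ini).
DEFAULT = "allow,127.0.0.0/255.0.0.0,0 deny,0.0.0.0/0.0.0.0,0"
POSTER = "allow,0.0.0.0/0.0.0.0,0 allow,192.168.100.155,6200"
SUGGESTED = ("allow,127.0.0.0/255.0.0.0,0 "
             "allow,192.168.100.155/255.255.255.255,0 deny,0.0.0.0/0.0.0.0,0")

def parse_filter(value):
    """Split a filter value into (action, network, port) rules."""
    rules = []
    for entry in value.split():
        action, addr, port = entry.split(",")
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in {entry!r}")
        # Assumption: an address written without a mask is a single host.
        if "/" not in addr:
            addr += "/255.255.255.255"
        rules.append((action, ipaddress.ip_network(addr, strict=False), int(port)))
    return rules

def decide(rules, source_ip, port):
    """Assumed semantics: first matching rule wins, port 0 means any port,
    and a connection that matches no rule is denied."""
    src = ipaddress.ip_address(source_ip)
    for action, net, rule_port in rules:
        if src in net and rule_port in (0, port):
            return action
    return "deny"

def audit(value):
    """Return findings for allow rules that are too broad and for rules
    that can never match because an earlier rule covers them."""
    findings, rules = [], parse_filter(value)
    for i, (action, net, port) in enumerate(rules):
        if action == "allow" and net.prefixlen == 0:
            findings.append(f"rule {i + 1}: allows every source address")
        for _, earlier_net, earlier_port in rules[:i]:
            if net.subnet_of(earlier_net) and earlier_port in (0, port):
                findings.append(f"rule {i + 1}: shadowed by an earlier rule")
                break
    return findings

if __name__ == "__main__":
    # 192.168.100.77 is a constructed address standing in for any other LAN host.
    for name, value in (("default", DEFAULT), ("poster", POSTER), ("suggested", SUGGESTED)):
        print(name, decide(parse_filter(value), "192.168.100.77", 6200), audit(value))
```

The filter only decides which sources may use the forward; the listener still has to be bound to an address other machines can reach, as the reply explains.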
All times are GMT -6.