# Can't get through PPP NAT



## Ajax (Jan 20, 2013)

My ppp.conf has these lines, and while the first line works, the next one doesn't let external users access ssh on the internal machine.

```
nat port tcp 192.168.1.5:22 22122
nat port tcp 192.168.1.8:22 25290
```
Moreover, it is like getting into a black hole — nothing in response, just a timeout. The firewall doesn't contain anything special regarding the 192.168.1.8 host, and connecting to the .5 host works. Any clue what to look for, and where?


----------



## SirDice (Jan 21, 2013)

There may be a firewall on 192.168.1.8 that's blocking the traffic.


----------



## Ajax (Jan 21, 2013)

Sure, but it is not; I can VNC/ping/whatever-else to 192.168.1.8 from the internal network. Moreover, packets aren't even passing to this host.

Here is the firewall content on the router. I still can't understand why 192.168.1.5 would work and 192.168.1.8 wouldn't.

```
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 check-state
00500 deny ip from 192.168.1.0/24 to any in via TUNNEL_IF
00600 deny ip from EXTERNAL_IP to any in via INNET_IF
00700 deny log ip from any to 10.0.0.0/8 via TUNNEL_IF
00800 deny log ip from any to 172.16.0.0/12 via TUNNEL_IF
00900 deny ip from any to 0.0.0.0/8 via TUNNEL_IF
01000 deny log ip from any to 169.254.0.0/16 via TUNNEL_IF
01100 deny ip from any to 192.0.2.0/24 via TUNNEL_IF
01200 deny log ip from any to 224.0.0.0/4 via TUNNEL_IF
01300 deny ip from any to 240.0.0.0/4 via TUNNEL_IF
01400 allow ip from any to 192.168.1.25 dst-port 18010 in via TUNNEL_IF
01500 allow ip from any to 192.168.1.7 dst-port 19010 in via TUNNEL_IF
01600 allow ip from table(2) to 192.168.1.0/24 via TUNNEL_IF keep-state
01700 allow ip from table(2) to me via TUNNEL_IF keep-state
01800 allow ip from table(2) to table(1) dst-port 3283,5900 in via TUNNEL_IF keep-state
01900 deny log ip from 10.0.0.0/8 to any via TUNNEL_IF
02000 deny log ip from 172.16.0.0/12 to any via TUNNEL_IF
02100 allow ip from table(1) to any via TUNNEL_IF keep-state
02200 deny ip from 0.0.0.0/8 to any via TUNNEL_IF
02300 deny ip from 169.254.0.0/16 to any via TUNNEL_IF
02400 deny ip from 192.0.2.0/24 to any via TUNNEL_IF
02500 deny ip from 224.0.0.0/4 to any via TUNNEL_IF
02600 deny ip from 240.0.0.0/4 to any via TUNNEL_IF
02700 allow ip from any to any via INNET_IF
02800 allow tcp from any to any established
02900 allow log logamount 15 ip from any to any frag
03000 allow { udp or tcp } from me to table(3) dst-port 53
03100 allow { udp or tcp } from table(3) 53 to me
03200 deny { udp or tcp } from me to any dst-port 53
03300 allow udp from 192.168.1.0/24 to any dst-port 123
03400 allow udp from any 123 to 192.168.1.0/24
03500 allow udp from me to any dst-port 123
03600 allow udp from any 123 to me
03700 allow log logamount 50 ip from EXTERNAL_IP to any out via TUNNEL_IF
03800 deny tcp from any to any in via TUNNEL_IF setup
03900 allow tcp from any to any setup
04000 deny icmp from any to any frag
04100 allow icmp from any to any
04200 deny log logamount 50 ip from any to any
65535 deny ip from any to any
```
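
The ruleset above can be walked by hand for one packet; the script below is an added example (not part of the thread) that does that walk for a TCP SYN to port 22 arriving on TUNNEL_IF, on the assumption that ipfw sees the packet there after ppp's NAT has already rewritten the destination. It supports only the keywords the posted rules use, ignores dynamic state, and the table(2) membership and sample addresses are assumptions.

```python
import ipaddress
# Constructed input: the posted rules an inbound TCP SYN on TUNNEL_IF can reach,
# copied as posted; table contents are not in the thread and are assumed here.
RULES = """\
00400 check-state
00500 deny ip from 192.168.1.0/24 to any in via TUNNEL_IF
01600 allow ip from table(2) to 192.168.1.0/24 via TUNNEL_IF keep-state
01800 allow ip from table(2) to table(1) dst-port 3283,5900 in via TUNNEL_IF keep-state
02800 allow tcp from any to any established
03800 deny tcp from any to any in via TUNNEL_IF setup
04200 deny log logamount 50 ip from any to any"""
TABLES = {1: ["192.168.1.0/24"], 2: ["203.0.113.10"]}  # assumed: LAN hosts, trusted peers

def addr_match(spec, ip):
    nets = ["0.0.0.0/0"] if spec == "any" else TABLES[int(spec[6:-1])] if spec.startswith("table(") else [spec]
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in nets)

def parse(line):
    num, *t = line.split()
    if t[0] == "check-state":
        return num, None
    f, to = t.index("from"), t.index("to")
    protos = {x for x in t[1:f] if x not in ("log", "logamount", "{", "or", "}") and not x.isdigit()}
    rest = t[to + 2:]                       # everything after the destination address
    return num, dict(action=t[0], protos=protos, src=t[f + 1], sport=t[f + 2] if to > f + 2 else None,
                     dst=t[to + 1], dport=rest[rest.index("dst-port") + 1] if "dst-port" in rest else None,
                     iface=rest[rest.index("via") + 1] if "via" in rest else None, opts=set(rest))

def matches(r, p):
    """Static first-match test of one parsed rule against a packet dict (dynamic state not modelled)."""
    o, port_ok = r["opts"], lambda spec, port: spec is None or str(port) in spec.split(",")
    return (("ip" in r["protos"] or p["proto"] in r["protos"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and port_ok(r["sport"], p["sport"]) and port_ok(r["dport"], p["dport"])
            and (r["iface"] is None or r["iface"] == p["iface"])
            and not ("in" in o and p["dir"] != "in") and not ("out" in o and p["dir"] != "out")
            and not ("setup" in o and not p["syn"]) and not ("established" in o and p["syn"])
            and "frag" not in o)

def first_match(pkt):
    for line in RULES.splitlines():         # ipfw order: first matching rule decides
        num, r = parse(line)
        if r and matches(r, pkt):
            return num, r["action"]
    return "65535", "deny"                  # ipfw's implicit default rule

def inbound_syn(src, dst, dport=22):
    # Constructed SYN as ipfw would see it on the tunnel after ppp has de-NATed the destination.
    return dict(proto="tcp", src=src, sport=51234, dst=dst, dport=dport, iface="TUNNEL_IF", dir="in", syn=True)
```

Under these assumptions .5 and .8 are treated alike: a source in table(2) is passed by 01600 and any other source is stopped by 03800, so the ruleset by itself does not distinguish the two hosts.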


----------

