Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

RSH ALG

 

The Remote Shell (RSH) provides a conduit to execute commands on a remote host. Unlike Telnet or SSH, which create a terminal shell session on the remote system, RSH passes the command and authentication data. The protocol uses the 514 TCP port to pass the authentication data and the command. The server returns the stdout of the command to the client's source port. RSH requires an ALG to pass a second client port to the server for transmission of the stderr stream.

Understanding the RSH ALG

The Remote Shell (RSH) Application Layer Gateway (ALG) processes RSH packets that initiate requests and open two gates to allow return packets from the reverse direction to the client. One gate is used for an identification (ident) session to apply authorization and the other gate is used for a standard error (stderr) session to transfer an error message.

Note

The RSH ALG does not work if Port Address Translation (PAT) is configured. The RSH requires the port range to be between 512 to 1024. The source NAT module cannot match this port range.

Example: Configuring the RSH ALG

This example shows how to configure the RSH ALG in route or NAT mode. The configuration allows RSH traffic to pass through a device, and it transfers remote commands and results between a client and a server located on opposite sides of a Juniper Networks device.

Requirements

This example uses the following hardware and software components:

  • An SRX Series device

  • Two PCs (server and client)

Before you begin:

Overview

In this example, first you configure network interfaces on the device. Create security zones and assign interfaces to the zones, and configure a policy to allow RSH traffic to go through an SRX Series device.

Then you create a static NAT rule set rs1 with a rule r1 to match with the destination address 40.0.172.10/32, and you create a static NAT prefix with address 40.0.172.45/32.

Next you create a source NAT pool src-p1 with a source rule set src-rs1 to translate packets from interface fe-3/0/0.0 to interface fe-3/0/1.0. For matching packets, the source address is translated to an IP address in the src-p1 pool.

Then you create a destination NAT pool des-p1 with a destination rule set des-rs1 to translate packets from zone trust to destination address 40.0.172.10/32. For matching packets, the destination address is translated to an IP address in the des-p1 pool. Finally, you enable RSH ALG trace options.

Topology

Figure 1 shows the RSH ALG topology.

Figure 1: RSH ALG Topology
 RSH ALG Topology

Configuration

To configure the RSH ALG, perform these tasks:

Configuring a Route Mode

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure route mode:

  1. Configure interfaces.
  2. Configure zones and assign interfaces to the zones.
  3. Configure an RSH policy that allows RSH traffic from the trust zone to the untrust zone.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security zones, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example for correction.

For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Configuring a Static NAT Rule Set

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a static NAT rule set:

  1. Create a static NAT rule set.
  2. Define the rule to match with the destination address.
  3. Define the static NAT prefix for the device.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring a Source NAT Pool and Rule Set without PAT

CLI Quick Configuration

Note

The RSH ALG does not support PAT configuration. The RSH ALG requires the stderr port range to be between 512 to 1024. The source NAT module cannot match this port range.

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a source NAT pool and rule set:

  1. Create a source NAT pool.
  2. Create a source NAT pool with no port translation.
  3. Create a source NAT rule set.
  4. Configure a rule that matches packets and translates the source address to an address in the source pool.
  5. Configure a rule that matches packets and translates the destination address to an address in the source pool.
  6. Configure a source NAT pool in the rule.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring a Destination NAT Pool and Rule Set

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a destination NAT pool and rule set:

  1. Create a destination NAT pool.
  2. Create a destination NAT rule set.
  3. Configure a rule that matches packets and translates the source address to the address in the pool.
  4. Configure a rule that matches packets and translates the destination address to the address in the pool.
  5. Configure a source NAT pool in the rule.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Enabling RSH ALG Trace Options

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To enable RSH ALG trace options:

  1. Enable RSH ALG trace options.
  2. Configure a filename to receive output from the tracing operation.
  3. Specify the maximum trace file size.
  4. Specify the level of tracing output.

Results

From configuration mode, confirm your configuration by entering the show security alg command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the RSH ALG Control Session

Purpose

Verify that the RSH command is executed and all the RSH control and data sessions are created.

Action

From operational mode, enter the show security flow session command.

user@host>show security flow session

Meaning

  • Session ID—Number that identifies the session. Use this ID to get more information about the session such as policy name, number of packets in and out.

  • Policy name—Policy name that permitted the traffic.

  • In—Incoming flow (source and destination IP addresses with their respective source and destination port numbers, session is TCP, and source interface for this session is fe-3/0/0.0).

  • Out—Reverse flow (source and destination IP addresses with their respective source and destination port numbers, session is TCP, and destination interface for this session is fe-3/0/1.0).

Verifying the RSH ALG

Purpose

Verify that the RSH ALG is enabled.

Action

From operational mode, enter the show security alg status command.

user@host>show security alg status
Note

The RSH ALG is disabled by default. To enable the RSH ALG, enter the set security alg rsh command in the configuration mode.

Meaning

The output shows the RSH ALG status as follows:

  • Enabled—Shows the RSH ALG is enabled.

  • Disabled—Shows the RSH ALG is disabled.

Verifying the RSH ALG Resource Manager Group

Purpose

Verify the total number of resource manager groups and active groups that are used by the RSH ALG.

Action

From operational mode, enter the show security resource-manager group active command.

user@host>show security resource-manager group active

Verifying the RSH ALG Resource Information

Purpose

Verify the total number of resources and active resources that are used by the RSH ALG.

Action

From operational mode, enter the show security resource-manager resource active command.

user@host>show security resource-manager resource active