Scan hosts behind NAT

I’ve got one quick question. I did some googling/searching here but didn’t really find proper answer. Question is, Can I somehow scan hosts that are behind NAT/router host?

I have

  • proxy/router host with public IP
  • target host with private IP that is accesible only from proxy/router host

I tried to set up ssh proxy in ~/.ssh/config to make openvas go through that proxy host but it throws SSH Authorization check: It was not possible to login using the provided SSH credentials even though I have them correct since I can manually ssh to that target host.

I know that I can set up omp slave host but I would need like 40 of those and it’s kind of resource heavy so looking for easier solution to this (ideally on openvas level)?

Sorry if it’s in wrong section. I’m talking about Openvas 9, please move thread if I messed up.

Hi sduszynski,

just simple questions:

  1. Have you configured a port forwarding on the router to reach port 22 (SSH) on the private IP host?
  2. Which linux users are allowed to connect on the private ip host via SSH?



  1. I did not configure port forwarding, because I have more than 1 machine behind this router. Should’ve mention that, sorry.
  2. In this example, all of them that have account on both router and priv machine and know priv IP. I’m using router only as jump host using ProxyCommand. Example setup

User openvas
ProxyCommand ssh openvas@ nc %h %p

Manually using $ ssh openvas@<privip> works and I am able to connect to this machine. (But this could be problem if I would have 2 same subnets. Eg host1 with and host2 with (behind 2 different public IPs)

Use a OpenVPN or IPSec Tunnel to tunnel/VPN into the “private space”, as soon you are directly connected with your private space you can scan what you want, secure and encrypted :slight_smile:

Is there really no easier way to do this than setup 30 tunnels? I did set up ssh jump host and can manually ssh into this “private” machine (as I said) but openvas doesn’t want to use this and throws authorization check :frowning:

Easy would be to the state of the art networking technology like IPv6 and not legacy technology with NAT :wink:

If you have so many zones, deployment of Scan-Sensors would help you as well. You place into every zone a sensor that connects to your master. This would need a lot of scripting and work to get this setup.