I've only included a small portion of the complete text. You stated that SSH's reverse port forwarding feature didn't assist you, perhaps you should try a more commonly accessable port, say 443?
(c) Copyright 2001-2002 the Muppet
ssh -R 2323:some-sys.bigacme.com:23 casa
With only a limited amount of effort it is possible to convert the remote tunnel example into a fully functional system for connecting to a system on the inside of the network using ssh. In order to implement this solution, you need:
User access (root access not necessary!) to a system on the inside of the network that can act as a gateway into the network.
A computer system in the Internet that runs the SSH daemon on a port that is allowed by the corporate firewall that we want to penetrate (e.g. port 443). A cable modem or ADSL connected Linux system will do just fine.
Some smart shell scripts
On the internal system, you install SSH, ProxyTunnel and a small shell script (tunnel) that is run regularly (say every 5 minutes) through the Unix cron scheduler. This script uses scp to retrieve a small instruction file from the external system in the Internet (in this example, this file is called tr (for tunnelrequest). The tr file contains a flag that indicates whether a tunnel into the protected network is requested or not.
After retrieving the tunnel request file the script does the following:
If a tunnel is requested, and there is currently a reverse tunnel in operation, the script does nothing.
If a tunnel is requested, and there is currently no tunnel operating, the script uses an SSH command (like the one in the previous example) to set up a reverse tunnel. Access into the protected network is now possible!
If no tunnel is requested, but there is one running, the running tunnel is terminated.
If no tunnel is requested, and none is running, the script does nothing.
For good measure, the script's action is summarised in a one-line status message that is put back (again using scp) to the external system in the Internet.
Meanwhile, on the external system we install a small script (maketun) that opens up a tunnel into the protected network through the following procedure:
First it checks whether a tunnel already exists. If that is the case, it connects to the existing tunnel.
If no tunnel exists, it writes out a tr file that requests a tunnel and starts waiting...
While this script waits, the (time scheduled) tunnel script on the internal system retrieves the tr file and creates the tunnel.
The script on the local system regularly checks whether the tunnel has been created already. When it is, it emits three beeps and connects to the tunnel. The user now has access to the internal system!