https://community.cisco.com/t5/network-security/port-forwarding-not-working-despite-correct-configuration/m-p/804811#M1006268 <HTML><HEAD></HEAD><BODY><P>If x.x.x.x is outside interface address on ASA then you need to do this...</P><P></P><P>static (inside,outside) tcp interface 22 192.168.18.51 22 netmask 255.255.255.255</P><P>access-list outside_in permit tcp any interface eq 22 </P><P>access-group outside_ in in interface outside </P></BODY></HTML> Wed, 25 Apr 2007 17:55:10 GMT acomiskey 2007-04-25T17:55:10Z https://community.cisco.com/t5/network-security/port-forwarding-not-working-despite-correct-configuration/m-p/804810#M1006267 <P>Our ASA-5505 has a single outside IP, and dynamic NAT for the LAN is working fine. I set up a static NAT rule for the outside IP to our internal SSH server and created an ACL that allows external connections to connect to the SSH port on the external IP so that the SSH port on the ASA-5505 is forwarded to the internal server. However, when I try to SSH from an external host, the connection times out, and the ASA logs that the connection is denied due to an ACL. To create this configuration I followed the Getting Started Guide and found several relevant guides both on Cisco.com and around the Internet, but the port forwarding isn't working and I'm pulling my hair out as to why the ACL which I already explicitly created isn't working. Here's the relevant config lines; if you need more information please reply.</P><P></P><P>access-list outside_access_in extended permit tcp any host X.X.X.X eq ssh log</P><P>static (inside,outside) X.X.X.X 192.168.18.51 netmask 255.255.255.255</P><P>access-group outside_access_in in interface outside</P><P></P><P>I sanitized the external IP to X.X.X.X for privacy.</P> Mon, 11 Mar 2019 10:04:05 GMT https://community.cisco.com/t5/network-security/port-forwarding-not-working-despite-correct-configuration/m-p/804810#M1006267 wkurdziolek 2019-03-11T10:04:05Z https://community.cisco.com/t5/network-security/port-forwarding-not-working-despite-correct-configuration/m-p/804811#M1006268 <HTML><HEAD></HEAD><BODY><P>If x.x.x.x is outside interface address on ASA then you need to do this...</P><P></P><P>static (inside,outside) tcp interface 22 192.168.18.51 22 netmask 255.255.255.255</P><P>access-list outside_in permit tcp any interface eq 22 </P><P>access-group outside_ in in interface outside </P></BODY></HTML> Wed, 25 Apr 2007 17:55:10 GMT https://community.cisco.com/t5/network-security/port-forwarding-not-working-despite-correct-configuration/m-p/804811#M1006268 acomiskey 2007-04-25T17:55:10Z https://community.cisco.com/t5/network-security/port-forwarding-not-working-despite-correct-configuration/m-p/804812#M1006269 <HTML><HEAD></HEAD><BODY><P>static (inside,outside) tcp X.X.X.X ssh 192.168.18.51 ssh netmask 255.255.255.255</P><P></P><P>Didn't change the ACL, and I still get:</P><P></P><P>TCP access denied by ACL from <EXTERNAL ip=""> to outside:X.X.X.X/22</EXTERNAL></P><P></P><P>In the logs.</P></BODY></HTML> Wed, 25 Apr 2007 18:28:36 GMT https://community.cisco.com/t5/network-security/port-forwarding-not-working-despite-correct-configuration/m-p/804812#M1006269 wkurdziolek 2007-04-25T18:28:36Z https://community.cisco.com/t5/network-security/port-forwarding-not-working-despite-correct-configuration/m-p/804813#M1006270 <HTML><HEAD></HEAD><BODY><P>If x.x.x.x is outside interface then you actually need to use the word "interface" in the static and acl, not x.x.x.x.</P></BODY></HTML> Wed, 25 Apr 2007 18:33:02 GMT https://community.cisco.com/t5/network-security/port-forwarding-not-working-despite-correct-configuration/m-p/804813#M1006270 acomiskey 2007-04-25T18:33:02Z https://community.cisco.com/t5/network-security/port-forwarding-not-working-despite-correct-configuration/m-p/804814#M1006271 <HTML><HEAD></HEAD><BODY><P>Ah, excellent. Now everything is working. Thanks a ton!</P></BODY></HTML> Wed, 25 Apr 2007 18:36:54 GMT https://community.cisco.com/t5/network-security/port-forwarding-not-working-despite-correct-configuration/m-p/804814#M1006271 wkurdziolek 2007-04-25T18:36:54Z