Forwarding non-standard ssh port to standard ssh port internal

andylize — Tue, 12 Mar 2019 09:47:07 GMT

I am having a difficult time getting my nat transaltion to work with a port forward on my 5506w-x. I think I have my nat rules set up correctly, but my access-list does not seem to be correct. What I would like to be able to do is forward requests to outside address on port 22022 to inside host on port 22 for ssh. The following is what I have for my config:

: Saved

:
: Serial Number: JAD20300B1Q
: Hardware: ASA5506W, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname fwl
enable password JWAW.Vk/Rdj57hiA encrypted
names

!
interface GigabitEthernet1/1
description to WAN
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
description to LAN
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/9
nameif wifi
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup wifi
dns server-group DefaultDNS
name-server 208.67.220.220
name-server 216.146.35.35
name-server 156.154.70.1
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ssh_server
host 192.168.0.110
object-group service ssh-non-standard tcp
port-object eq 22022
access-list outside_acl extended permit tcp any object ssh_server object-group ssh-non-standard
no pager
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu wifi 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
object network ssh_server
nat (inside,outside) static interface service tcp ssh 22022
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_acl in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 wifi
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button

console timeout 0

dhcpd dns 208.67.220.220
dhcpd auto_config outside
!
dhcpd address 192.168.0.150-192.168.0.254 inside
dhcpd enable inside
!
dhcpd address 192.168.10.2-192.168.10.254 wifi
dhcpd enable wifi
!
dynamic-access-policy-record DfltAccessPolicy
username admin password 0Z2UW3R7M94mIRj4 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:1868383b9efd460523a8dcb5bb769ab4
: end

In your acl you need to use

Jon Marshall — Mon, 07 Aug 2017 18:28:52 GMT

In your acl you need to use the real server IP and the real port number ie. the ones after translation so you are using the wrong port number.

Jon

Are you suggesting I change:

andylize — Mon, 07 Aug 2017 18:46:10 GMT

Are you suggesting I change:

access-list outside_acl extended permit tcp any object ssh_server object-group ssh-non-standard

access-list outside_acl extended permit tcp any host 192.168.0.110 22022

I was suggesting -

Jon Marshall — Mon, 07 Aug 2017 18:49:20 GMT

I was suggesting -

access-list outside_acl extended permit tcp any object-group ssh_server eq 22

Jon

That worked perfectly!

andylize — Mon, 07 Aug 2017 18:59:17 GMT

That worked perfectly! Thanks much.

No problem, glad to have

Jon Marshall — Mon, 07 Aug 2017 19:01:46 GMT

No problem, glad to have helped.

Jon

topic Are you suggesting I change: in Network Security

Forwarding non-standard ssh port to standard ssh port internal

In your acl you need to use

Are you suggesting I change:

I was suggesting -

That worked perfectly!

No problem, glad to have