https://community.cisco.com/t5/network-security/nat-9-4-1/m-p/3000848#M150215 <P>That way it has not worked:</P> <P></P> <PRE class="prettyprint prettyprinted"><SPAN class="kwd">object</SPAN><SPAN class="pln"> network SERVER</SPAN><BR /><SPAN class="pln"> host </SPAN><SPAN class="lit">192.168</SPAN><SPAN class="pun">.</SPAN><SPAN class="lit">3.10</SPAN><BR /><SPAN class="pln"> nat </SPAN><SPAN class="pun">(</SPAN><SPAN class="pln">inside</SPAN><SPAN class="pun">,</SPAN><SPAN class="pln">outside</SPAN><SPAN class="pun">)</SPAN><SPAN class="pln"> </SPAN><SPAN class="kwd">static</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">172.16</SPAN><SPAN class="pun">.</SPAN><SPAN class="lit">255.254</SPAN><SPAN class="pln"> service tcp </SPAN><SPAN class="lit">22</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">22</SPAN><BR /><SPAN class="pun">!</SPAN><BR /><SPAN class="pln">access</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">list OUTSIDE</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">IN permit tcp host </SPAN><SPAN class="lit">200.x</SPAN><SPAN class="pun">.</SPAN><SPAN class="pln">x</SPAN><SPAN class="pun">.</SPAN><SPAN class="pln">x </SPAN><SPAN class="kwd">object</SPAN><SPAN class="pln"> SERVER eq </SPAN><SPAN class="lit">22</SPAN></PRE> <P></P> <P></P> <P>So it has worked!!!</P> <P></P> <PRE class="prettyprint prettyprinted"><SPAN class="kwd">object</SPAN><SPAN class="pln"> network SERVER</SPAN><BR /><SPAN class="pln"> host </SPAN><SPAN class="lit">192.168</SPAN><SPAN class="pun">.</SPAN><SPAN class="lit">3.10</SPAN><BR /><SPAN class="pln"> nat </SPAN><SPAN class="pun">(</SPAN><SPAN class="pln">inside</SPAN><SPAN class="pun">,</SPAN><SPAN class="pln">outside</SPAN><SPAN class="pun">)</SPAN><SPAN class="pln"> </SPAN><SPAN class="kwd">static</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">200.x.x.x</SPAN><SPAN class="pun"></SPAN><SPAN class="lit"></SPAN><SPAN class="pln"> service tcp </SPAN><SPAN class="lit">22</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">22</SPAN><BR /><SPAN class="pun">!</SPAN><BR /><SPAN class="pln">access</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">list OUTSIDE</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">IN permit tcp host </SPAN><SPAN class="lit">200.x</SPAN><SPAN class="pun">.</SPAN><SPAN class="pln">x</SPAN><SPAN class="pun">.</SPAN><SPAN class="pln">x </SPAN><SPAN class="kwd">object</SPAN><SPAN class="pln"> SERVER eq </SPAN><SPAN class="lit">22</SPAN></PRE> Thu, 08 Sep 2016 04:00:14 GMT Rodrigo Fialho 2016-09-08T04:00:14Z https://community.cisco.com/t5/network-security/nat-9-4-1/m-p/3000844#M150211 <P>Hi,</P> <P></P> <P>I would like to know the best way to do a NAT into ssh port:</P> <P></P> <P><FONT color="black" face="Times New Roman" size="3"><SPAN style="font-size: 12pt;">200.X.X.X ----&gt; 172.16.255.254 ----&gt; 192.168.3.10<BR /></SPAN></FONT></P> <P><FONT color="black" face="Times New Roman" size="3"><SPAN style="font-size: 12pt;">OUTSIDE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; DMZ&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INSIDE</SPAN></FONT></P> <P><FONT color="black" face="Times New Roman" size="3"><SPAN style="font-size: 12pt;"></SPAN></FONT></P> <P><FONT color="black" face="Times New Roman" size="3"><SPAN style="font-size: 12pt;"></SPAN></FONT></P> <P><FONT color="black" face="Times New Roman" size="3"><SPAN style="font-size: 12pt;">object network 200.X.X.X<BR />&nbsp;host 200.X.X.X<BR /></SPAN></FONT></P> <P><FONT color="black" face="Times New Roman" size="3"><SPAN style="font-size: 12pt;">object network 172.16.255.254<BR />&nbsp;host 172.16.255.254<BR /></SPAN></FONT></P> <P><FONT color="black" face="Times New Roman" size="3"><SPAN style="font-size: 12pt;">object network 192.168.3.10<BR />&nbsp;host 192.168.3.10<BR /></SPAN></FONT></P> <P><FONT color="black" face="Times New Roman" size="3"><SPAN style="font-size: 12pt;">object service 22<BR />&nbsp;service tcp source eq ssh </SPAN></FONT></P> <P><FONT color="black" face="Times New Roman" size="3"><SPAN style="font-size: 12pt;">nat (any,any) source static 172.16.255.254 <FONT color="black" face="Times New Roman" size="3"><SPAN style="font-size: 12pt;">200.X.X.X</SPAN></FONT> destination static <FONT color="black" face="Times New Roman" size="3"><SPAN style="font-size: 12pt;">192.168.3.10</SPAN></FONT> <FONT color="black" face="Times New Roman" size="3"><SPAN style="font-size: 12pt;">192.168.3.10</SPAN></FONT> service 22 22</SPAN></FONT></P> <P><FONT color="black" face="Times New Roman" size="3"><SPAN style="font-size: 12pt;"></SPAN></FONT></P> <P><FONT color="black" face="Times New Roman" size="3"><SPAN style="font-size: 12pt;">Is this way correct? </SPAN></FONT></P> Tue, 12 Mar 2019 08:14:19 GMT https://community.cisco.com/t5/network-security/nat-9-4-1/m-p/3000844#M150211 Rodrigo Fialho 2019-03-12T08:14:19Z https://community.cisco.com/t5/network-security/nat-9-4-1/m-p/3000845#M150212 <P>At least, it's far too complex. This is how it can work:</P> <PRE class="prettyprint">object network SERVER<BR /> host 192.168.3.10<BR /> nat (inside,outside) static 172.16.255.254 service tcp 22 22<BR />!<BR />access-list OUTSIDE-IN permit tcp host 200.x.x.x object SERVER eq 22</PRE> <P></P> Mon, 05 Sep 2016 20:45:59 GMT https://community.cisco.com/t5/network-security/nat-9-4-1/m-p/3000845#M150212 Karsten Iwen 2016-09-05T20:45:59Z https://community.cisco.com/t5/network-security/nat-9-4-1/m-p/3000846#M150213 <P>Hi <SPAN class="fullname"><SPAN rel="sioc:has_creator"><A href="https://supportforums.cisco.com/users/karsteniwen" title="View user profile." class="username" lang="" about="/users/karsteniwen" typeof="sioc:UserAccount" property="foaf:name" datatype="">Karsten,</A></SPAN></SPAN></P> <P><SPAN class="fullname"><SPAN rel="sioc:has_creator"></SPAN></SPAN></P> <P><SPAN class="fullname"><SPAN rel="sioc:has_creator">Thank you for your answer.</SPAN></SPAN></P> <P><SPAN class="fullname"><SPAN rel="sioc:has_creator"></SPAN></SPAN></P> <P><SPAN class="fullname"><SPAN rel="sioc:has_creator">But does it work withou ACL, just NAT?</SPAN></SPAN></P> Mon, 05 Sep 2016 21:10:06 GMT https://community.cisco.com/t5/network-security/nat-9-4-1/m-p/3000846#M150213 Rodrigo Fialho 2016-09-05T21:10:06Z https://community.cisco.com/t5/network-security/nat-9-4-1/m-p/3000847#M150214 <P>Unless you haven't configured something really strange, you need a matching ACL-line because you are communicating from a lower to a higher security level. That is denied by default.</P> Mon, 05 Sep 2016 21:16:18 GMT https://community.cisco.com/t5/network-security/nat-9-4-1/m-p/3000847#M150214 Karsten Iwen 2016-09-05T21:16:18Z https://community.cisco.com/t5/network-security/nat-9-4-1/m-p/3000848#M150215 <P>That way it has not worked:</P> <P></P> <PRE class="prettyprint prettyprinted"><SPAN class="kwd">object</SPAN><SPAN class="pln"> network SERVER</SPAN><BR /><SPAN class="pln"> host </SPAN><SPAN class="lit">192.168</SPAN><SPAN class="pun">.</SPAN><SPAN class="lit">3.10</SPAN><BR /><SPAN class="pln"> nat </SPAN><SPAN class="pun">(</SPAN><SPAN class="pln">inside</SPAN><SPAN class="pun">,</SPAN><SPAN class="pln">outside</SPAN><SPAN class="pun">)</SPAN><SPAN class="pln"> </SPAN><SPAN class="kwd">static</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">172.16</SPAN><SPAN class="pun">.</SPAN><SPAN class="lit">255.254</SPAN><SPAN class="pln"> service tcp </SPAN><SPAN class="lit">22</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">22</SPAN><BR /><SPAN class="pun">!</SPAN><BR /><SPAN class="pln">access</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">list OUTSIDE</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">IN permit tcp host </SPAN><SPAN class="lit">200.x</SPAN><SPAN class="pun">.</SPAN><SPAN class="pln">x</SPAN><SPAN class="pun">.</SPAN><SPAN class="pln">x </SPAN><SPAN class="kwd">object</SPAN><SPAN class="pln"> SERVER eq </SPAN><SPAN class="lit">22</SPAN></PRE> <P></P> <P></P> <P>So it has worked!!!</P> <P></P> <PRE class="prettyprint prettyprinted"><SPAN class="kwd">object</SPAN><SPAN class="pln"> network SERVER</SPAN><BR /><SPAN class="pln"> host </SPAN><SPAN class="lit">192.168</SPAN><SPAN class="pun">.</SPAN><SPAN class="lit">3.10</SPAN><BR /><SPAN class="pln"> nat </SPAN><SPAN class="pun">(</SPAN><SPAN class="pln">inside</SPAN><SPAN class="pun">,</SPAN><SPAN class="pln">outside</SPAN><SPAN class="pun">)</SPAN><SPAN class="pln"> </SPAN><SPAN class="kwd">static</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">200.x.x.x</SPAN><SPAN class="pun"></SPAN><SPAN class="lit"></SPAN><SPAN class="pln"> service tcp </SPAN><SPAN class="lit">22</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">22</SPAN><BR /><SPAN class="pun">!</SPAN><BR /><SPAN class="pln">access</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">list OUTSIDE</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">IN permit tcp host </SPAN><SPAN class="lit">200.x</SPAN><SPAN class="pun">.</SPAN><SPAN class="pln">x</SPAN><SPAN class="pun">.</SPAN><SPAN class="pln">x </SPAN><SPAN class="kwd">object</SPAN><SPAN class="pln"> SERVER eq </SPAN><SPAN class="lit">22</SPAN></PRE> Thu, 08 Sep 2016 04:00:14 GMT https://community.cisco.com/t5/network-security/nat-9-4-1/m-p/3000848#M150215 Rodrigo Fialho 2016-09-08T04:00:14Z