topic Re: Port Forwarding in ASA for SSH service in Network Security

Port Forwarding in ASA for SSH service

hectormiranda — Wed, 10 Apr 2019 00:02:40 GMT

Hello,

My scenario is as follows:

- Internal LAN subnet: 192.168.20.0/24

- Cisco ASA5516-X external Public IP: 190.151.47.10

- inside interface name: inside

- outside interface name: WAN_INTERNET_If

There is a server in the internal LAN with IP address 192.168.20.36. There is an network object named Server-Arq defined in the ASA.

I need to access that server from the outside through SSH but using tcp port 22022 as "external" port, then mapping it to port 22 in the server's address.

So, if a user from the outside runs PuTTY pointing SSH to 190.151.47.10 port 22022, then that traffic goes to internal 192.168.20.36 port 22.

I wrote the following instructions in the ASA for the port forwarding:

object network Server-Arq
nat (inside,WAN_INTERNET_If) static interface service tcp ssh 22022

Then I added the following ACL:

access-list WAN_Internet_access_in extended permit tcp any object Server-Arq eq ssh

But the port tcp 22022 remains closed.

What is missing in my configuration?

Attached current ASA config file.

Thanks in advance,

Hector M.

Re: Port Forwarding in ASA for SSH service

johnd2310 — Wed, 10 Apr 2019 01:33:42 GMT

Hi,

You access-list should be for port 22022 and not ssh

"access-list WAN_Internet_access_in extended permit tcp any object Server-Arq eq 22022"

Thanks

John

Re: Port Forwarding in ASA for SSH service

Francesco Molino — Wed, 10 Apr 2019 01:38:21 GMT

Can you move your dynamic nat at the end like:

object network obj_any
 nat (any,WAN_INTERNET_If) after-auto dynamic interface

Also can you run the following command and paste the result please in a text file:

packet-tracer input WAN_INTERNET_if tcp 8.8.8.8 12345 190.151.47.10 22022 detail

Re: Port Forwarding in ASA for SSH service

hectormiranda — Wed, 10 Apr 2019 15:30:32 GMT

Hello Francesco,

I moved the dynamic nat rule after the specific objects ones.

The syntax is:

object network Server-Arq
nat (inside,WAN_INTERNET_If) static interface service tcp ssh 8022
!
nat (inside,WAN_INTERNET_If) after-auto source dynamic any interface

Regarding the PacketTracer, I have attached the output to this message. Last night, trying to do something different, I changed the 22022 port to tcp 8022, so the packet tracer command I ran was:

packet-tracer input WAN_INTERNET_if tcp 8.8.8.8 12345 190.151.47.10 8022 detail

Hector M.

Re: Port Forwarding in ASA for SSH service

hectormiranda — Wed, 10 Apr 2019 17:09:54 GMT

Than you John.

I tried it, but that's not the problem.

Hector M.

Re: Port Forwarding in ASA for SSH service

Francesco Molino — Thu, 11 Apr 2019 04:05:46 GMT

Did you removed this nat:

object network obj_any
nat (any,WAN_INTERNET_If) dynamic interface

You should have only your ssh nat first and then the dynamic at the end.
Do a clear xlate, test again and re-run the packet-tracer command please.

Re: Port Forwarding in ASA for SSH service

hectormiranda — Fri, 12 Apr 2019 15:49:36 GMT

Hello,

I did two different tests:

Used an access switch in the LAN to forward port 22 to port 8201. External access (SSH to public ip + port 8201) worked ok
Used an internal PC (Windows) and installed FreeSSH server. Mapped port 22 to 22134 and external SSH worked ok.

So, I asked the server's guy what was happenning with his machine. He changed the machine and the initial problem disappeared!

Anyway, I thank you guys for your great help.

Hector M.