topic Re: ASA 5505 NAT Issue in Network Security

ASA 5505 NAT Issue

nescody — Wed, 25 Dec 2019 19:41:58 GMT

Hello,

I am trying to allow ssh to my internal sever.

I basically used the same configuration which was configured for port 80 or 443 on ASA.

object network linux
host 192.168.1.123
object service sshlinux
service tcp source eq ssh

access-list outside-in extended permit tcp any host 192.168.1.123 eq ssh

nat (inside,outside) source static linux interface service sshlinux sshlinux

access-group Outside-in in interface outside

Please suggest where the issue:

Thanks in advance

Re: ASA 5505 NAT Issue

Sheraz.Salim — Wed, 25 Dec 2019 21:58:10 GMT

your configuraton look good.

run a packet tracer

packet-tracer input outside tcp 8.8.8.8 12345 (firewall outside ip address) ssh

Re: ASA 5505 NAT Issue

nescody — Mon, 30 Dec 2019 14:44:43 GMT

Thanks @Sheraz.Salim, But I don't have PT installed. SSH Port is still closed for my Public IP address.

Re: ASA 5505 NAT Issue

Sheraz.Salim — Mon, 30 Dec 2019 20:11:43 GMT

I am not talking about Packet Tracer software for cisco student network learning. I am talking Packet Tracer utility in ASA software code.

here is a link

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p1.html

Re: ASA 5505 NAT Issue

nescody — Fri, 03 Jan 2020 13:59:34 GMT

Thanks for providing the link. I am very new for Cisco devices.

Here is the output:

packet-tracer input outside tcp 8.8.8.8 12345 XXX.XXX.XXX.XXX ssh

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static linux interface service sshlinux sshlinux
Additional Information:
NAT divert to egress interface inside
Untranslate XXX.XXX.XXX.XXX/22 to 192.168.1.123/22

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

packets are dropping becuase of acl,

here is my acl:

access-list outside-in extended permit tcp any host 192.168.1.123 eq ssh

Re: ASA 5505 NAT Issue

Sheraz.Salim — Tue, 31 Dec 2019 19:53:00 GMT

could you share your firewall configuration?

Re: ASA 5505 NAT Issue

Elliot Dierksen — Thu, 02 Jan 2020 19:54:06 GMT

I think your problem is that you can't use port 22 on the outside unless you reassign the port that the ASA itself uses for SSH. You can do SSH on the outside on a different port, but translate it to 22 on the inside. That would look like this using port 922 on the outside. object network insidehost-ssh host 10.10.10.8 object network insidehost-ssh nat (inside,outside) static interface service tcp ssh 922 access-list internet-in extended permit tcp any object insidehost-ssh eq ssh access-group internet-in in interface outside

Re: ASA 5505 NAT Issue

nescody — Fri, 03 Jan 2020 14:06:30 GMT

Thanks @Elliot Dierksen

Just trying to understand, as per packet tracer, packets were dropped becuase of acl configuration. And another thing, I am not able to ssh into router which tells me router is not configured to login via ssh. So ssh port was not configured so why it wasn't allowing me to use port 22. Thanks in advance.

It is working now with assigning diferent port on outside and translate to ssh inside.

Re: ASA 5505 NAT Issue

Elliot Dierksen — Fri, 03 Jan 2020 14:14:22 GMT

As it pertains to SSH, I think that port is allocated whether it is configured or not. That is not true for HTTP and HTTPS as I have been able to pass those ports through. If you look in the logs, I doubt you will see an ACL deny. SSH going to the ASA itself would be permitted or denied by the "ssh" directives (if any) in the config.