https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229596#M347481 <HTML><HEAD></HEAD><BODY><P>Mashal</P><P>Thanks for the response. I was not sure about the acl so thanks for clearing that up.</P><P>And I understand what you are saying about the ssh.</P><P>Is there another way of doing the ssh access?</P></BODY></HTML> Wed, 26 Jun 2013 18:24:01 GMT john.wright 2013-06-26T18:24:01Z https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229594#M347451 <P>We have a remote site that has a 5505 ios 8.3.1.</P><P>We have a /30 outside addr range so we only have 2 outside addr available; the addr of the outside interface + the gateway.</P><P>We need to allow a vendor to access an inside addr.</P><P></P><P>Will the following config work in order to allow access?</P><P></P><P>(config)# object network voice_gateway</P><P>(config-network-object)# host 10.10.10.10</P><P>(config-network-object)# nat (inside,outside) static 109.109.109.109 service tcp ssh ssh</P><P></P><P>109.109.109.109 is the addr of the outside interface</P><P></P><P>object-group network vendor</P><P> network-object 8.9.9.9 255.255.255.224</P><P></P><P>access-list acl_outside extended permit tcp object-group vendor 109.109.109.109 255.255.255.252 eq ssh</P> Tue, 12 Mar 2019 02:03:28 GMT https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229594#M347451 john.wright 2019-03-12T02:03:28Z https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229595#M347465 <HTML><HEAD></HEAD><BODY><P>Hi John,</P><P></P><P>You only need to fix the access-list so that it points to the private IP instead of the public IP, because your version is 8.3. This config will work for enabling inbound SSH access to your internal server, however, you should pay attention that if the natted public IP is the same as your outside interface IP, then SSH access to the ASA from the outside will not be possible, because all traffic hitting outside IP at port 22 will be redirected to the inside.</P><P></P><P>Hope this helps</P><P></P><P>---------<BR />Mashal Alshboul</P></BODY></HTML> Wed, 26 Jun 2013 17:36:30 GMT https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229595#M347465 malshbou 2013-06-26T17:36:30Z https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229596#M347481 <HTML><HEAD></HEAD><BODY><P>Mashal</P><P>Thanks for the response. I was not sure about the acl so thanks for clearing that up.</P><P>And I understand what you are saying about the ssh.</P><P>Is there another way of doing the ssh access?</P></BODY></HTML> Wed, 26 Jun 2013 18:24:01 GMT https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229596#M347481 john.wright 2013-06-26T18:24:01Z https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229597#M347492 <HTML><HEAD></HEAD><BODY><P>Hi John,</P><P></P><P>You cannot change the default SSH port in ASA. Instead, I suggest that you change the natted port to be any port other than 22 so that you get SSH access to both&nbsp; ASA and internal server. </P><P></P><P>for example:</P><P></P><P>(config-network-object)# nat (inside,outside) static 109.109.109.109 service tcp ssh 222</P><P></P><P></P><P>Hope this answers your questions.</P><P></P><P>---------<BR />Mashal Alshboul</P></BODY></HTML> Wed, 26 Jun 2013 18:38:38 GMT https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229597#M347492 malshbou 2013-06-26T18:38:38Z https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229598#M347503 <HTML><HEAD></HEAD><BODY><P>Mashal</P><P>here is what I got when I tried to set this up.</P><P></P><P>ERROR: Address 109.109.109.109 overlaps with outside interface address.</P><P>ERROR: NAT Policy is not downloaded</P></BODY></HTML> Thu, 27 Jun 2013 14:43:58 GMT https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229598#M347503 john.wright 2013-06-27T14:43:58Z https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229599#M347516 <HTML><HEAD></HEAD><BODY><P>John</P><P></P><P>Use the keyword "interface"&nbsp; instead of the IP.</P><P></P><P></P><P>---<BR />Mashal Alshboul</P></BODY></HTML> Thu, 27 Jun 2013 21:39:57 GMT https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229599#M347516 malshbou 2013-06-27T21:39:57Z https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229600#M347523 <HTML><HEAD></HEAD><BODY><P>Mashal</P><P>Thanks, that worked!</P></BODY></HTML> Fri, 28 Jun 2013 14:41:52 GMT https://community.cisco.com/t5/network-security/static-nat-when-you-have-only-one-outside-addr-question/m-p/2229600#M347523 john.wright 2013-06-28T14:41:52Z