https://community.cisco.com/t5/network-security/asa-9-9-port-forward-problem/m-p/3384042#M957884 <P>Couple things before we dive into your issue:</P> <P>&nbsp;1. Update your original post and hide the public IP you're using for the&nbsp;<SPAN>object network SSH-pi-ext-ip</SPAN></P> <P>&nbsp;2. With ASA using port 22 on the outside interface it might happen that you cannot use it for a port-forward as you need. I am not 100% it's not possible, some tricks might help but I would just use any other external port like 2222 and map it to my internal server on port 22.</P> <P>Here's PF config as I see it:</P> <P>&nbsp;</P> <P><EM>object network SSH-pi-ext-ip</EM></P> <P><EM>&nbsp;host x.x.x.220</EM></P> <P><EM>object network SSH-pi</EM></P> <P><EM>&nbsp;host 10.10.50.65</EM></P> <P><EM>object-group service ssh_2222 tcp</EM></P> <P><EM>&nbsp;port-object eq 2222</EM></P> <P><EM>object-group service&nbsp;ssh_22 tcp</EM></P> <P><EM>&nbsp;port-object eq 22</EM></P> <P>&nbsp;</P> <P><EM>nat (outside,inside) after-auto source static any any destination static SSH-pi-ext-ip object network SSH-p service ssh_2222 ssh_22 unidirectional</EM></P> Wed, 16 May 2018 09:25:19 GMT Florin Barhala 2018-05-16T09:25:19Z https://community.cisco.com/t5/network-security/asa-9-9-port-forward-problem/m-p/3383998#M957883 <P><SPAN>I cannot get this to work.</SPAN></P> <P>&nbsp;</P> <P><SPAN>What I want to do.</SPAN></P> <P><SPAN>Host on Internet (any) --&gt;</SPAN><SPAN>&nbsp;FW (xx.xx.24.220:22) --&gt;</SPAN><SPAN>&nbsp;SSH-pi (10.10.50.65:22)</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P>Host on&nbsp;internet connects with&nbsp;ssh to&nbsp;FW port tcp/22 and&nbsp;&nbsp;will then be forwarded to SSH-pi on port tcp/22.</P> <P>&nbsp;</P> <P><SPAN>interface GigabitEthernet1/1</SPAN></P> <P><SPAN>&nbsp;</SPAN><SPAN>nameif outside</SPAN></P> <P><SPAN>&nbsp;</SPAN><SPAN>security-level 0</SPAN></P> <P><SPAN>&nbsp;</SPAN><SPAN>ip address dhcp setroute &nbsp; &nbsp; &nbsp;&nbsp;(DHCP ip = xx.xx.24.220)</SPAN></P> <P><SPAN>interface GigabitEthernet1/8.5</SPAN></P> <P><SPAN>&nbsp;</SPAN><SPAN>vlan 5</SPAN></P> <P><SPAN>&nbsp;</SPAN><SPAN>nameif FW-VL5</SPAN></P> <P><SPAN>&nbsp;</SPAN><SPAN>security-level 100</SPAN></P> <P><SPAN>&nbsp;</SPAN><SPAN>ip address 10.10.50.1 255.255.255.0</SPAN></P> <P><SPAN>object network SSH-pi-ext-ip</SPAN></P> <P><SPAN>&nbsp;</SPAN><SPAN>host 77.53.24.220</SPAN></P> <P><SPAN>object network SSH-pi</SPAN></P> <P><SPAN>&nbsp;</SPAN><SPAN>host 10.10.50.65</SPAN></P> <P><SPAN>access-list outside_access_in extended permit tcp any object SSH-pi-ext-ip eq ssh log notifications</SPAN></P> <P><SPAN>object network obj_any</SPAN></P> <P><SPAN>&nbsp;</SPAN><SPAN>nat (any,outside) dynamic interface</SPAN></P> <P><SPAN>object network SSH-pi</SPAN></P> <P><SPAN>&nbsp;</SPAN><SPAN>nat (FW-VL5,outside) dynamic interface</SPAN></P> <P><SPAN>access-group outside_access_in in interface outside</SPAN></P> Fri, 21 Feb 2020 15:46:30 GMT https://community.cisco.com/t5/network-security/asa-9-9-port-forward-problem/m-p/3383998#M957883 pwanderoy 2020-02-21T15:46:30Z https://community.cisco.com/t5/network-security/asa-9-9-port-forward-problem/m-p/3384042#M957884 <P>Couple things before we dive into your issue:</P> <P>&nbsp;1. Update your original post and hide the public IP you're using for the&nbsp;<SPAN>object network SSH-pi-ext-ip</SPAN></P> <P>&nbsp;2. With ASA using port 22 on the outside interface it might happen that you cannot use it for a port-forward as you need. I am not 100% it's not possible, some tricks might help but I would just use any other external port like 2222 and map it to my internal server on port 22.</P> <P>Here's PF config as I see it:</P> <P>&nbsp;</P> <P><EM>object network SSH-pi-ext-ip</EM></P> <P><EM>&nbsp;host x.x.x.220</EM></P> <P><EM>object network SSH-pi</EM></P> <P><EM>&nbsp;host 10.10.50.65</EM></P> <P><EM>object-group service ssh_2222 tcp</EM></P> <P><EM>&nbsp;port-object eq 2222</EM></P> <P><EM>object-group service&nbsp;ssh_22 tcp</EM></P> <P><EM>&nbsp;port-object eq 22</EM></P> <P>&nbsp;</P> <P><EM>nat (outside,inside) after-auto source static any any destination static SSH-pi-ext-ip object network SSH-p service ssh_2222 ssh_22 unidirectional</EM></P> Wed, 16 May 2018 09:25:19 GMT https://community.cisco.com/t5/network-security/asa-9-9-port-forward-problem/m-p/3384042#M957884 Florin Barhala 2018-05-16T09:25:19Z https://community.cisco.com/t5/network-security/asa-9-9-port-forward-problem/m-p/3384043#M957885 <P>your NAT is wrong for port 22, you need to nat the outside ntercface on port 22 to inside pi 22, from outside to inside</P> Wed, 16 May 2018 09:25:57 GMT https://community.cisco.com/t5/network-security/asa-9-9-port-forward-problem/m-p/3384043#M957885 Dennis Mink 2018-05-16T09:25:57Z https://community.cisco.com/t5/network-security/asa-9-9-port-forward-problem/m-p/3384048#M957886 Out of curiosity, what happens with this DNAT on 22 if the user adds:<BR />ssh 0.0.0.0 0.0.0.0 outside Wed, 16 May 2018 09:34:36 GMT https://community.cisco.com/t5/network-security/asa-9-9-port-forward-problem/m-p/3384048#M957886 Florin Barhala 2018-05-16T09:34:36Z