cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2389
Views
10
Helpful
5
Replies

ASA 5506-X NAT issue SSH

david.brewerton
Level 1
Level 1

I feel like I'm on the cusp of figuring it out, but I've had issues and spent many, many hours hitting this with every form of documentation and help forum. I'm trying to do a NAT with an ACL from an external static IP to an internal one on a DMZ.

 

To try and be as clear and concise as I can: I have a static external IP. This is routed by my ISP to an intermediate IP, which is assigned to my ASA 5506-X. E.g. 8.8.8.8 (external) assigned to 1.2.3.4 (internal, assigned to my outside interface). I have a DMZ, where I'm trying to NAT port 22 from my external IP through to that sub network using PAT.

 

I've cleared some of the running config, and removed some sensitive information, but I hope this is enough to clarify my issue. Italicized is what I think is most relevant. I've included packet tracers for both 8.8.8.8 to my external IP, and 8.8.8.8 to the internal one (not the given one assigned to Outside but the actual SSH server). I'm still unable to SSH in, even though an 8.8.8.8 tcp on 22 is "allowed" to the DMZ from outside.

 

object network ssh
 host 192.168.10.10
access-list outside_DMZ extended permit tcp any object ssh eq ssh
access-list outside_SSH_DMZ extended permit tcp any host 192.168.10.10 eq ssh log

object network ssh
 nat (dmz,outside) static <external IP> service tcp ssh ssh
access-group outside_SSH_DMZ in interface outside

 

 

Running Config

 

: Saved

:
: Serial Number:
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(1)
!
hostname ciscoasa
enable password <hashed mess>
names
dns-guard

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address <intermediate internal IP> 255.255.255.0
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside_1
dns domain-lookup inside_3
dns domain-lookup inside_4
dns domain-lookup inside_5
dns domain-lookup inside_6
dns domain-lookup inside_7
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 1.1.1.1 outside
 name-server 1.0.0.1 outside
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network DMZ
object network ssh
 host 192.168.10.10
access-list outside_DMZ extended permit tcp any object ssh eq ssh
access-list outside_SSH_DMZ extended permit tcp any host 192.168.10.10 eq ssh log
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu dmz 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
object network ssh
 nat (dmz,outside) static <external IP> service tcp ssh ssh
access-group outside_SSH_DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 <internal intermediate IP> 1

 

 Packet Tracer External IP to Internal

 ciscoasa(config)# packet-tracer input outside tcp 8.8.8.8 22 192.168.10.10 22

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.10.10 using egress ifc  dmz

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_SSH_DMZ in interface outside
access-list outside_SSH_DMZ extended permit tcp any host 192.168.10.10 eq ssh log
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network ssh
 nat (dmz,outside) static <external-IP> service tcp ssh ssh
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

  Packet Tracer External IP to External

ciscoasa(config)# packet-tracer input outside tcp 8.8.8.8 22 <external-IP> 22

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network ssh
 nat (dmz,outside) static <external-IP> service tcp ssh ssh
Additional Information:
NAT divert to egress interface dmz
Untranslate <external-IP>/22 192.168.10.10/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_SSH_DMZ in interface outside
access-list outside_SSH_DMZ extended permit tcp any host 192.168.10.10 eq ssh log
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network ssh
 nat (dmz,outside) static <external-IP> service tcp ssh ssh
Additional Information:

Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 19180, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

1 Accepted Solution

Accepted Solutions

Thanks for your help. You helped me think outside of the box. So I did some digging in the logs, and just tested SSH against it and watched logs. It turns out, it needed a NAT against my outside interface (the internal IP address attached to the outside interface) and not the external IP that is forwarded to my outside interface.

So I did that, it was then considered a "real IP packet" that was being denied, it even let me create an ACL rule based on it, I changed it based on your suggestion (any external port, since it tried a bunch of arbitrary ports in the 6000 range), and ta-da it works! Thanks.

View solution in original post

5 Replies 5

Hi check below command,
access-list outside_DMZ extended permit tcp any object ssh eq ssh

 

normally source devices using random private port to communicate with other devices. destination port is ok as SSH port. for ex.
source - 8.8.8.8
source port - 65128
destination - NAT IP
destination port - 22

source device not using SSH port as a source port to communicate. so try allowing any source port to contact the destination 22 port

regards,

let us know how it goes.
please rate helpful things..

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hi, my apologies for the poor naming. That's an object I created called ssh. However it isn't attached to the outside interface (which if you can let me know if that's relevant or not would be good to know). The primary hits I'm looking at in ASDM are for

access-list outside_SSH_DMZ extended permit tcp any host 192.168.10.10 eq ssh log

Below is the ssh object. If I understand the above command: tcp any source going to host 192.168.10.10 port 22.

The other object if I understand correctly is anything matching my ssh object, so going to host 192.168.10.10 on NAT hitting the service ssh. If I'm to re-write the nat rule  nat (dmz,outside) static <external IP> service tcp ssh ssh for any external source port,  how would I do that?  nat (dmz,outside) static <external IP> service tcp any ssh???

 

object network ssh
 host 192.168.10.10

object network ssh
 nat (dmz,outside) static <external IP> service tcp ssh ssh

try below command to check where is the drop.

ciscoasa(config)# packet-tracer input outside tcp 8.8.8.8 65123 <external-IP> 22

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

ciscoasa(config)# packet-tracer input outside tcp 8.8.8.8 65123 40.<external-ip> 22

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network ssh
 nat (dmz,outside) static 40.132.235.222 service tcp ssh ssh
Additional Information:
NAT divert to egress interface dmz
Untranslate 40.132.235.222/22 to 192.168.10.10/22

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_SSH_DMZ in interface outside
access-list outside_SSH_DMZ extended permit tcp any host 192.168.10.10 eq ssh log
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network ssh
 nat (dmz,outside) static 40.132.235.222 service tcp ssh ssh
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 163838, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

 

 

That's the weird part. It's allowed. But when I try to just ssh in from the external IP, both internally and from other sources, it just rejects it. I can ssh internally, so I know the sshd daemon is allowing it. The auth log says nothing of a failed attempt or me even reaching it. SSH connect to host port 22: resource temporarily unavailable. An nmap scan of my external port 22 says it's filtered.

To add: tcp6       0      0 :::22                   :::*                    LISTEN      15969/sshd

It's not just listening on localhost

I tried just to do it from the other end (try SSH, since it seems packet-tracer isn't replicating it correctly).

3Feb 09 201909:18:23710003<external ip>61152<intermediate internal-ip>22TCP access denied by ACL from <external-ip>/61152 to outside:<intermediate internal-ip>/22

Do I need a separate ACL to go from my external to my intermediate IP?

Thanks for your help. You helped me think outside of the box. So I did some digging in the logs, and just tested SSH against it and watched logs. It turns out, it needed a NAT against my outside interface (the internal IP address attached to the outside interface) and not the external IP that is forwarded to my outside interface.

So I did that, it was then considered a "real IP packet" that was being denied, it even let me create an ACL rule based on it, I changed it based on your suggestion (any external port, since it tried a bunch of arbitrary ports in the 6000 range), and ta-da it works! Thanks.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: