08-03-2016 10:37 AM - edited 03-12-2019 01:05 AM
Hello,
I have an internal server 10.10.10.1 mapped to 2.2.2.2 (public IP). I can access the server via port 80 without any issues. Now I want to SSH into it with a different port number, 222. I have made the following config. I just want to find out whether I need more config other than the following.
object network DEVICE-10.10.10.1
host 10.10.10.1
nat (inside,outside) static 2.2.2.2
object network DEVICE-10.10.10.1-222
host 10.10.10.1
nat (inside,outside) static 2.2.2.2 service tcp 22 222
ACL outside (outside interface for inbound traffic)
permit any host 10.10.10.1 eq 222
ACL inside (inside interface for outbound traffic)
permit any any eq 222
Thanks in advance.
Thili
08-03-2016 02:00 PM
OK, just tested it out and it seems that the ASA doesn't behave as it should. The general NAT always takes preference. To make it work, you have to change the first NAT to also do a port-forwarding:
object network DEVIDE-10.10.10.1-80
host 10.10.10.1
nat (inside,outside) static 2.2.2.2 service tcp 80 80
object network DEVIDE-10.10.10.1-22
host 10.10.10.1
nat (inside,outside) static 2.2.2.2 service tcp 22 222
permit any host 10.10.10.1 eq 80
permit any host 10.10.10.1 eq 22
08-03-2016 11:29 AM
Your NAT looks fine. To make the config more readable, you could change the first NAT-rule to be only for service tcp/80.
For the outside-ACL, you have to allow the real port that is opened on the server. I assume the server is listening on tcp/22? Then the ACL has to be the following:
permit any host 10.10.10.1 eq 22
For this incoming traffic, you don't need an ACE on the inside ACL.
08-03-2016 11:49 AM
Thanks Karsten,
The whole purpose of this is to block the well-known port 22 from outside. Instead I want to use port 222 for SSH. The server is listening on port 22. If I enable port forwarding to 222, do I still need an ACE for opening port 22 from outside? If yes, then I'm losing the purpose of the port forwarding.
Let me know your thoughts.
08-03-2016 11:58 AM
It won't work if you don't open the real port from outside. NAT is done first and the translated packet (with changed port numbers from 222 to 22) is compared to the ACL. But that doesn't mean that your server is reachable through tcp/22 from outside. It's not!
08-03-2016 01:20 PM
I tried it. I opened port 22. The server responded on port 22 but not on 222.
08-03-2016 01:33 PM
Was your new NAT-rule in place?
08-04-2016 07:19 PM
Everything is working now. You are right, I have to enable port 22 from outside.
At the same time, the general NAT rule must be taken off. Otherwise it overrides the other NAT rules.
Thanks for your help.
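To show the order Karsten describes (NAT is applied first, then the outside ACL is checked against the real port) and why the general NAT rule had to be removed, here is an added Python model of the inbound decision. It is a constructed simplification written for this thread, not ASA code; the NAT precedence it assumes is the one observed in the accepted answer.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model (not Cisco code) of the ASA 8.3+ inbound order the thread
# describes: untranslate with the static NAT rules first, then check the
# outside ACL against the REAL (post-NAT) destination IP and port.

@dataclass(frozen=True)
class StaticNat:
    real_ip: str
    mapped_ip: str
    real_port: Optional[int] = None    # None = no 'service' clause (general rule)
    mapped_port: Optional[int] = None

@dataclass(frozen=True)
class Ace:            # 'permit any host <real_ip> eq <real_port>'
    real_ip: str
    real_port: int

def untranslate(rules, dst_ip, dst_port):
    """Real (ip, port) for an inbound packet, or None if no NAT rule matches."""
    # A general rule (no service clause) takes preference, as the thread observed.
    for r in sorted(rules, key=lambda r: r.mapped_port is not None):
        if r.mapped_ip != dst_ip:
            continue
        if r.mapped_port is None:
            return (r.real_ip, dst_port)          # whole-IP static: port unchanged
        if r.mapped_port == dst_port:
            return (r.real_ip, r.real_port)       # port-forward: 222 -> 22
    return None

def inbound_allowed(rules, acl, dst_ip, dst_port):
    """True if the packet is forwarded to the server: NAT match AND ACL permit."""
    real = untranslate(rules, dst_ip, dst_port)
    if real is None:
        return False                              # nothing to forward to; dropped
    return any(a.real_ip == real[0] and a.real_port == real[1] for a in acl)

# Accepted configuration: port-specific NAT only, ACL on the real ports.
GOOD_NAT = [StaticNat("10.10.10.1", "2.2.2.2", 80, 80),
            StaticNat("10.10.10.1", "2.2.2.2", 22, 222)]
GOOD_ACL = [Ace("10.10.10.1", 80), Ace("10.10.10.1", 22)]
# Original configuration: the general static NAT kept next to the port-forward.
BAD_NAT = [StaticNat("10.10.10.1", "2.2.2.2")] + GOOD_NAT

if __name__ == "__main__":
    for port in (80, 22, 222):
        print(f"2.2.2.2:{port}  fixed={inbound_allowed(GOOD_NAT, GOOD_ACL, '2.2.2.2', port)}"
              f"  original={inbound_allowed(BAD_NAT, GOOD_ACL, '2.2.2.2', port)}")
```

With the fixed rules only 2.2.2.2:80 and 2.2.2.2:222 get through, while the original configuration exposes 2.2.2.2:22 and drops 222, matching what Thili saw.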