cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


194
Views
0
Helpful
7
Replies

ASA port forwading

Hello, 

I have internal server 10.10.10.1 mapped to 2.2.2.2 (public ip). I can access the server via port 80 without no issues. Now I wanted to ssh into with different port number 222. I have made the following config. Just want to find out do I have need more config other than following?

object network DEVICE-10.10.10.1

host 10.10.10.1

nat (inside,outside) static 2.2.2.2

object network DEVICE-10.10.10.1-222

host 10.10.10.1

nat (inside,outside) static 2.2.2.2 service tcp 22 222

ACL outside (outside interface for inbound traffic)

permit any host 10.10.10.1 eq 222

ACL inside (inside interface for outbound traffic)

permit any any eq 222

Thanks in advance.

Thili

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Mentor

ok, just tested it out and it

ok, just tested it out and it seems that the ASA doesn't behave at it should. The general NAT always takes preference. To make it work, you have to change the first NAT to also do a port-forwarding:

object network DEVIDE-10.10.10.1-80
 host 10.10.10.1
 nat (inside,outside) static 2.2.2.2 service tcp 80 80
object network DEVIDE-10.10.10.1-22
 host 10.10.10.1
 nat (inside,outside) static 2.2.2.2 service tcp 22 222
permit any host 10.10.10.1 eq 80
permit any host 10.10.10.1 eq 22
7 REPLIES 7
VIP Mentor

Your NAT looks fine. To make

Your NAT looks fine. To make the config more readable, you could change the first NAT-rule to be only for service tcp/80.

For the outside-ACL, you have to allow the real port that is opened on the server. I assume the server is listening on tcp/22? Then the ACL has to be the following:

permit any host 10.10.10.1 eq 22

For this incoming traffic, you don't need an ACE on the inside ACL.

Thanks Karsten,

Thanks Karsten,

The whole purpose of this is, block well known 22 port from outside. Instead I want to use port 222 for ssh. The server is listening to port 22.If I enable port forwarding to 222 do I still need a ACE for opening port 22 from outside? if yes, then I'm loosing the purpose of the port forwarding.

Let me know your thoughts.

VIP Mentor

It won't work if you don't

It won't work if you don't open the real port from outside. NAT is done first and the translated packet (with changed port numbers from 222 to 22) is compared to the ACL. But that doesn't mean that your server is reachable through tcp/22 from outside. It's not!

I tried it. I opened port 22.

I tried it. I opened port 22. server responded to port 22 but not for 222. 

VIP Mentor

Was your new NAT-rule in

Was your new NAT-rule in place?

Highlighted

everything is working now.

everything is working now. you are right, I have to enable port 22 from outside. 

Same time general NAT rule must take off. Otherwise it overrides other NAT rules.

Thanks for your help.  

VIP Mentor

ok, just tested it out and it

ok, just tested it out and it seems that the ASA doesn't behave at it should. The general NAT always takes preference. To make it work, you have to change the first NAT to also do a port-forwarding:

object network DEVIDE-10.10.10.1-80
 host 10.10.10.1
 nat (inside,outside) static 2.2.2.2 service tcp 80 80
object network DEVIDE-10.10.10.1-22
 host 10.10.10.1
 nat (inside,outside) static 2.2.2.2 service tcp 22 222
permit any host 10.10.10.1 eq 80
permit any host 10.10.10.1 eq 22