ASA port forwarding problem from port 222 to 22

robinandjiang · ‎09-10-2019

the request is when the traffic hit the public IP on port 222, i need to redirect to a internal server on port 22.

mu configuration is like this:

object network FTP-Access
nat (dmz2,outside) static FTP-SVR-Public service tcp ssh 222

access-list global_access extended permit tcp any object FTP-Access eq 222

access-group global_access global

but it doesn't work.

please help.

thanks

Rob Ingram · ‎09-10-2019

Hi,
You need to reference the real port in the ACL, which would be 22.

HTH

robinandjiang · ‎09-10-2019

i tried both the ports in ACL, but didn't work, even no traffic hit the rule.

Rob Ingram · ‎09-10-2019

Is your static nat rule above the dynamic nat rule used for outbound access? Provide the output of "show nat" if unsure

Also run packet-tracer on the cli and provide the output

robinandjiang · ‎09-10-2019

the static nat is above the dynamic nat, we using different public IP for different port forwarding, and the PAT still go through the main public IP.

object network FTP-Access
nat (dmz2,outside) static FTP-SVR-Public service tcp ssh 222
!
nat (dmz2,outside) after-auto source dynamic any interface

Rob Ingram · ‎09-10-2019

Ok, fine. What about providing the output from packet-tracer for review?

robinandjiang · ‎09-10-2019

the configuration has been changed , because we decided to use the same port 22 and it works fine.

thanks for you help.

i will set up a lab to do more tests for this issue.

thanks