custom ssh port to sftp server through ASA

Carlomd
Level 1

Hello all,

I have a vendor that needs to ftp files to our Linux server using sftp, so I decided to change the default port 22 that ssh uses to a higher number for security reasons (too many brute force attempts). It works internally, but somehow I can't get the ASA working with a custom port. I have the configs for the sftp server below. Is there another way to achieve it? Thanks in advance.

 

object network mysftpbox
  nat (inside,outside) static publicip
access-list ACL_OUT extended permit tcp any host mysftpboxinternalip eq 2128

Accepted Solution

If your server is running on tcp/2128, then your config is ok:

object network mysftpbox
  nat (inside,outside) static publicip
access-list ACL_OUT extended permit tcp any object mysftpbox eq 2128

If you only want to forward this one port, then you can specify that in the NAT:

object network mysftpbox
  nat (inside,outside) static publicip service tcp 2128 2128
access-list ACL_OUT extended permit tcp any object mysftpbox eq 2128

If your server is using the default port tcp/22, but the connection should go externally to tcp/2128, the ASA can translate that as well:

object network mysftpbox
  nat (inside,outside) static publicip service tcp 22 2128
access-list ACL_OUT extended permit tcp any object mysftpbox eq 22
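The three variants above differ in how the ASA translates the destination port and, because ASA 8.3 and later evaluate interface ACLs against the real (untranslated) address and port, in which port the ACL line must name. That is why the third variant permits `eq 22` even though the outside world connects to 2128. The following Python model is an added example, not part of this thread or of Cisco's software; it walks an inbound connection through each variant in the ASA order of operations (un-NAT, then ACL). The addresses are constructed placeholders standing in for the thread's `mysftpboxinternalip` and `publicip`.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed placeholder addresses (not from the thread): they stand in for
# the thread's "mysftpboxinternalip" and "publicip".
REAL_IP = "10.1.1.50"
PUBLIC_IP = "203.0.113.10"


@dataclass(frozen=True)
class StaticNat:
    """Models 'nat (inside,outside) static <mapped> [service tcp <real> <mapped>]'."""
    real_ip: str
    mapped_ip: str
    real_port: Optional[int] = None     # None: every port maps 1:1
    mapped_port: Optional[int] = None

    def untranslate(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Inbound un-NAT (outside -> inside). Returns the real (ip, port) or None."""
        if dst_ip != self.mapped_ip:
            return None
        if self.mapped_port is None:
            return (self.real_ip, dst_port)
        if dst_port != self.mapped_port:
            return None                 # only the one translated port is reachable
        return (self.real_ip, self.real_port)


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list ... permit tcp any <dst> eq <port>' line."""
    dst_ip: str
    dst_port: int


def inbound_verdict(nat: StaticNat, acl: List[AclEntry],
                    dst_ip: str, dst_port: int) -> Tuple[bool, str]:
    """ASA 8.3+ order of operations: un-NAT first, then the outside interface
    ACL is matched against the REAL destination ip/port, not the mapped one."""
    real = nat.untranslate(dst_ip, dst_port)
    if real is None:
        return False, "no NAT rule matches this destination"
    real_ip, real_port = real
    for entry in acl:
        if entry.dst_ip == real_ip and entry.dst_port == real_port:
            return True, f"permitted, delivered to {real_ip}:{real_port}"
    return False, f"dropped by ACL (no entry for real {real_ip}:{real_port})"


# The three variants from the reply above, plus the common mistake with the
# third one (writing the ACL with the mapped port instead of the real port).
CONFIGS: Dict[str, Tuple[StaticNat, List[AclEntry]]] = {
    # 1: whole-host static NAT, server listens on tcp/2128
    "static_all_ports": (StaticNat(REAL_IP, PUBLIC_IP),
                         [AclEntry(REAL_IP, 2128)]),
    # 2: only tcp/2128 is forwarded, no port change
    "static_2128_to_2128": (StaticNat(REAL_IP, PUBLIC_IP, 2128, 2128),
                            [AclEntry(REAL_IP, 2128)]),
    # 3: server on tcp/22, exposed externally as tcp/2128, ACL names real port 22
    "static_22_to_2128": (StaticNat(REAL_IP, PUBLIC_IP, 22, 2128),
                          [AclEntry(REAL_IP, 22)]),
    # 3 done wrong: ACL names the mapped port, so the un-NATed flow never matches
    "static_22_to_2128_wrong_acl": (StaticNat(REAL_IP, PUBLIC_IP, 22, 2128),
                                    [AclEntry(REAL_IP, 2128)]),
}


def evaluate(config_name: str, dst_port: int) -> Tuple[bool, str]:
    """Verdict for an outside client connecting to PUBLIC_IP:dst_port under one config."""
    nat, acl = CONFIGS[config_name]
    return inbound_verdict(nat, acl, PUBLIC_IP, dst_port)


if __name__ == "__main__":
    for name in CONFIGS:
        for port in (22, 2128):
            ok, why = evaluate(name, port)
            verdict = "ALLOW" if ok else "DROP "
            print(f"{name:28s} {PUBLIC_IP}:{port:<5d} -> {verdict} ({why})")
```

On a real ASA the same two phases can be checked with `packet-tracer input outside tcp <client-ip> <client-port> <publicip> 2128`, whose output shows the UN-NAT and ACCESS-LIST phases separately, which makes a mapped-versus-real port mismatch in the ACL easy to spot.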

 

 

Thanks for the reply Karsten, I'll give the other 2 configs a try.

 

carlo

Hi Karsten, I tried the other 2 configs. The 2nd one didn't work, and then on the 3rd one I get an error saying "invalid host" when running

access-list ACL_OUT extended permit tcp any object mysftpbox eq 22

Update - my bad, I used the wrong syntax; it should be host instead of object. I may have to go use the default port if this doesn't work. The vendor only needed to upload files, so it's temporary.

Karsten, the 3rd config worked, thanks for your help.

Thank you very much. Finally, a straightforward example with configuration examples that worked for me, thank you!
