How can I map SSH from an outside network range to an internal host (ASA 5505)

Tarran
Level 1

Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

- External network range that needs SSH access: 8.8.8.0/24

- Outside interface: 10.1.10.2 (NAT'd from 7.7.7.7)

- Inside Network: 192.168.100.0/24

- Inside host to redirect external SSH to: 192.168.100.98

Hi All,

I have a Cisco ASA 5505 (version above) and I have someone that needs to SSH into a box behind the ASA. I'm having a few issues trying to configure this access-list and NAT. I've tried many combinations and clearly my IOS is not as good as I thought.

Can anyone help with this? What commands should I enter to accomplish mapping SSH from an outside network range to an internal host?

Many thanks,

Tarran


4 Replies

Jon Marshall
Hall of Fame

Tarran

What do you mean by this -

Outside interface: 10.1.10.2 (NAT'd from 7.7.7.7)

Does the outside interface have a public IP, i.e. 7.7.7.7, or a private IP, 10.1.10.2?

If it is 10.1.10.2, where is this NATted to 7.7.7.7, i.e. on what device?

Jon

It has a private IP, 10.1.10.2, but someone from the outside world would SSH to 7.7.7.7, as it is NAT'd from the ISP modem.

This may or may not work depending on how your modem handles the NATting. On your firewall try this -

static (inside,outside) tcp interface 22 192.168.100.98 22

Then add this to your ACL on the outside interface of your ASA -

access-list outside_in permit tcp 8.8.8.0 255.255.255.0 host 10.1.10.2 eq 22

If you don't have an ACL applied, then add this extra step -

access-group outside_in in interface outside

Jon
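As an added illustration (not Jon's or Cisco's code), here is a small Python model of how a pre-8.3 ASA such as this 7.2(4) box evaluates an inbound SSH packet against the two lines above: the outside ACL is checked against the mapped address (which is why the ACE says `host 10.1.10.2` rather than the inside host), and the static PAT then untranslates to 192.168.100.98. The sample source addresses are constructed; the config lines are the ones from the answer.

```python
import ipaddress

# Constructed from the thread: outside interface address, the static PAT and
# the ACL line from the accepted answer (ASA 7.2, i.e. pre-8.3 NAT semantics).
OUTSIDE_IF_IP = "10.1.10.2"
STATIC_PAT = "static (inside,outside) tcp interface 22 192.168.100.98 22"
ACL_LINES = ["access-list outside_in permit tcp 8.8.8.0 255.255.255.0 host 10.1.10.2 eq 22"]

def _parse_addr(tok, i):
    """One ASA address spec at tok[i]. Note ASA ACLs take real subnet masks
    (255.255.255.0), not the inverted wildcard masks IOS ACLs use."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl_line(line):
    """'access-list NAME permit|deny tcp SRC DST [eq PORT]' -> dict."""
    tok = line.split()
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": tok[2], "src": src, "dst": dst, "port": port}

def parse_static_pat(line, outside_if_ip):
    """'static (inside,outside) tcp MAPPED MPORT REAL RPORT'; the keyword
    'interface' stands for the outside interface's own address."""
    tok = line.split()
    mapped = outside_if_ip if tok[3] == "interface" else tok[3]
    return {"mapped": (mapped, int(tok[4])), "real": (tok[5], int(tok[6]))}

def evaluate_inbound(src_ip, dst_ip, dst_port, acl_lines, pat):
    """Pre-8.3 inbound order: the interface ACL is matched against the mapped
    (outside) address, then the static PAT untranslates to the real host.
    Unmatched traffic hits the implicit deny; a permit with no xlate is dropped."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_acl_line, acl_lines):
        if src in ace["src"] and dst in ace["dst"] and ace["port"] in (None, dst_port):
            if ace["action"] == "permit" and (dst_ip, dst_port) == pat["mapped"]:
                return ("permit", "%s:%d" % pat["real"])
            return ("deny", None)
    return ("deny", None)

def check(src_ip, dst_port=22):
    """Verdict for an outside host trying TCP/dst_port against the ASA's outside IP."""
    pat = parse_static_pat(STATIC_PAT, OUTSIDE_IF_IP)
    return evaluate_inbound(src_ip, OUTSIDE_IF_IP, dst_port, ACL_LINES, pat)
```

On ASA 8.3 and later the ACL is written against the real (untranslated) address, so the equivalent ACE would name 192.168.100.98 instead of 10.1.10.2; the model above deliberately follows the 7.2 ordering.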

BAM. Thank you Jon - worked a treat.
