Port Forwarding in ASA for SSH service

hectormiranda
Level 1

Hello,

My scenario is as follows:

- Internal LAN subnet: 192.168.20.0/24

- Cisco ASA5516-X external Public IP: 190.151.47.10

- inside interface name: inside

- outside interface name: WAN_INTERNET_If

There is a server in the internal LAN with IP address 192.168.20.36. There is a network object named Server-Arq defined in the ASA.

I need to access that server from the outside through SSH but using tcp port 22022 as "external" port, then mapping it to port 22 in the server's address.

So, if a user from the outside runs PuTTY pointing SSH to 190.151.47.10 port 22022, then that traffic goes to internal 192.168.20.36 port 22.

I wrote the following instructions in the ASA for the port forwarding:

object network Server-Arq
nat (inside,WAN_INTERNET_If) static interface service tcp ssh 22022

Then I added the following ACL:

access-list WAN_Internet_access_in extended permit tcp any object Server-Arq eq ssh
But the port tcp 22022 remains closed.

What is missing in my configuration?

Attached current ASA config file.

Thanks in advance,

Hector M.

Accepted Solution

Francesco Molino
VIP Alumni

Hi

Can you move your dynamic nat at the end like:

object network obj_any
 nat (any,WAN_INTERNET_If) after-auto dynamic interface

Also can you run the following command and paste the result please in a text file:

packet-tracer input WAN_INTERNET_if tcp 8.8.8.8 12345 190.151.47.10 22022 detail

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
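The pieces discussed in this thread, assembled into one configuration as an added example (this is not taken from any post above). It assumes ASA 8.3 or later NAT syntax and the interface names, object name and addresses from Hector's question; the object-group MGMT_SOURCES and its 203.0.113.0/24 range are constructed placeholders. Note that `after-auto` is a keyword of manual (twice) NAT only, so the outbound PAT is written in the form Hector later used rather than under `object network obj_any`.

```cisco
! --- Server object and static PAT (the port forward) ---
object network Server-Arq
 host 192.168.20.36
 description Internal SSH server, published on TCP/22022 of the outside address
 ! Real port 22 on the server is mapped to TCP/22022 on the WAN_INTERNET_If address.
 nat (inside,WAN_INTERNET_If) static interface service tcp ssh 22022
!
! --- Allowed source addresses (placeholder: 203.0.113.0/24 is a constructed value) ---
object-group network MGMT_SOURCES
 network-object 203.0.113.0 255.255.255.0
!
! --- Inbound ACL on the outside interface ---
! On ASA 8.3+ the interface ACL is evaluated after untranslation, so it matches the
! real address (the object) and the real port (22), not 190.151.47.10:22022.
! The thread's ACL uses "any" as source; limiting it to known sources narrows exposure
! of the SSH service, since a non-standard port on its own is not an access control.
access-list WAN_Internet_access_in extended permit tcp object-group MGMT_SOURCES object Server-Arq eq ssh
access-group WAN_Internet_access_in in interface WAN_INTERNET_If
!
! --- Outbound PAT for the LAN ---
! Manual NAT with "after-auto" lands in section 3, so it is evaluated only after the
! object (auto) NAT above has had its chance to match.
nat (inside,WAN_INTERNET_If) after-auto source dynamic any interface
!
! --- Verification after the change (exec mode) ---
! clear xlate
! packet-tracer input WAN_INTERNET_If tcp 8.8.8.8 12345 190.151.47.10 22022 detailed
! show nat detail
! show xlate
```

The full keyword is `detailed`; the ASA CLI accepts the abbreviated `detail` used in the thread as an unambiguous prefix. `show nat detail` lists the three NAT sections in evaluation order, which is the quickest way to confirm the static PAT sits above the dynamic rule. Keep in mind that packet-tracer exercises only the ASA's own policy: an ALLOW verdict combined with a client that still times out points at the host or the path behind the ASA, which is where this thread's problem eventually turned out to be.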

6 Replies

johnd2310
Level 8

Hi,

Your access-list should be for port 22022 and not ssh

"access-list WAN_Internet_access_in extended permit tcp any object Server-Arq eq 22022"

Thanks

John

**Please rate posts you find helpful**

Thank you, John.

I tried it, but that's not the problem.

Hector M.

Hello Francesco,

I moved the dynamic nat rule after the specific objects ones.

The syntax is: 

object network Server-Arq
nat (inside,WAN_INTERNET_If) static interface service tcp ssh 8022
!
nat (inside,WAN_INTERNET_If) after-auto source dynamic any interface

Regarding the packet-tracer, I have attached the output to this message. Last night, trying to do something different, I changed the 22022 port to tcp 8022, so the packet-tracer command I ran was:

packet-tracer input WAN_INTERNET_if tcp 8.8.8.8 12345 190.151.47.10 8022 detail

Hector M.

Did you remove this NAT:

object network obj_any
nat (any,WAN_INTERNET_If) dynamic interface

You should have only your ssh nat first and then the dynamic at the end.
Do a clear xlate, test again and re-run the packet-tracer command please.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello,

I did two different tests:

  1. Used an access switch in the LAN to forward port 22 to port 8201. External access (SSH to public IP + port 8201) worked ok
  2. Used an internal PC (Windows) and installed FreeSSH server. Mapped port 22 to 22134 and external SSH worked ok.

So, I asked the server's guy what was happening with his machine. He changed the machine and the initial problem disappeared!

Anyway, I thank you guys for your great help.

Hector M.
