Setting up Cisco ASA firewall

floki
Level 1

Hi everyone, can you guys help me with this one? From the topology, PC1 to PC3 need to connect with the Server using SSH.

Cisco_ASA.JPG

Here are the details:
[IP Address]
1. PC 1 : 192.168.1.2 
2. PC 2: 192.168.2.2
3. PC 3: 192.168.3.2
4. SSH Server: 10.109.80.85
5. TP Link Router MR3220: 
(Wan Interface): 1.1.1.1
(Lan Interface): 10.109.80.1
6. ASA Firewall: 
GiG 1/1 : 1.1.1.20
GiG 1/2 : 192.168.1.1
GiG 1/3 : 192.168.2.1
GiG 1/4 : 192.168.3.1
[Conditions]
1. PC 1 to PC 3 will be having static NAT with the following address:
1.1. 192.168.1.2 ----> 1.1.1.21
1.2. 192.168.2.2 ----> 1.1.1.22
1.3. 192.168.3.2 -----> 1.1.1.23
2. PC 1 to PC 3 can Access port 22 of the Server
3. Private IP addresses of PC1 to PC2 must not be visible from SSH server

*I can only configure the ASA using ASDM. I'm a total newbie with ASA, so please. Thanks in advance!
*I already tested port 22 of the Server using SSH when I connected to the LAN interfaces.
*Is it really possible for a TP-Link home router to port forward port 22 of the server to the WAN interface?

I'm a total newbie with ASA, so please? Thank you in advance!

Accepted Solutions

vsurresh
Level 1

Hi,

From my understanding, you will need to access the SSH server from all three PCs, right?

1. You need dynamic PAT on the ASA so your PCs can go out to the internet.

2. You will need to configure port forwarding on the TP-Link router, for example, 1.1.1.1:22 >> 10.109.80.85:22

3. You will need to initiate the SSH connection from the PC using the public IP of the TP-Link router.

What is the issue you are having at the moment?


5 Replies

Hello

Thanks for answering! Is static NAT not an option? Now I see that I need to port forward, then SSH to the public IP.

Hi,
Static NAT is only applied if the server is behind the ASA. Even if you have an ASA, you are still required to use the public IP to connect to the server. (The ASA will handle the private to public IP translation.)

Hi

I already tested your suggestions. From the syslog of the ASA:

***I was able to see the dynamic TCP translation of 192.168.1.2 ---> 1.1.1.21

6 Feb 11 2019 11:26:44 192.168.1.2 59497 1.1.1.1 22 Built outbound TCP connection 13088 for outside:1.1.1.1/22 (192.168.1.100/22) to inside1:192.168.1.2/59497 (1.1.1.21/59497)

***The problem is I still can't connect, and I see this teardown log:

6 Feb 11 2019 11:10:41 1.1.1.1 22 192.168.1.2 59402 Teardown TCP connection 13064 for outside:1.1.1.1/22 to inside1:192.168.1.2/59402 duration 0:00:30 bytes 0 SYN Timeout

***I also configured 1.1.1.1 to be translated to 192.168.1.100 (static)

***Still can't access.

Should I add an access list? Thanks a lot!

Hi, sorry to bother. The issues are now solved. Thanks a lot!!
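
An added example, not part of the original thread or of any Cisco tool: a small Python parser for the two ASA connection log lines quoted above. It lists the real-to-mapped address pairs from the Built message and flags teardowns that ended in a SYN Timeout with zero bytes. The function names are assumptions of this example; the log lines are copied from the thread.

```python
import re

# Both lines are copied from the thread above (ASDM log viewer format).
THREAD_LOGS = [
    "6 Feb 11 2019 11:26:44 192.168.1.2 59497 1.1.1.1 22 Built outbound TCP connection 13088 for outside:1.1.1.1/22 (192.168.1.100/22) to inside1:192.168.1.2/59497 (1.1.1.21/59497)",
    "6 Feb 11 2019 11:10:41 1.1.1.1 22 192.168.1.2 59402 Teardown TCP connection 13064 for outside:1.1.1.1/22 to inside1:192.168.1.2/59402 duration 0:00:30 bytes 0 SYN Timeout",
]

EP = r"(\w+):([\d.]+)/(\d+)"      # interface:real-address/real-port
MAPPED = r"\(([\d.]+)/(\d+)\)"    # (mapped-address/mapped-port)
BUILT = re.compile(rf"Built (inbound|outbound) TCP connection (\d+) for {EP} {MAPPED} to {EP} {MAPPED}")
TEARDOWN = re.compile(
    rf"Teardown TCP connection (\d+) for {EP} to {EP} "
    r"duration (\d+):(\d+):(\d+) bytes (\d+) (.+)$")


def parse_event(line):
    """Parse one Built/Teardown TCP line; return None for anything else."""
    m = BUILT.search(line)
    if m:
        g = m.groups()
        ends = {g[2]: {"real": f"{g[3]}/{g[4]}", "mapped": f"{g[5]}/{g[6]}"},
                g[7]: {"real": f"{g[8]}/{g[9]}", "mapped": f"{g[10]}/{g[11]}"}}
        return {"event": "built", "direction": g[0], "conn": int(g[1]), "ends": ends}
    m = TEARDOWN.search(line)
    if m:
        g = m.groups()
        secs = int(g[7]) * 3600 + int(g[8]) * 60 + int(g[9])
        return {"event": "teardown", "conn": int(g[0]),
                "ends": {g[1]: f"{g[2]}/{g[3]}", g[4]: f"{g[5]}/{g[6]}"},
                "seconds": secs, "bytes": int(g[10]), "reason": g[11].strip()}
    return None


def translations(lines):
    """(conn, interface, real, mapped) for every endpoint the ASA rewrote."""
    events = [e for e in map(parse_event, lines) if e and e["event"] == "built"]
    return [(e["conn"], ifc, ep["real"], ep["mapped"])
            for e in events for ifc, ep in e["ends"].items() if ep["real"] != ep["mapped"]]


def failed_handshakes(lines):
    """Teardowns where no data flowed and the three-way handshake never completed."""
    return [e for e in map(parse_event, lines)
            if e and e["event"] == "teardown" and e["reason"] == "SYN Timeout" and e["bytes"] == 0]


if __name__ == "__main__":
    for row in translations(THREAD_LOGS):
        print("translated:", row)
    for e in failed_handshakes(THREAD_LOGS):
        print("handshake never completed:", e["conn"], e["ends"], f'{e["seconds"]}s')
```

A connection that was Built and later torn down with SYN Timeout was admitted by the ASA; what never arrived was the reply to the SYN, so the translated addresses and the path beyond the ASA are the things to check.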
