02-02-2019 07:39 AM - edited 02-21-2020 08:44 AM
Hi everyone, can you guys help me with this one? From the topology, PC1 to PC3 need to connect with the Server using SSH.
Here are the details:
[IP Address]
1. PC 1 : 192.168.1.2
2. PC 2: 192.168.2.2
3. PC 3: 192.168.3.2
4. SSH Server: 10.109.80.85
5. TP Link Router MR3220:
(Wan Interface): 1.1.1.1
(Lan Interface): 10.109.80.1
6. ASA Firewall:
GiG 1/1 : 1.1.1.20
GiG 1/2 : 192.168.1.1
GiG 1/3 : 192.168.2.1
GiG 1/4 : 192.168.3.1
[Conditions]
1. PC 1 to PC 3 will have static NAT with the following addresses:
1.1. 192.168.1.2 ----> 1.1.1.21
1.2. 192.168.2.2 ----> 1.1.1.22
1.3. 192.168.3.2 ----> 1.1.1.23
2. PC 1 to PC 3 can access port 22 of the Server
3. Private IP addresses of PC1 to PC2 must not be visible from SSH server
*I can only configure the ASA using ASDM. I'm a total newbie with ASA, so please. Thanks in advance!
*I already tested port 22 of the Server using SSH when I connected to the LAN interfaces.
*Is it really possible for a TP-Link home router to port forward port 22 of the server to the WAN interface?
I'm a total newbie with ASA, so please? Thank you in advance!
02-04-2019 08:51 AM
Hi,
From my understanding, you will need to access the SSH server from all three PCs, right?
1. You need dynamic PAT on the ASA so your PCs can go out to the internet.
2. You will need to configure port forwarding on the TP-Link router, for example, 1.1.1.1:22 >> 10.109.80.85:22
3. You will need to initiate the SSH connection from the PC using the public IP of the TP-Link router.
What is the issue you are having at the moment?
02-07-2019 05:28 AM
Hello
Thanks for answering! Is static NAT not an option? Now I see that I need to port forward then ssh the public IP.
02-07-2019 06:59 AM
02-10-2019 07:23 PM
Hi
I already tested your suggestions. From the syslog of ASA,
***I was able to see the dynamic TCP translation of 192.168.1.2 ---> 1.1.1.21
6 Feb 11 2019 11:26:44 192.168.1.2 59497 1.1.1.1 22 Built outbound TCP connection 13088 for outside:1.1.1.1/22 (192.168.1.100/22) to inside1:192.168.1.2/59497 (1.1.1.21/59497)
***The problem is I still can't connect and I see this teardown log:
6 Feb 11 2019 11:10:41 1.1.1.1 22 192.168.1.2 59402 Teardown TCP connection 13064 for outside:1.1.1.1/22 to inside1:192.168.1.2/59402 duration 0:00:30 bytes 0 SYN Timeout
***I also configured 1.1.1.1 to be translated to 192.168.1.100 (static)
***Still can't access.
Should I add an access list? Thanks a lot!
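
Added example, not part of the original thread: a small Python parser for the two ASDM log lines quoted in the post above, pulling out the address pairs and flagging the teardown that never carried data. It assumes the address before each parenthesis is the real address and the one inside is the mapped address; the function and field names are made up for this illustration.

```python
import re

# Constructed sample: the two ASDM log viewer lines quoted in the post above.
SAMPLE_LOG = """\
6 Feb 11 2019 11:26:44 192.168.1.2 59497 1.1.1.1 22 Built outbound TCP connection 13088 for outside:1.1.1.1/22 (192.168.1.100/22) to inside1:192.168.1.2/59497 (1.1.1.21/59497)
6 Feb 11 2019 11:10:41 1.1.1.1 22 192.168.1.2 59402 Teardown TCP connection 13064 for outside:1.1.1.1/22 to inside1:192.168.1.2/59402 duration 0:00:30 bytes 0 SYN Timeout
"""

def endpoint(p):
    # interface:address/port, e.g. outside:1.1.1.1/22
    return rf"(?P<{p}_if>\w+):(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)"

def mapped(p):
    # Optional " (address/port)" after an endpoint; assumed to be the mapped (NAT) side.
    return rf"(?: \((?P<{p}_map_ip>[\d.]+)/(?P<{p}_map_port>\d+)\))?"

BUILT = re.compile(r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
                   + endpoint("a") + mapped("a") + " to " + endpoint("b") + mapped("b"))
TEARDOWN = re.compile(r"Teardown TCP connection (?P<id>\d+) for "
                      + endpoint("a") + " to " + endpoint("b")
                      + r" duration (?P<duration>\S+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?")

def parse(log_text):
    """Return one dict per Built/Teardown line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        for kind, rx in (("built", BUILT), ("teardown", TEARDOWN)):
            m = rx.search(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
    return events

def findings(events):
    """Summarise translations and flag connections that died in the handshake."""
    notes = []
    for e in events:
        if e["kind"] == "built":
            notes.append(f"conn {e['id']}: {e['b_if']} host {e['b_ip']} is translated to "
                         f"{e['b_map_ip']}; {e['a_if']} peer {e['a_ip']}/{e['a_port']} "
                         f"is paired with {e['a_map_ip']}")
        elif e["reason"] == "SYN Timeout" and e["bytes"] == "0":
            # The ASA built the connection, but the three-way handshake never completed.
            notes.append(f"conn {e['id']}: torn down after {e['duration']} with 0 bytes "
                         f"({e['reason']}); handshake to {e['a_ip']}/{e['a_port']} never completed")
    return notes

if __name__ == "__main__":
    for note in findings(parse(SAMPLE_LOG)):
        print(note)
```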
02-10-2019 08:33 PM - edited 02-11-2019 04:09 PM
Hi, sorry to bother. The issues are now solved. Thanks a lot!!