Struggling and Under The Gun - Halp

jgarcia44
Level 1

I have a Cisco ASA 5505 Firewall with version 8.0(3).  I am trying to allow an external network SSH access into an internal host.

I am seriously struggling with this seemingly easy scenario. 

For protection I will use fake IPs - but here is what I want to see happen.

External network: 8.8.8.8 wants to be able to SSH (using putty) to 

Internal private IP 192.168.72.104 behind my firewall.  I am only allowed 1 public IP from the ISP, which we will call: 4.4.4.4

I believe I need to use NAT'ing and ACL, but I'm just not getting it to work : /

I appreciate the feedback greatly.



5 Replies

Marvin Rhoads
Hall of Fame

Since the ASA itself listens on tcp/22 (used by ssh) and you only have the ASA's outside interface address to work with, you need to use port address translation (PAT).

The outside user would then come into the ASA on the translated port. In the following example I used port 2200 as the NAT for port 22:


static (inside,outside) tcp 4.4.4.4 2200 192.168.72.104 22 netmask 255.255.255.255

access-list outside_in extended permit tcp host 8.8.8.8 host 4.4.4.4 eq 2200

access-group outside_in in interface outside

Marvin - Thank you very much for the information.  I am getting this error while running this command from within the ASDM GUI command line (I know I should use CLI): 

"ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address".

Suggestion?

Sorry - I was working from memory on the syntax of this old ASA version. Try this instead for the first line:

static (inside,outside) tcp interface 2200 192.168.72.104 22 netmask 255.255.255.255

I still was unable to establish an ssh session to the host, here is my config if it helps.  I can provide anything else helpful:

Result of the command: "sh run"

: Saved
:
ASA Version 8.0(3) 
!
hostname pbwksmadisonave
domain-name default.domain.invalid

names
name 192.168.72.101 
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.72.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 4.4.4.4 255.255.255.252 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!

boot system disk0:/asa803-k8.bin
boot system disk0:/asa723-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.44.0 255.255.255.0
 network-object 192.168.52.0 255.255.255.0
 network-object host 
object-group service OpenVPN-1194 tcp-udp
 description TCP and UDP Port Group for OpenVPN
 port-object eq 1194
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq 5900
 port-object eq ssh
 group-object OpenVPN-1194
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ldap
 port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
 group-object OpenVPN-1194
 port-object eq ssh
object-group service DM_INLINE_TCP_4 tcp
 group-object OpenVPN-1194
 port-object eq ssh
object-group service DM_INLINE_TCP_5 tcp
 group-object OpenVPN-1194
 port-object eq ssh
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service ServerPort96009800 tcp-udp
 description UDP and TCP Ports
 port-object eq 9600
 port-object eq 9800
object-group service DM_INLINE_TCP_7 tcp
 group-object OpenVPN-1194
 port-object eq ssh
access-list outside_cryptomap extended permit ip 192.168.72.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list inside_nat0_outbound extended permit ip 192.168.72.0 255.255.255.0 192.168.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip any 172.16.32.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.72.0 255.255.255.0 192.168.64.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.72.0 255.255.255.0 192.168.92.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.72.0 255.255.255.0 192.168.56.0 255.255.255.0 

access-list outside_in extended permit tcp 172.16.32.0 255.255.255.0 host Server101 object-group DM_INLINE_TCP_1 
access-list outside_in extended permit tcp host 8.8.8.8 host 4.4.4.4 eq ssh 
access-list outside_in extended permit tcp host *.*.*.* host 4.4.4.4 eq ssh 
access-list outside_2_cryptomap extended permit ip 192.168.72.0 255.255.255.0 192.168.64.0 255.255.255.0 
access-list outside_3_cryptomap extended permit ip 192.168.72.0 255.255.255.0 192.168.92.0 255.255.255.0 
access-list inside_access_in remark Allow SMTP traffic (scanned PDF images)
access-list inside_access_in remark All Servers to send SMTP
access-list inside_access_in extended permit tcp host Server101 any eq smtp 
access-list inside_access_in remark ACL to prevent rogue SMTP from 72.X to anywhere outbound
access-list inside_access_in extended deny tcp any any eq smtp 
access-list inside_access_in extended permit ip any any 
access-list outside_4_cryptomap extended permit ip 192.168.72.0 255.255.255.0 192.168.56.0 255.255.255.0 
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool VPN-NETWORK 172.16.32.0-172.16.32.100 mask 255.255.255.0
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ssh 192.168.72.104 ssh netmask 255.255.255.255 
static (inside,outside) 192.168.72.0 192.168.72.0 netmask 255.255.255.0 
access-group inside_access_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 4.4.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.72.0 255.255.255.0 inside

telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 5

I hope this helps and I appreciate your time!
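As an added configuration-audit example (not code from this thread, from Cisco, or from the ASA itself), the check below parses ASA 8.0-style `static (inside,outside) tcp interface ...` lines and `ssh`/`telnet`/`http` management-access lines and reports the problem Marvin describes: a static PAT on tcp/22 of the outside interface shadowing the ASA's own ssh listener, as the posted `sh run` does with `static (inside,outside) tcp interface ssh ...` next to `ssh 0.0.0.0 0.0.0.0 outside`. It also flags management services reachable from any source. The sample config is constructed to mirror lines in this thread, and the per-service listener ports are assumed defaults.

```python
import re

# Constructed excerpt modelled on the "sh run" posted above (not the full config).
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface ssh 192.168.72.104 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 2200 192.168.72.105 ssh netmask 255.255.255.255
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.72.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
"""

# Assumed listener ports of the ASA's own management services (ASDM/http is HTTPS).
MGMT_PORTS = {"ssh": 22, "telnet": 23, "http": 443}
# Service names the ASA accepts in place of a port number (assumed subset).
NAMED_PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443, "smtp": 25}

STATIC_RE = re.compile(r"^static \((\w+),(?P<mapped>\w+)\) tcp interface "
                       r"(?P<mport>\S+) (?P<host>\S+) (?P<rport>\S+)")
MGMT_RE = re.compile(r"^(?P<svc>ssh|telnet|http) (?P<net>\S+) (?P<mask>\S+) (?P<iface>\w+)$")


def port_number(token):
    return NAMED_PORTS.get(token) or int(token)


def audit(config):
    """Return findings: static PAT on an interface port that the ASA's own management
    service already listens on, and management access permitted from any source."""
    statics, mgmt, findings = [], {}, []
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.append((m["mapped"], port_number(m["mport"]),
                            m["host"], port_number(m["rport"])))
        elif m := MGMT_RE.match(line):
            mgmt.setdefault((m["svc"], m["iface"]), []).append((m["net"], m["mask"]))
    for (svc, iface), sources in mgmt.items():
        for s_iface, mport, host, rport in statics:
            if s_iface == iface and mport == MGMT_PORTS[svc]:
                findings.append(f"collision: static PAT tcp/{mport} on {iface} shadows "
                                f"{svc} management; forward to {host}:{rport} on another port")
        if ("0.0.0.0", "0.0.0.0") in sources:
            findings.append(f"exposure: {svc} management on {iface} allows any source")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` to confirm that a forwarded port does not overlap a listener the firewall keeps for itself.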

I would like to post the exact commands I entered although I could not have gotten them right without the help of Marvin Rhoads - Many thanks sir!

Using Marvin's examples with my environment variables:

static (inside,outside) tcp interface 22 192.168.72.104 22 netmask 255.255.255.255

access-list outside_in extended permit tcp host 8.8.8.8 host 4.4.4.4 eq 22

access-group outside_in in interface outside

Very good my friend!

