Solved: Re: ASA 5505 NAT Issue

nescody · ‎12-25-2019

Hello,

I am trying to allow ssh to my internal sever.

I basically used the same configuration which was configured for port 80 or 443 on ASA.

object network linux
host 192.168.1.123
object service sshlinux
service tcp source eq ssh

access-list outside-in extended permit tcp any host 192.168.1.123 eq ssh

nat (inside,outside) source static linux interface service sshlinux sshlinux

access-group Outside-in in interface outside

Please suggest where the issue:

Thanks in advance

Elliot Dierksen · ‎01-02-2020

I think your problem is that you can't use port 22 on the outside unless you reassign the port that the ASA itself uses for SSH. You can do SSH on the outside on a different port, but translate it to 22 on the inside. That would look like this using port 922 on the outside. object network insidehost-ssh host 10.10.10.8 object network insidehost-ssh nat (inside,outside) static interface service tcp ssh 922 access-list internet-in extended permit tcp any object insidehost-ssh eq ssh access-group internet-in in interface outside

View solution in original post

Sheraz.Salim · ‎12-25-2019

your configuraton look good.

run a packet tracer

packet-tracer input outside tcp 8.8.8.8 12345 (firewall outside ip address) ssh

please do not forget to rate.

nescody · ‎12-30-2019

Thanks @Sheraz.Salim, But I don't have PT installed. SSH Port is still closed for my Public IP address.

Sheraz.Salim · ‎12-30-2019

I am not talking about Packet Tracer software for cisco student network learning. I am talking Packet Tracer utility in ASA software code.

here is a link

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p1.html

please do not forget to rate.

nescody · ‎12-31-2019

Thanks for providing the link. I am very new for Cisco devices.

Here is the output:

packet-tracer input outside tcp 8.8.8.8 12345 XXX.XXX.XXX.XXX ssh

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static linux interface service sshlinux sshlinux
Additional Information:
NAT divert to egress interface inside
Untranslate XXX.XXX.XXX.XXX/22 to 192.168.1.123/22

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

packets are dropping becuase of acl,

here is my acl:

access-list outside-in extended permit tcp any host 192.168.1.123 eq ssh

Sheraz.Salim · ‎12-31-2019

could you share your firewall configuration?

please do not forget to rate.

Elliot Dierksen · ‎01-02-2020

I think your problem is that you can't use port 22 on the outside unless you reassign the port that the ASA itself uses for SSH. You can do SSH on the outside on a different port, but translate it to 22 on the inside. That would look like this using port 922 on the outside. object network insidehost-ssh host 10.10.10.8 object network insidehost-ssh nat (inside,outside) static interface service tcp ssh 922 access-list internet-in extended permit tcp any object insidehost-ssh eq ssh access-group internet-in in interface outside

nescody · ‎01-03-2020

Thanks @Elliot Dierksen

Just trying to understand, as per packet tracer, packets were dropped becuase of acl configuration. And another thing, I am not able to ssh into router which tells me router is not configured to login via ssh. So ssh port was not configured so why it wasn't allowing me to use port 22. Thanks in advance.

It is working now with assigning diferent port on outside and translate to ssh inside.

Elliot Dierksen · ‎01-03-2020

As it pertains to SSH, I think that port is allocated whether it is configured or not. That is not true for HTTP and HTTPS as I have been able to pass those ports through. If you look in the logs, I doubt you will see an ACL deny. SSH going to the ASA itself would be permitted or denied by the "ssh" directives (if any) in the config.