02-20-2023 01:31 PM - edited 02-20-2023 01:31 PM
Hello.
Goal:
On ASA-5525...
...to permit servers 10.0.1.1/24, 10.0.1.2, 10.0.1.3...
...which use the protocol sftp
...to dynamically translate IPs to the public Outside interface
...to reach server 3.3.3.3 on its port 2222
Question: What is the CLI code for this?
Thank you.
02-20-2023 01:35 PM
Why dynamic?
02-20-2023 01:44 PM
You are correct: static. Can you please write the code? I've struggled with this for a long time.
02-20-2023 01:54 PM - edited 02-20-2023 02:35 PM
I think you must look at the whole picture:
the ACL must allow SFTP,
the NAT must NAT the traffic or un-NAT the traffic
object network SFTP
nat (inside,outside) static <Server Public IP> service tcp 22 22
the inspection <<- here, did you run the bypass as I mentioned before?
02-20-2023 02:51 PM
1. inside_in ACL is healthy and being hit. <<COMPLETE>>
2. Can you help me attain my intent here (to use an object group in the config)? I think I need to use manual NAT.
object-group network MY_3_SERVERS_to_VENDOR1
network-object host 10.0.1.1
network-object host 10.0.1.2
network-object host 10.0.1.3
nat (Inside,Outside) static 3.3.3.3 service tcp 2222
^
ERROR: % Invalid input detected at '^' marker.
02-20-2023 03:12 PM
I will test using an object-group with multiple network hosts mapped to one public IP,
but before that, can you check adding a single network host?
Also, is 3.3.3.3 reachable via the OUT interface?
Are you using Inside, Outside as the nameif of the interfaces?
02-20-2023 03:20 PM
but before that, can you check adding a single network host?
Also, is 3.3.3.3 reachable via the OUT interface? YES, confirmed
Are you using Inside, Outside as the nameif of the interfaces? YES, confirmed
I think it's best not to get too complex. I think it's a simple config error.
I just need code that satisfies the 1st post. Your code is the right idea, but it's best to use 1 object group for the three hosts. So...
object network SFTP
host <ServerPrivate IP>
nat (inside,outside) static <Server Public IP> service tcp 2222
...needs to be changed to an "object group" config. That's all, I think.
02-20-2023 03:25 PM - edited 02-20-2023 03:26 PM
object network SFTP <<- you can change this as you want, but I recommend always keeping the name referring to the IP or service
host <ServerPrivate IP>
nat (inside,outside) static <Server Public IP> service tcp 22 22
02-20-2023 03:49 PM - edited 02-20-2023 03:52 PM
Some progress. I took a PCAP from a device, not the ASA -- 1 hop past the Outside interface of the ASA. The pcap says the translated destination port is NOT the required 2222.
Below is the present config
object network SFTP
nat (Inside,Outside) static 3.3.3.3 service tcp 2222 2222
access-group Outside_access_in in interface Outside
How do I fix this so the TRANSLATED destination port is 2222? (I think I need manual twice NAT, but I'm not sure)
(The REAL destination port needs to be exactly "2222")
02-20-2023 03:58 PM
tcp 22 22 does not mean port 2222.
It means
source tcp port 22 will be NATed to tcp port 22.
That's why I made it bold.
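To make the point of this reply concrete, here is an added example (not code from the thread, and not Cisco's implementation): a small Python model of how an ASA object (auto) NAT rule with a `service` clause is applied. The object block, interface names and the mapped address 198.51.100.10 are constructed for the example; the packets are constructed too. The model shows that `service tcp REAL MAPPED` translates only the object host's own address and port (22 to 22 here), and that the remote peer's destination port is never touched by an object NAT rule, so a connection made to 3.3.3.3:2222 keeps that destination port with or without the rule.

```python
"""Simplified model of a Cisco ASA object (auto) NAT rule with a ``service`` clause.

This is an illustrative model written for the thread, not ASA code.  Object NAT
rewrites only the address (and, with ``service``, the port) of the host that owns
the rule; the remote peer's address and port are left alone.  Real ASA behaviour
has more rule types (manual/twice NAT, dynamic PAT) that are not modelled here.
"""
import re
from dataclasses import dataclass, replace
from typing import Optional

# nat (real_if,mapped_if) static MAPPED_IP [service tcp|udp REAL_PORT MAPPED_PORT]
# Both ports are required when ``service`` is given; a single port is rejected.
_NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) static (?P<mapped_ip>\S+)"
    r"(?: service (?P<proto>tcp|udp) (?P<real_port>\d+) (?P<mapped_port>\d+))?$"
)

# Constructed config block modelled on the one discussed in the thread.
OBJECT_SFTP_22 = """object network SFTP
 host 10.0.1.1
 nat (Inside,Outside) static 198.51.100.10 service tcp 22 22
"""


@dataclass(frozen=True)
class StaticNat:
    real_ip: str            # the ``host`` inside the object
    mapped_ip: str
    real_if: str
    mapped_if: str
    proto: Optional[str] = None
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    ingress_if: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_object_nat(object_block: str) -> StaticNat:
    """Parse a minimal ``object network`` block with ``host`` and ``nat`` lines."""
    host = nat = None
    for raw in object_block.strip().splitlines():
        line = raw.strip()
        if line.startswith("host "):
            host = line.split()[1]
        elif line.startswith("nat "):
            nat = line
    if host is None or nat is None:
        raise ValueError("object block needs both a 'host' and a 'nat' line")
    m = _NAT_RE.match(nat)
    if not m:
        raise ValueError(f"unsupported or malformed nat line: {nat!r}")
    g = m.groupdict()
    return StaticNat(
        real_ip=host, mapped_ip=g["mapped_ip"],
        real_if=g["real_if"].strip(), mapped_if=g["mapped_if"].strip(),
        proto=g["proto"],
        real_port=int(g["real_port"]) if g["real_port"] else None,
        mapped_port=int(g["mapped_port"]) if g["mapped_port"] else None,
    )


def translate(pkt: Packet, rule: StaticNat) -> Packet:
    """Apply one rule to one packet; return the packet unchanged if it does not match.

    Outbound (enters real_if from the object host): rewrite the *source* only.
    Inbound (enters mapped_if towards the mapped address): rewrite the *destination*
    back to the real host.  The outbound destination (e.g. 3.3.3.3:2222) is never changed.
    """
    if pkt.ingress_if == rule.real_if and pkt.src_ip == rule.real_ip:
        if rule.proto and (pkt.proto != rule.proto or pkt.src_port != rule.real_port):
            return pkt  # static PAT with ``service`` only matches the real port
        return replace(pkt, src_ip=rule.mapped_ip,
                       src_port=rule.mapped_port if rule.proto else pkt.src_port)
    if pkt.ingress_if == rule.mapped_if and pkt.dst_ip == rule.mapped_ip:
        if rule.proto and (pkt.proto != rule.proto or pkt.dst_port != rule.mapped_port):
            return pkt
        return replace(pkt, dst_ip=rule.real_ip,
                       dst_port=rule.real_port if rule.proto else pkt.dst_port)
    return pkt


if __name__ == "__main__":
    rule = parse_object_nat(OBJECT_SFTP_22)
    # Constructed outbound packet: host's real port 22 to the vendor on 2222.
    out = translate(Packet("Inside", "tcp", "10.0.1.1", 22, "3.3.3.3", 2222), rule)
    print(out)  # source becomes 198.51.100.10:22, destination stays 3.3.3.3:2222
```

Running the block prints the translated packet: the source is rewritten to the mapped address and port, while the destination 3.3.3.3:2222 is exactly what the client sent. A packet from the same host with a different source port does not match the `service tcp 22 22` rule at all and passes through this rule untranslated, which is the other half of the reply's point.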
02-20-2023 04:06 PM - edited 02-20-2023 04:08 PM
OK, we have a misunderstanding here, because there is a strange coincidence...
The vendor has opened port EXACTLY THIS NUMBER "2222" (2230-8=2222, the number 2222).
The protocol is sftp, which uses port 22. I need the code to connect to destination port exactly 2222.
(Now, maybe later there is a completely different issue: SERVICE 22 used by SFTP (and also SSH) is blocked by firepower or something. But that is for later troubleshooting.)
Below is the present config
object network SFTP
nat (Inside,Outside) static 3.3.3.3 service tcp 2222 2222
access-group Outside_access_in in interface Outside
How do I fix this so the TRANSLATED destination port is 2222? (I think I need manual twice NAT, but I'm not sure)
...or maybe my big misunderstanding is that the TCP protocol is NOT a port, it is a different thing. So again, please tell me how to fix it?
02-20-2023 04:11 PM
How do I fix this so the TRANSLATED destination port is 2222? (I think I need manual twice NAT, but I'm not sure)
Do you want to NAT the port?
You already have static PAT
and you receive SFTP toward 2222.
No need for any other NAT in this case.
02-20-2023 04:15 PM - edited 02-20-2023 04:22 PM
Right now a PCAP on a device 1 hop past the outside int of the ASA, going to the www, shows the destination port is NOT 2222. It is a random port. It needs to be 2222.
Below is the present config
object network SFTP
host 10.0.1.1
nat (Inside,Outside) static 3.3.3.3 service tcp 2222 2222