08-06-2010 06:16 AM - edited 03-11-2019 11:21 AM
Hi All,
I'm well aware that there must be several posts on this topic already (I've read a few) and even searched other articles, but I am having no joy whatsoever. Perhaps this will be a chance for someone to get 5 easy points.
I'm currently running an ASA 5505 8.3.(2) and ASDM 6.3.(2). I cannot get PAT working for the life of me. I would dearly like to get my outside interface to nat port 2202 to an internal host (LXSERVER) on port 22.
OUTSIDE interface: DHCP
DMZ interface: 10.2.2.1
DMZ host: LXSERVER 10.2.2.2
e.g. any IP ----> OUTSIDE INTERFACE:2202 ----> PAT -----> LXSERVER:2202
I can access the LXSERVER from my INSIDE (192.168.2.0/24) network and access the internet from within without a problem.
interface Vlan10
nameif OUTSIDE
security-level 0
ip address dhcp setroute
!
interface Vlan20
nameif DMZ
security-level 50
ip address 10.2.2.1 255.255.255.0
!
output omitted
!
object network LXSERVER
host 10.2.2.2
!
output omitted
!
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq 2202
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq 2202
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq ssh
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq ssh
!
output omitted
!
object network LXSERVER
nat (DMZ,OUTSIDE) static interface service tcp ssh 2202
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
nat (LAB,OUTSIDE) after-auto source dynamic any interface
nat (DMZ,OUTSIDE) after-auto source dynamic any interface
access-group INSIDE_access_in in interface INSIDE
access-group OUTSIDE_access_in in interface OUTSIDE
access-group LAB_access_in in interface LAB
I have highlighted in bold what I see as important config. I have added the four access list entries as above purely for testing and have been trying to use the Packet Tracer to determine what is the correct ACL to have in place.
So, I have a couple of questions, namely,
1. Is my config wrong, and if so
2. What is the correct config in order to achieve my goal
3. If you were to test this with the packet tracer, what destination IP and port would you input as the relevant parameters?
Best Regards,
Conor
08-06-2010 06:52 AM
Hello,
Your configuration looks good. Can you please make sure that the default gateway on the DMZ server is set to the DMZ interface IP? Also, you do not need the following lines:
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq 2202
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq 2202
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq ssh
If it is still not working, please check the access-list hit count (show access-list OUTSIDE_access_in). If you do not see any hit count for the rule that allows ssh access, your ISP might be blocking non-standard ports. You need to talk to them and open up the ports.
Hope this helps.
Regards,
NT
08-06-2010 07:27 AM
Dear Nagaraja,
Thanks for the speedy post. I just went back and tried to ssh to my server and, hey presto, it worked. It must have been the last change I made and most likely failed to test in my ever growing impatience. Seems all that reading and trial and error paid off. I also worked out that you need to use the internal ip and port in the firewall ACL but the outside interface and 'to be patted' port.
Thanks again, and as I suggested, 5 stars easily earnt!
So, for anyone else having this problem, the above config works, but be sure to note Nagaraja's information regarding the unnecessary ACLs.
Cheers,
Conor
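Added example (not the original poster's config or the answerer's): the thread's 8.3 PAT setup reduced to the single ACE that is actually evaluated, followed by the verification commands, including the packet-tracer invocation that answers question 3. The client address 198.51.100.20 and the DHCP-assigned OUTSIDE address 203.0.113.10 are placeholders.

```cisco
! Added example, not the original poster's running config.
! Placeholders: 198.51.100.20 = a test client on the Internet,
! 203.0.113.10 = whatever DHCP handed the OUTSIDE interface.
object network LXSERVER
 host 10.2.2.2
 nat (DMZ,OUTSIDE) static interface service tcp ssh 2202
!
! ASA 8.3+ evaluates interface ACLs against the real (untranslated)
! address and port, so the only ACE needed is real host, real port 22.
! The "any host 10.2.2.2 eq 2202" and "any interface OUTSIDE ..." entries
! from the thread never match and only widen the policy.
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq ssh
access-group OUTSIDE_access_in in interface OUTSIDE
!
! Verification, from enable mode.
! Find the current DHCP-assigned OUTSIDE address first.
show interface ip brief
! packet-tracer models the packet as it arrives on the wire, so the
! destination is the mapped OUTSIDE address and the mapped port 2202;
! the ACCESS-LIST phase of the output should then show the ACE above.
packet-tracer input OUTSIDE tcp 198.51.100.20 40000 203.0.113.10 2202 detailed
! Confirm the static PAT is installed and count hits on the ACE
! (a zero hit count after a real connection attempt points upstream,
! e.g. the ISP filtering the non-standard port, as noted in the answer).
show nat detail
show access-list OUTSIDE_access_in
show xlate
```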