ASA 9.9 Port forward problem

pwanderoy
Level 1

I cannot get this to work.

 

What I want to do.

Host on Internet (any) --> FW (xx.xx.24.220:22) --> SSH-pi (10.10.50.65:22)

 

A host on the Internet connects with SSH to the FW on port tcp/22 and is then forwarded to SSH-pi on port tcp/22.

 

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute       (DHCP ip = xx.xx.24.220)

interface GigabitEthernet1/8.5
 vlan 5
 nameif FW-VL5
 security-level 100
 ip address 10.10.50.1 255.255.255.0

object network SSH-pi-ext-ip
 host 77.53.24.220
object network SSH-pi
 host 10.10.50.65

access-list outside_access_in extended permit tcp any object SSH-pi-ext-ip eq ssh log notifications

object network obj_any
 nat (any,outside) dynamic interface
object network SSH-pi
 nat (FW-VL5,outside) dynamic interface

access-group outside_access_in in interface outside

3 Replies

Florin Barhala
Level 6

Couple things before we dive into your issue:

 1. Update your original post and hide the public IP you're using for the object network SSH-pi-ext-ip

 2. With the ASA using port 22 on the outside interface, it might happen that you cannot use it for the port-forward you need. I am not 100% sure it's not possible (some tricks might help), but I would just use any other external port, like 2222, and map it to my internal server on port 22.

Here's PF config as I see it:

 

object network SSH-pi-ext-ip
 host x.x.x.220
object network SSH-pi
 host 10.10.50.65

object service ssh_2222
 service tcp destination eq 2222
object service ssh_22
 service tcp destination eq 22

nat (outside,FW-VL5) after-auto source static any any destination static SSH-pi-ext-ip SSH-pi service ssh_2222 ssh_22 unidirectional
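An added worked example, not taken from any reply in this thread, that does the same port-forward with object NAT (static PAT on the interface address) instead of twice NAT. It reuses the interface names (outside, FW-VL5) and the Pi address (10.10.50.65) from the original post and takes the external port 2222 from the suggestion above, which also keeps the forward off tcp/22 where the ASA's own SSH server may be listening on the outside interface. The Internet source address 203.0.113.10 in the packet-tracer line is a constructed documentation address, and the outside IP must be replaced with whatever DHCP currently assigned.

```cisco
! Added example (not the original poster's or Florin's config).
! Step 1: drop the dynamic rule the original post put on the SSH-pi object;
! a dynamic PAT rule cannot forward inbound connections.
object network SSH-pi
 host 10.10.50.65
 no nat (FW-VL5,outside) dynamic interface
 ! Real port 22 on the Pi is exposed as <outside-IP>:2222.
 ! "interface" follows the DHCP-assigned outside address, so the rule keeps
 ! working after a lease change; a hard-coded host object such as
 ! SSH-pi-ext-ip would silently break when the address changes.
 nat (FW-VL5,outside) static interface service tcp 22 2222

! The general outbound PAT from the original post stays as it was.
object network obj_any
 nat (any,outside) dynamic interface

! Since ASA 8.3 the interface ACL is matched against the REAL (untranslated)
! address, so the permit must target the Pi object, not the mapped public IP.
! Port 22 is the real port here as well.
access-list outside_access_in extended permit tcp any object SSH-pi eq ssh log notifications
access-group outside_access_in in interface outside

! Verification: simulate the inbound SYN from a constructed Internet host to
! the current outside address on 2222. Every phase, including NAT and
! ACCESS-LIST, should report ALLOW and the final action should be "allow".
packet-tracer input outside tcp 203.0.113.10 40000 <outside-IP> 2222

! Confirm the static PAT is installed and watch its translate_hits grow
! while an external client connects.
show nat detail
show xlate
```

If packet-tracer drops the packet in the NAT phase, the old `dynamic interface` rule on the SSH-pi object is usually still present; if it drops in the ACCESS-LIST phase, the ACL is still written against the mapped address.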

Dennis Mink
VIP Alumni

Your NAT is wrong for port 22: you need to NAT the outside interface on port 22 to the inside Pi on port 22, from outside to inside.

Please remember to rate useful posts, by clicking on the stars below.

Out of curiosity, what happens with this DNAT on 22 if the user adds:
ssh 0.0.0.0 0.0.0.0 outside