ASA Version 9.4(2)6
Task to accomplish:
1) Allow anyone HTTP access to WEB_Svr (inside: 10.10.10.19, outside: 1.1.1.19).
2) Allow VENDOR at 3.3.3.3 access to SSH_Svr (inside: 10.10.10.19, outside: 1.1.1.19) on SSH port 22, translated to outside port 5678.
The configuration below works, but it also allows VENDOR to use either port 22 or port 5678. My ACL is using the real IP address and real port.
How can I limit VENDOR's access to port 5678 only?
I'm assuming that when port 22 is used, the WEB_Svr NAT is used, and when 5678 is used, the SSH_Svr NAT is used. I thought about appending "service tcp 80 80" to the WEB_Svr NAT, but this is not permitted together with the "dns" qualifier.
! Vendor source address
object-group network VENDOR
 network-object host 3.3.3.3
! Both objects point at the same real host
object network WEB_Svr
 host 10.10.10.19
object network SSH_Svr
 host 10.10.10.19
! Outside ACL, written against the real address and real port
access-list outside_access_in extended permit tcp any object WEB_Svr eq www
access-list outside_access_in extended permit tcp object-group VENDOR object SSH_Svr eq ssh
! One-to-one static NAT (all ports) with DNS rewrite
object network WEB_Svr
 nat (inside,outside) static 1.1.1.19 dns
! Port-specific static NAT: outside 1.1.1.19:5678 -> inside 10.10.10.19:22
object network SSH_Svr
 nat (inside,outside) static 1.1.1.19 service tcp 22 5678
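Added example (this is not part of the original question and is not the poster's configuration). The reason both ports work is that on ASA 8.3 and later the interface ACL is matched against the real (untranslated) destination: a vendor connection to 1.1.1.19:22 is translated by the one-to-one WEB_Svr static (which covers every port) to 10.10.10.19:22, and a connection to 1.1.1.19:5678 is translated by the SSH_Svr rule to the same 10.10.10.19:22, so the ACE "object SSH_Svr eq ssh" permits both and cannot tell them apart. The restriction therefore has to be made in NAT, not in the ACL: make the WEB_Svr translation port-specific so that 1.1.1.19:22 has no translation at all. Because the dns keyword cannot be combined with service on this release, DNS rewrite is dropped from that rule. The example assumes the interface names inside/outside and the ACL binding with access-group shown below (the binding is not in the original post), and that DNS rewrite for WEB_Svr is not actually needed.

```cisco
! Vendor source address (unchanged)
object-group network VENDOR
 network-object host 3.3.3.3

! WEB_Svr: replace the all-ports static with a port-specific one.
! After this, only 1.1.1.19:80 is translated to 10.10.10.19:80;
! 1.1.1.19:22 matches no NAT rule and never reaches the inside host.
! (dns and service cannot be combined, so dns is removed.)
object network WEB_Svr
 host 10.10.10.19
 no nat (inside,outside) static 1.1.1.19 dns
 nat (inside,outside) static 1.1.1.19 service tcp 80 80

! SSH_Svr: unchanged, 1.1.1.19:5678 -> 10.10.10.19:22
object network SSH_Svr
 host 10.10.10.19
 nat (inside,outside) static 1.1.1.19 service tcp 22 5678

! ACL still written against the real address and real port
access-list outside_access_in extended permit tcp any object WEB_Svr eq www
access-list outside_access_in extended permit tcp object-group VENDOR object SSH_Svr eq ssh
! Assumed binding (not shown in the original post)
access-group outside_access_in in interface outside

! Verification: trace the three cases through NAT and the ACL
! (4.4.4.4 and the source port are arbitrary values for the test)
packet-tracer input outside tcp 3.3.3.3 40000 1.1.1.19 5678
packet-tracer input outside tcp 3.3.3.3 40000 1.1.1.19 22
packet-tracer input outside tcp 4.4.4.4 40000 1.1.1.19 80
show nat detail
```

The first and third traces should show an xlate to 10.10.10.19/22 and 10.10.10.19/80 respectively and end in an allow; the second should end in a drop because no NAT rule covers 1.1.1.19:22, before the ACL is even consulted. Two caveats: check "show nat detail" for any other translation (a manual/twice NAT in section 1, or a broader object NAT) that still covers 10.10.10.19 on all ports, since that would reopen port 22; and if DNS rewrite for the web server's public name really is required for inside clients, it cannot be attached to a port-specific rule on this release, so inside name resolution has to be handled another way (for example an internal DNS view that returns 10.10.10.19).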