ASA Version 9.4 - static port translation issue

NeverOutofTune
Level 1

ASA Version 9.4(2)6

Task to accomplish:

1) Allow anyone HTTP access to WEB_Svr inside: 10.10.10.19, outside: 1.1.1.19
2) Allow VENDOR at 3.3.3.3 access to SSH_Svr inside: 10.10.10.19, outside: 1.1.1.19 on port SSH (22) translated to port 5678.

The below configuration works but also allows VENDOR to use port 22 or 5678. My ACL is using the real IP address and real port.

How can I limit access for VENDOR to use only port 5678?

I'm assuming when port 22 is used, the WEB_Svr NAT is used. When I use 5678, the SSH_Svr NAT is used. I thought about appending "tcp 80 80" to the WEB_Svr NAT but this is not permitted with the "dns" qualifier.

object-group network VENDOR
  network-object host 3.3.3.3

object network WEB_Svr
  host 10.10.10.19

object network SSH_Svr
  host 10.10.10.19

access-list outside_access_in extended permit tcp any object WEB_Svr eq www
access-list outside_access_in extended permit tcp object-group VENDOR object SSH_Svr eq ssh

object network WEB_Svr
  nat (inside,outside) static 1.1.1.19 dns

object network SSH_Svr
  nat (inside,outside) static 1.1.1.19 service tcp 22 5678

1 Reply

Aditya Ganjoo
Cisco Employee

Hi,

You can use a packet tracer to confirm which NAT is being used for the Vendor when it tries to access port 22 or 5678.

Regards,

Aditya
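As an added example (not part of this thread), the packet-tracer checks the reply suggests, run from the ASA exec prompt. It assumes the Internet-facing interface is named "outside" and uses an arbitrary vendor source port of 40000; comment lines start with "!".

```cisco
! Simulated vendor connection to the mapped address on the translated SSH port.
! In the NAT phase of the output, expect the SSH_Svr rule
! (1.1.1.19:5678 -> 10.10.10.19:22) to be the one that untranslates it.
packet-tracer input outside tcp 3.3.3.3 40000 1.1.1.19 5678 detailed

! Same vendor host connecting to port 22 on the mapped address directly.
! The NAT phase shows which object NAT rule handles it; if that is the
! WEB_Svr static (1:1, no service clause), the ACL entry
! "object SSH_Svr eq ssh" still matches on the real IP and real port,
! which explains why this connection is also permitted.
packet-tracer input outside tcp 3.3.3.3 40000 1.1.1.19 22 detailed

! Rule order and hit counts for both object NAT rules, to confirm which
! rule each test incremented.
show nat detail
```

Comparing the NAT and ACCESS-LIST phases of the two traces shows exactly where port 22 is being allowed through, which is the information needed before changing the NAT or ACL.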
