ASA5505 Port Forward/Translation

mtehonica
Level 5

I'm trying to configure static PAT for a Linux SSH server on my network.  The tricky part is that I'm trying to map port 21 from the outside to port 22 on the inside (because port 22 is blocked on my work network).

I've tried the following but it doesn't seem to be working.  I'm running ASA software version 9.1(4)

object network LinuxAdmin
   host 192.168.1.108
object service tcp21
   service tcp source eq ftp
object service tcp22
   service tcp source eq ssh
nat (inside,outside) source static LinuxAdmin interface service tcp21 tcp22

access-list outside_in extended permit tcp any object LinuxAdmin eq ftp
access-group outside_in in interface outside

I thought this should work but it's not.... when I do a show access-list, I don't see any hits against that rule.  Any help or suggestions would be appreciated.

Thanks,

Matt

2 Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

To my understanding, in the "service" section of the command the REAL service comes first and then the MAPPED service. So you could try switching "tcp21" and "tcp22" the other way around.

Naturally you will also have to change the "access-list" to allow port TCP/22 rather than TCP/21.

I am not sure, but the traffic might also match the FTP inspection, so you might want to come up with another MAPPED port for this connection, like TCP/222.

Hope this helps

- Jouni


I think your NAT statement is a little off. Try the following:

object network obj-192.168.1.108
   host 192.168.1.108
   nat (inside,outside) static interface service tcp 22 21

access-list outside_in extended permit tcp any object LinuxAdmin eq 22
access-group outside_in in interface outside

--
Please remember to rate and select a correct answer

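As an added example (not part of this thread and not Cisco tooling), a small Python helper that renders the object NAT form from the accepted answer and lints such a snippet for the two mistakes discussed above: an ACL written against the mapped port instead of the real one, and a mapped port (FTP/21) that the default inspection policy already claims. The inspected-port set, the port keyword table and the interface/ACL names are assumptions.

```python
import re

# Assumption (not from the thread): subset of TCP ports the ASA default
# global_policy inspects; confirm with "show running-config policy-map".
DEFAULT_INSPECTED_TCP = {21: "ftp", 25: "esmtp", 554: "rtsp", 5060: "sip"}
# Port keywords the ASA CLI accepts in place of numbers (subset).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}

def port_number(token):
    """Resolve an ASA port keyword or numeric string to an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token]

def static_pat(real_host, real_port, mapped_port,
               inside="inside", outside="outside", acl="outside_in"):
    """Render object NAT static PAT as in the accepted answer: real port first,
    mapped port second; the inbound ACL (8.3+) names the real port."""
    obj = f"obj-{real_host}"
    return [
        f"object network {obj}",
        f" host {real_host}",
        f" nat ({inside},{outside}) static interface service tcp {real_port} {mapped_port}",
        f"access-list {acl} extended permit tcp any object {obj} eq {real_port}",
        f"access-group {acl} in interface {outside}",
    ]

def lint(lines):
    """Flag the two problems the thread discusses in an object NAT snippet:
    an ACL written against the mapped port, and a mapped port that the
    default inspection policy already claims (FTP/21)."""
    issues, real, mapped = [], None, None
    for line in lines:
        m = re.search(r"\bservice tcp (\S+) (\S+)$", line.strip())
        if m:
            real, mapped = (port_number(t) for t in m.groups())
    if real is None:
        return ["no 'nat ... service tcp <real> <mapped>' line found"]
    if mapped in DEFAULT_INSPECTED_TCP:
        issues.append(f"mapped port {mapped} is inspected by default "
                      f"({DEFAULT_INSPECTED_TCP[mapped]}); use another mapped port")
    for line in lines:
        m = re.search(r"^access-list \S+ extended permit tcp .+ eq (\S+)$", line.strip())
        if m and port_number(m.group(1)) != real:
            issues.append(f"ACL permits port {port_number(m.group(1))} but the real "
                          f"port is {real}; post-8.3 ACLs match the real port")
    return issues

if __name__ == "__main__":
    cfg = static_pat("192.168.1.108", 22, 222)  # SSH exposed as TCP/222
    print("\n".join(cfg), "\nissues:", lint(cfg) or "none")
```

The linter only understands the object NAT form shown in the second answer, not the twice NAT form with service objects from the original question.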


3 Replies


mtehonica
Level 5

Thanks guys, that fixed it! Didn't realize it was then.
