Cannot Pass Traffic to Internal SSH Server

CUITDirector
Level 1

I've been banging my head against a wall for 2 days trying to get this to work, and I just can't seem to figure it out. I have an ASA-5506 on a very small working network, and I'm trying to add the necessary rules to allow public access to an internal server through the single external IP, on port 22. I've followed a number of guides online including the one at the link below, and no matter what I do, I keep getting "TCP access denied by ACL from Source_IP to MyPublic_IP". I tried to include the relevant lines from my config below. Anyone have any suggestions?


object network Server_Name
 host 10.240.240.83

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Server_Name interface service tcp ssh ssh

access-list outside_access_in extended permit tcp any object Server_Name eq ssh

https://www.petenetlive.com/KB/Article/0000077


4 Replies

Hi,
My first guess would be that you have a Manual NAT rule which is being hit before your rule in Section 2. You probably have a dynamic rule for all outbound traffic. Can you provide the output of "show run nat" to confirm?

What is the output of "show nat"? Does it confirm any hits (untranslated/translated) on your NAT rule?

Run packet-tracer from the CLI, e.g. "packet-tracer input outside tcp 8.8.8.8 2000 <your-public-ip> 22", and provide the output.

HTH

I'm not showing any hits on my NAT rule.  The one that was created for this is a "Network Object" NAT rule which was auto generated by the firewall when I added the NAT settings under the host.  I do have another NAT rule for outgoing traffic that includes the range that this server IP is in, and it is in a higher section.  


The packet-tracer ends with the following:

Result
input-interface: outside
input-status: up
output-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Remove that NAT rule and re-add, but make sure you use the command "after-auto". E.g.

nat (INSIDE,OUTSIDE) after-auto source dynamic any interface

This will move that NAT rule to Section 3 and allow traffic to hit your static NAT rule.

HTH
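As an added illustration (not part of this thread and not Cisco ASA code), here is a small Python model of the three-section NAT lookup the answer relies on: Section 1 manual NAT, Section 2 object NAT (static before dynamic), Section 3 manual NAT entered with "after-auto". The outside interface address 203.0.113.10 and the rule lists are constructed; the model covers only the inbound un-NAT lookup for a new connection and the single ACL line from the question, which is enough to show why the dynamic PAT rule in Section 1 produced the "acl-drop" and why moving it to Section 3 lets the static rule match.

```python
"""Simplified model of ASA NAT section ordering for inbound traffic.

Constructed example: the interface IP and rule objects are assumptions,
and the matching logic is an approximation of ASA behaviour, not its code.
For a new inbound connection the firewall takes the first rule (in section
order) whose mapped address equals the packet's destination. A static rule
un-translates the destination to the real host; a dynamic PAT rule has no
xlate for a new inbound flow, so the destination stays as the interface IP
and an ACL written against the real host then denies the packet.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IF_IP = "203.0.113.10"   # constructed outside interface address
SERVER_REAL = "10.240.240.83"    # real host from the thread's object network


@dataclass
class NatRule:
    section: int            # 1 = manual, 2 = object (auto), 3 = manual after-auto
    kind: str               # "static" or "dynamic"
    real: str               # real address, or "any"
    mapped: str             # mapped address; "interface" = outside interface IP
    port: Optional[int] = None   # service port for a static port forward

    def mapped_ip(self) -> str:
        return OUTSIDE_IF_IP if self.mapped == "interface" else self.mapped


def ordered(rules: List[NatRule]) -> List[NatRule]:
    # Sections are walked 1, 2, 3. Inside Section 2 static rules come before
    # dynamic ones; Sections 1 and 3 keep their configured order (stable sort).
    def key(r: NatRule) -> Tuple[int, int]:
        return (r.section, 0 if r.section == 2 and r.kind == "static" else 1)
    return sorted(rules, key=key)


def inbound_untranslate(rules: List[NatRule], dst_ip: str, dst_port: int):
    """Return (destination after un-NAT, rule that was hit) for a new inbound flow."""
    for rule in ordered(rules):
        if rule.mapped_ip() != dst_ip:
            continue
        if rule.kind == "static":
            if rule.port is None or rule.port == dst_port:
                return rule.real, rule      # static: un-translate to the real host
            continue                        # port mismatch: keep looking
        return dst_ip, rule                 # dynamic PAT: no xlate, destination unchanged
    return dst_ip, None


def acl_permits(dst_ip: str, dst_port: int) -> bool:
    # access-list outside_access_in extended permit tcp any object Server_Name eq ssh
    return dst_ip == SERVER_REAL and dst_port == 22


def evaluate(rules: List[NatRule], dst_port: int = 22) -> dict:
    """Run the inbound lookup and the ACL check for a packet to the interface IP."""
    real_dst, hit = inbound_untranslate(rules, OUTSIDE_IF_IP, dst_port)
    return {
        "hit_section": hit.section if hit else None,
        "real_dst": real_dst,
        "permitted": acl_permits(real_dst, dst_port),
    }


# Constructed rule sets mirroring the thread: the object NAT port forward, plus the
# outbound dynamic PAT rule first in Section 1 (broken) and then in Section 3 (fixed).
STATIC_SSH = NatRule(section=2, kind="static", real=SERVER_REAL, mapped="interface", port=22)
BROKEN = [NatRule(section=1, kind="dynamic", real="any", mapped="interface"), STATIC_SSH]
FIXED = [NatRule(section=3, kind="dynamic", real="any", mapped="interface"), STATIC_SSH]

if __name__ == "__main__":
    print("section 1 dynamic rule:", evaluate(BROKEN))
    print("after-auto (section 3):", evaluate(FIXED))
    print("after-auto, port 23:   ", evaluate(FIXED, dst_port=23))
```

The first run reports the Section 1 rule as the hit with the destination still 203.0.113.10 and the ACL denying it, which is the "acl-drop" the packet-tracer showed; the second reports the Section 2 static rule as the hit with the destination 10.240.240.83 and the ACL permitting it. The port 23 case shows that the port forward is specific to SSH: other ports fall through to the dynamic rule and are still denied. On a real ASA the equivalent check is "show nat" (per-rule translate/untranslate counters) and "packet-tracer", as suggested earlier in the thread.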

That did it.  Thanks for the help!
