Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1015
Views
0
Helpful
1
Replies

Cisco ASA 5516( Ver 9.8). Outside to Inside traffic allow.

MdAbuSufianKhan1455
Level 1
Level 1

‎05-16-2021 11:17 AM

1. I have one 4431 ISR Router, One ASA 5516, one Ca- Switch.

Which must be done:

*Need to Access my 3 host server via SSH from internet with my Public IP.

*Need to Access my web server from internet with my Public IP via 80 and 443.

I done Static nat on my router, when using public ip.

but not working...

see my config.

 

Router ISR

=gig1/1 Connected to ISP via Public IP: 180.140.10.226 (fake)

=gig1/2 Connected to ASA 5516(IP: 172.16.10.1/30)

 

2. ASA 5516

interface GigabitEthernet1/1
description # Connected with Host Gateway #
nameif inside
security-level 100
ip address 192.168.25.254 255.255.255.0
!
interface GigabitEthernet1/2
description # Connected with Core-Router #
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.252

 

Router Config:


version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Project-Router
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$9N6f$.yWCioZwuaRPWQfrJ31X/
!
aaa new-model
!
!
aaa session-id common
!
ip name-server 130.11.119.30 8.8.8.8
!

!
!
!
!
!
subscriber templating
!
!

multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4331/K9 sn FDO23490EPL
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username admin privilege 15 secret 5 $1sodTi$5gdDFZcoLVI132,6Eb2yR/
!
redundancy
mode none
!
!
!
!
!
interface GigabitEthernet0/0/0
description # Connected with ISP #
ip address 184.251.121.226 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description # Connected with Firewall #
ip address 10.10.10.1 255.255.255.252
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto


!
ip nat inside source static tcp 192.168.25.102 22 184.251.121.226 9222 extendable
ip nat inside source static tcp 192.168.25.100 22 184.251.121.226 9223 extendable
ip nat inside source static tcp 192.168.25.104 22 184.251.121.226 9224 extendable
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 180.211.161.225
ip route 192.168.25.0 255.255.255.0 10.10.10.2
!
ip ssh version 2
!
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 062S5E324F1E294V5744
transport input telnet ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

 

ASA 5516

 

FW-01# sh running-config
: Saved

:
: Serial Number: 
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)
!
hostname FW-01
enable password $sha512$5000$XMezq0T1U7T06db3N28UBg==$B2ewuA1ZQZt9VPSH3vEgJg== pbkdf2
names

!
interface GigabitEthernet1/1
description # Connected with Host Gateway #
nameif inside
security-level 100
ip address 192.168.25.254 255.255.255.0
!
interface GigabitEthernet1/2
description # Connected with Core-Router #
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.252
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password $sha512$5000$cdlmJt2BVxr3zhSoWZyXXw==$oXamlfHGRI96pR1XIMVquA== pbkdf2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:ebc4592e51f2f49ba1eb42d164898018
: end
FW-01#

0 Helpful
1 Reply 1

Rob Ingram
VIP
VIP

‎05-16-2021 12:06 PM

Hi @MdAbuSufianKhan1455 

I don't see an access-list on the ASA, so therefore traffic from outside to inside would be dropped, you need something like this:-

 

access-list OUTSIDE_IN permit tcp any host 192.168.25.100 eq 22
access-list OUTSIDE_IN permit tcp any host 192.168.25.102 eq 22
access-list OUTSIDE_IN permit tcp any host 192.168.25.104 eq 22
access-group OUTSIDE_IN in interface outside
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card