12-11-2014 09:07 AM - edited 03-11-2019 10:12 PM
Hello all,
I have a vendor that needs to FTP files to our Linux server using SFTP, so I decided to change the default port 22 that SSH uses to a higher number for security reasons (too many brute-force attempts). It works internally, but somehow I can't get the ASA working with a custom port. I have the configs for the SFTP server below; is there another way to achieve it? Thanks in advance.
object network mysftpbox
 nat (inside,outside) static publicip
access-list ACL_OUT extended permit tcp any host mysftpboxinternalip eq 2128
12-11-2014 10:02 AM
If your Server is running on tcp/2128, then your config is ok:
object network mysftpbox
 nat (inside,outside) static publicip
access-list ACL_OUT extended permit tcp any object mysftpbox eq 2128
If you only want to forward this one port, then you can specify that in the NAT:
object network mysftpbox
 nat (inside,outside) static publicip service tcp 2128 2128
access-list ACL_OUT extended permit tcp any object mysftpbox eq 2128
If your server is using the default-port tcp/22, but the connection should go externally to tcp/2128, the ASA can translate that as well:
object network mysftpbox
 nat (inside,outside) static publicip service tcp 22 2128
access-list ACL_OUT extended permit tcp any object mysftpbox eq 22
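After applying either of the port-specific NAT variants above, the check a practitioner wants from the outside is twofold: the public IP answers with an SSH identification string on tcp/2128, and nothing answers on tcp/22 (which confirms that only the one port is forwarded, not the whole host). The script below is an added example for this thread, not configuration or code from the original posts or from Cisco; it reads the server's RFC 4253 identification line (the server speaks first, so no authentication attempt is made and no brute-force counters are tripped). `PUBLIC_IP` is a placeholder from the documentation range, and `start_fake_ssh_server` is a constructed stand-in for the real SFTP box so the example runs offline.

```python
import socket
import threading
from typing import Optional, Tuple

# Placeholders (assumptions, not values from the thread): the ASA's public
# address and the mapped port from "service tcp 22 2128".
PUBLIC_IP = "203.0.113.10"
MAPPED_PORT = 2128
DEFAULT_SSH_PORT = 22


def parse_ssh_identification(line: bytes) -> Optional[str]:
    """Extract softwareversion from an RFC 4253 identification line.

    b"SSH-2.0-OpenSSH_7.4\\r\\n" -> "OpenSSH_7.4"; returns None when the
    peer did not greet us as an SSH server (e.g. an HTTP response).
    """
    text = line.rstrip(b"\r\n")
    if not text.startswith(b"SSH-"):
        return None
    parts = text.split(b"-", 2)  # "SSH", protoversion, "softwareversion[ comments]"
    if len(parts) < 3 or not parts[2]:
        return None
    return parts[2].split(b" ", 1)[0].decode("ascii", "replace")


def probe_ssh(host: str, port: int, timeout: float = 3.0) -> dict:
    """TCP-connect to host:port and report whether an SSH server answered.

    reachable: connect succeeded; ssh: an identification line was seen;
    software: the parsed softwareversion or None.
    """
    result = {"host": host, "port": port, "reachable": False, "ssh": False, "software": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["reachable"] = True
            s.settimeout(timeout)
            # RFC 4253 4.2: the server sends its identification string first,
            # so we only read; a 255-byte line is the protocol maximum.
            data = s.recv(255)
    except OSError:  # refused, filtered (timeout) or reset
        return result
    software = parse_ssh_identification(data)
    if software is not None:
        result["ssh"] = True
        result["software"] = software
    return result


def verify_port_forward(host: str, mapped_port: int = MAPPED_PORT,
                        default_port: int = DEFAULT_SSH_PORT,
                        timeout: float = 3.0) -> Tuple[bool, dict, dict]:
    """Expected picture for the one-port NAT: SSH on mapped_port, nothing on default_port."""
    mapped = probe_ssh(host, mapped_port, timeout)
    default = probe_ssh(host, default_port, timeout)
    ok = mapped["ssh"] and not default["reachable"]
    return ok, mapped, default


def start_fake_ssh_server(banner: bytes = b"SSH-2.0-OpenSSH_7.4\r\n") -> Tuple[socket.socket, int]:
    """Constructed stand-in for the SFTP box: sends one identification line per connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def run() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed by the caller
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=run, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_port() -> int:
    """Pick a loopback port that is (almost certainly) not listening."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Offline demo against the constructed server. Against the real ASA:
    #   ok, mapped, default = verify_port_forward(PUBLIC_IP)
    srv, open_port = start_fake_ssh_server()
    ok, mapped, default = verify_port_forward("127.0.0.1", open_port, reserve_closed_port())
    print("forward looks right:", ok)
    print("mapped port:", mapped)
    print("default port:", default)
    srv.close()
```

Run it from a host on the outside of the ASA; if `default["reachable"]` is True with the `service tcp 22 2128` rule in place, some other rule (or the plain `static publicip` variant) is still exposing tcp/22 on the public address.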
12-11-2014 10:58 AM
Thanks for the reply Karsten, I'll give the other 2 configs a try.
carlo
12-11-2014 01:13 PM
Hi Karsten, I tried the other 2 configs; the 2nd one didn't work, and then on the 3rd one I get an error saying "invalid host" when running
access-list ACL_OUT extended permit tcp any object mysftpbox eq 22
Update - my bad, I used the wrong syntax; it should be host instead of object. I may have to go use the default port if this doesn't work; the vendor only needed to upload files, so it's temporary.
12-11-2014 02:33 PM
Karsten, the 3rd config worked, thanks for your help.
04-23-2019 09:52 AM
Thank you very much. Finally, a straight forward example with configuration examples worked for me, thank you!