cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
562
Views
0
Helpful
4
Replies

enable an external acces to server on DMZ

Junior Mateus
Level 1
Level 1

Hi everybody,

i' m a new on administration of ASA, i'' ve one appliance ASA 5510, v8.X and asdm 6X

here u have my configuration :

interface Ethernet0/0
description Link To WAN
nameif outside
security-level 0
ip address 212.96.23.186 255.255.255.252
!
interface Ethernet0/1
description Link to LAN(forefront)
nameif inside
security-level 100
ip address 10.20.80.1 255.255.255.252
!
interface Ethernet0/2
description Link to CoreSW (DMZ)
nameif DMZ
security-level 50
ip address 10.70.70.254 255.255.255.0

i have on server ssh (10.70.70.10) on my DMZ .

I wan to enable my external user, i mean outside user to be able to acces to this server wich is in my DMZ for this port ( ssh)

I need  some propositions Script wich can permit me to do this

Thank u in advance

1 Accepted Solution

Accepted Solutions

You don't need to change the server port. It should be like this:

static (DMZ, outside) tcp 212.96.23.x 2022 10.70.70.10 22 netmask 255.255.255.255

What you are saying here is:

Take the tcp connections to ip 212.96.23.x port 2022 and translate them to ip 10.70.70.10 port 22.

Then, the external user should try to ssh obviously to the non-standard port 2022 from the public network.

Regards,

Ian

View solution in original post

4 Replies 4

IAN WHITMORE
Level 4
Level 4

Well the simplest form is to use a static nat and then allow ssh in your ACL. Normally you would "publish" your server on the internet. First you need to reserve and assign a public IP address in your range (if you have one free).

For exmaple:

static (DMZ, outside) 212.96.23.x 10.70.70.10 netmask 255.255.255.255

Then allow ssh in your outside access-list (depending on the name of your access-list):

access-list outside permit tcp any host 10.70.70.10 eq ssh

Of course if your "public" user has a fixed IP address then it would be better to change "any" for his address to be more secure.

If you don't have any spare public IP addresses you can always use port redirection instead.

HTH,

Ian

thank you IAN  for

you answer is true.. suppose that i have just one public Ip wich is in my outside interface

how can i use the PAR ( Port address Redirection) for ssh, because the ASA also use ssh .

I test the script you give me it working but .. is the ASA which respond me on SSH

i change the server port of ssh on 1080 for don't have this conflict port.

i think you second idea it's better for port redirection , how can i used it if my server is 1080 for example

You don't need to change the server port. It should be like this:

static (DMZ, outside) tcp 212.96.23.x 2022 10.70.70.10 22 netmask 255.255.255.255

What you are saying here is:

Take the tcp connections to ip 212.96.23.x port 2022 and translate them to ip 10.70.70.10 port 22.

Then, the external user should try to ssh obviously to the non-standard port 2022 from the public network.

Regards,

Ian

thank u IAN ..i' ll do it like this

Review Cisco Networking for a $25 gift card