12-03-2011 03:25 PM - edited 03-11-2019 02:58 PM
Hey guys,
So here is my network.
ASA5505--->Cisco1841--->Cat2960
Code
ASA asa831-k8.bin
Cisco 1841 c1841-adventerprisek9-mz.151-4.M2.bin
Cat 2960 c2960-lanbasek9-mz.122-55.SE1.bin
And here is my dilemma.
I can SSH from the internet to my ASA on default port 22, directly to my public IP. I can SSH from the internet to my Cisco 1841 on port 2001. I can not, however, SSH to my Cat 2960. From what I can tell, on the Cat 2960 I can't change the default port 22 for SSH to a different port, like I did on the Cisco 1841. I looked to see if I can change the default port for SSH on the ASA; it does not look like this is an option.
The bottom line is that I want to be able to SSH to all three devices from the internet. I only have one public IP. As of now, what I can do is only SSH to the ASA on default port 22 directly to the public IP and to the Cisco 1841 on port 2001. It appears that changing the default SSH port on the Cat 2960 is not an option. It also appears that I can't change the default SSH port on the ASA; if I could, I would, and then I should be able to SSH to the Cat 2960 on port 22. No matter what I did on the ASA, it always listens on port 22 for SSH connections.
show asp table socket
TCP 001f549f <<pub IP>>:22 0.0.0.0:* LISTEN
How do I make it listen on a different port?
Here is the relevant SSH config for the Cisco 1841 (port forwarding):
ON ASA
object network ROUTER
host 10.10.1.1
!
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq 2001
!
object network ROUTER
nat (inside,outside) static interface service tcp 2001 2001
!
access-group ALLOW_FROM_OUTSIDE in interface outside
!
ON CISCO 1841
ip ssh port 2001 rotary 1
line vty 0 4
rotary 1
12-03-2011 05:30 PM
Hello Sebastian,
Let's say the switch IP address you are going to SSH to is 192.168.1.2.
So the configuration should be like this.
object network Switch
host 192.168.1.2
object service Real_ssh
service tcp source eq 22
object service Mapped_ssh
service tcp source eq 2222
access-list ALLOW_FROM_OUTSIDE permit tcp any host 192.168.1.2 eq 2222
nat (inside,outside) source static Switch interface service Real_ssh Mapped_ssh
This is what you are looking to do right?
Have a good one.
Please rate helpful posts
Julio
12-03-2011 07:05 PM
Hey there, and thanks for your suggestions.
Here is what I currently have configured, and I'm able to access my Cat 2960 from the Internet via SSH:
object network SWITCH
host 10.10.1.11
!
object service REAL_SSH
service tcp source eq ssh
!
object service MAPPED_SSH_TO_SWITCH
service tcp source eq 2002
!
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object SWITCH eq ssh
!
nat (inside,outside) source static SWITCH interface service REAL_SSH MAPPED_SSH_TO_SWITCH
As you can see, a couple of things are different compared to your post, mainly the access list: "eq ssh" and not "eq 2002".
My understanding is that I needed to come into the ASA on port 22 and then be forwarded to port 2002. When my access list was configured with "eq 2002" I saw the following error message:
Dec 03 2011 19:33:35: %ASA-4-106023: Deny tcp src outside:174.52.54.128/60556 dst inside:10.10.1.11/22 by access-group "ALLOW_FROM_OUTSIDE" [0x0, 0x0]
and of course, I was trying to SSH to <
When I changed the ACL to "eq ssh" it all started working.
Thanks for your suggestions. It took me half a day to figure it out, but it is now done and working!!! Awesome.
12-03-2011 07:50 PM
Hello Sebastian,
It is great to hear that everything is working fine now =)
Wow, I did not pay enough attention to that ACL when I wrote it down. Of course it has to point to the real destination port, because since 8.3 the access-list entries are checked after the NAT statements.
Hope this helps, and again sorry for the mistake lol.
Have a good one
Julio!!
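The ordering Julio describes (on ASA 8.3 and later the interface ACL is evaluated against the real, untranslated destination, so the ACE must name the real port, not the mapped one) is easy to lose track of, so here is a small Python model of the inbound path. It is an added example written for this page, not Cisco code and not anything posted in the thread. It replays the two ACLs from the posts above against the SWITCH port-forward and, going one step beyond this post, also shows what the ASA does when no static rule untranslates a packet addressed to the outside interface: it handles the packet as traffic to itself (what packet-tracer later in the thread reports as output-interface "NP Identity Ifc" and the log reports as "TCP request discarded"). The public IP, hosts and port numbers are taken from the thread; the dataclass names, the ASA_SERVICES set and the verdict strings are my own, and the model ignores every other phase of the real ASA pipeline (inspection, routing, connection limits).

```python
"""Toy model of the ASA 8.3+ inbound path for a static port-forward (added example)."""
from dataclasses import dataclass

OUTSIDE_IP = "50.73.41.25"      # public IP as it appears in the thread's syslog line
ASA_SERVICES = {("tcp", 22)}    # 'ssh 0.0.0.0 0.0.0.0 outside' in the posted config (assumed set)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticPortNat:
    # nat (inside,outside) source static REAL interface service REAL_SVC MAPPED_SVC
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class Ace:
    # access-list X extended permit tcp any object HOST eq PORT  (real IP and real port on 8.3+)
    action: str
    proto: str
    dst_ip: str
    dst_port: int


def untranslate(pkt, nat_rules):
    """UN-NAT phase: match the packet against the mapped side of each static rule."""
    for rule in nat_rules:
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) == ("tcp", rule.mapped_ip, rule.mapped_port):
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, rule.real_ip, rule.real_port)
    return None


def acl_check(real_pkt, acl):
    """The interface ACL is evaluated on the untranslated (real) destination."""
    for ace in acl:
        if (ace.proto, ace.dst_ip, ace.dst_port) == (real_pkt.proto, real_pkt.dst_ip, real_pkt.dst_port):
            return ace.action
    return "deny"   # implicit deny at the end of every ASA access-list


def process_inbound(pkt, nat_rules, acl):
    """Return (verdict, detail) for a packet that arrived on the outside interface."""
    real = untranslate(pkt, nat_rules)
    if real is None:
        if pkt.dst_ip == OUTSIDE_IP:
            # Nothing untranslated it, so the ASA treats it as addressed to itself
            # (packet-tracer shows output-interface 'NP Identity Ifc').
            if (pkt.proto, pkt.dst_port) in ASA_SERVICES:
                return "to-the-box", f"handled by the ASA's own service on port {pkt.dst_port}"
            return "to-the-box-drop", (f"TCP request discarded from {pkt.src_ip}/{pkt.src_port} "
                                       f"to outside:{pkt.dst_ip}/{pkt.dst_port}")
        return "drop", "no NAT or route for destination"
    if acl_check(real, acl) == "permit":
        return "permit", f"forwarded to inside:{real.dst_ip}/{real.dst_port}"
    return "acl-drop", (f'%ASA-4-106023: Deny tcp src outside:{pkt.src_ip}/{pkt.src_port} '
                        f'dst inside:{real.dst_ip}/{real.dst_port} by access-group "ALLOW_FROM_OUTSIDE"')


# Objects from the thread: SWITCH 10.10.1.11 behind mapped port 2002, ROUTER 10.10.1.1 behind 2001.
SWITCH_NAT = StaticPortNat("10.10.1.11", 22, OUTSIDE_IP, 2002)
ROUTER_NAT = StaticPortNat("10.10.1.1", 22, OUTSIDE_IP, 2001)
ACL_MAPPED_PORT = [Ace("permit", "tcp", "10.10.1.11", 2002)]   # 'eq 2002': the ACE that never matched
ACL_REAL_PORT = [Ace("permit", "tcp", "10.10.1.11", 22),        # 'eq ssh': what worked
                 Ace("permit", "tcp", "10.10.1.1", 22)]


def demo_acl_on_mapped_port():
    """Client connects to public:2002; ACE names the mapped port, so the flow is denied."""
    pkt = Packet("tcp", "174.52.54.128", 60556, OUTSIDE_IP, 2002)
    return process_inbound(pkt, [SWITCH_NAT], ACL_MAPPED_PORT)


def demo_acl_on_real_port():
    """Same client, ACE names the real port 22: permitted and forwarded."""
    pkt = Packet("tcp", "174.52.54.128", 60556, OUTSIDE_IP, 2002)
    return process_inbound(pkt, [SWITCH_NAT], ACL_REAL_PORT)


def demo_router_forward(nat_rules):
    """Port 2001 with and without a static rule that untranslates it."""
    pkt = Packet("tcp", "174.232.132.244", 4653, OUTSIDE_IP, 2001)
    return process_inbound(pkt, nat_rules, ACL_REAL_PORT)


if __name__ == "__main__":
    print(demo_acl_on_mapped_port())
    print(demo_acl_on_real_port())
    print(demo_router_forward([SWITCH_NAT, ROUTER_NAT]))
    print(demo_router_forward([SWITCH_NAT]))
```

Running the file prints four verdicts. The one worth staring at is the first: the 106023 line carries dst inside:10.10.1.11/22 even though the client connected to port 2002, which is exactly why "eq 2002" never hits. The last call shows that a packet to port 2001 with no static rule to untranslate it is not dropped by the forwarding ACL at all; it never leaves the to-the-box path. The ASA_SERVICES set mirrors the posted `ssh 0.0.0.0 0.0.0.0 outside`, which admits SSH to the ASA from any source address; in production that line should be narrowed to the management networks you actually use.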
09-04-2012 09:12 PM
Hello,
I was wondering if you can assist me with this issue again. So here is what happened: the issue described above was resolved a long time ago, but then the config also changed. I have not saved the config and I'm unable to restore the SSH access to the Cisco 1841. Here is the setup.
ASA5505--->Cisco1841--->Cat2960
Code
ASA asa831-k8.bin
Cisco 1841 c1841-adventerprisek9-mz.151-4.M2.bin
Cat 2960 c2960-lanbasek9-mz.122-55.SE1.bin
Let's start with the SSH issue to the router from the outside world. Here is my current config on the ASA for port forwarding so the router can be accessed via SSH.
Relevant config on the router:
ip ssh port 2001 rotary 1
line vty 0 4
rotary 1
Relevant config on the ASA:
object network ROUTER
host 10.10.1.1
!
object service REAL_SSH
service tcp source eq ssh
!
object service MAPPED_SSH_TO_ROUTER
service tcp source eq 2001
!
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq ssh
!
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER
!
Here is my understanding of what should happen with the above config: as I SSH to the outside (public) IP on port 2001, the NAT is checked, then the ACL, and then the routing decision is made. When the above config is applied and I attempt to test my SSH access to the Cisco 1841, I see no hits on the NAT rule or the ACL; the log, however, has the following message:
"TCP request discarded from 174.232.132.244/4653 to outside:50.73.41.25/2001"
Any thoughts?
Thanks in advance.
09-04-2012 09:36 PM
Hello Sebastian,
Very good you understood the configuration from last time.
Can you do the following:
packet-tracer input outside tcp 8.8.8.8 1025 outside_ip 2001
Remember to rate all the helpful posts
09-05-2012 06:36 AM
Hi, and thanks for the quick response. Sorry, I meant to include the output of the packet tracer with my original post, I just forgot to do it.
Here it is:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in <
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
As you can see, the flow is being dropped by the ACL. I'm not sure why.
Here is a bit more config for the additional NAT that I have on this ASA:
nat (outside,outside) source dynamic SSL_VPN_CLIENTS interface
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSL_VPN_CLIENTS SSL_VPN_CLIENTS
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER
nat (inside,outside) dynamic interface
The VPN NAT works.
The above-mentioned ACL, ALLOW_FROM_OUTSIDE, in addition to this line
access-list ALLOW_FROM_OUTSIDE line 3 extended permit tcp any object ROUTER eq ssh
only allows ICMP; nothing else is allowed.
Thanks
09-05-2012 09:34 AM
Hello Sebastian,
Make sure you can ping the router IP over the inside interface in order to check the routing.
A show route will help us.
Regards,
09-05-2012 09:42 AM
Hello,
So yes, all of that looks good as well. Sorry for not posting it before.
show route inside
Gateway of last resort is x.x.x.x to network 0.0.0.0
O E2 10.10.1.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside
O E2 10.10.2.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside
O E2 10.10.3.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside
O E2 10.0.0.1 255.255.255.255 [110/20] via 10.10.200.2, 1193:02:47, inside
C 10.10.200.0 255.255.255.252 is directly connected, inside
!
ping 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
09-05-2012 12:15 PM
Hello,
Can you post the entire configuration, please?
09-05-2012 05:20 PM
Hi,
Please see below.
fw-home01# show run
: Saved
:
ASA Version 8.3(1)
!
hostname fw-home01
domain-name sebastian.com
enable xxxxxxx
passwd xxxxxxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.200.1 255.255.255.252
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone MTS -7
clock summer-time MST recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
domain-name sebastian.com
same-security-traffic permit intra-interface
object network PAT_ANY
subnet 0.0.0.0 0.0.0.0
object network LOCAL_LAN
subnet 10.10.0.0 255.255.0.0
object network SSL_VPN_CLIENTS
subnet 172.16.16.0 255.255.255.0
object network ROUTER
host 10.10.1.1
object service MAPPED_SSH_TO_ROUTER
service tcp source eq 2001
object service REAL_SSH
service tcp source eq ssh
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq ssh
access-list NO_NAT_VPN extended permit ip 10.10.0.0 255.255.0.0 172.16.16.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 8092
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSL_VPN_CLIENTS 172.16.16.10-172.16.16.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (outside,outside) source dynamic SSL_VPN_CLIENTS interface
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSL_VPN_CLIENTS SSL_VPN_CLIENTS
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER
!
object network PAT_ANY
nat (inside,outside) dynamic interface
access-group ALLOW_FROM_OUTSIDE in interface outside
!
router ospf 1
network 10.10.200.0 255.255.255.252 area 0
log-adj-changes
default-information originate
!
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal
no vpn-addr-assign dhcp
telnet 10.10.2.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 204.123.2.5
ntp server 204.34.198.40
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.5.6005-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSL_CLIENT_POLICY internal
group-policy SSL_CLIENT_POLICY attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol svc
address-pools value SSL_VPN_CLIENTS
username xxxxxxx
username xxxxxxx
tunnel-group SSL_CLIENT_PROFILE type remote-access
tunnel-group SSL_CLIENT_PROFILE general-attributes
default-group-policy SSL_CLIENT_POLICY
tunnel-group SSL_CLIENT_PROFILE webvpn-attributes
group-alias HOME_VPN enable
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect http
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f8d03501537180042df91135e87d3b40
09-05-2012 05:47 PM
Hello Sebastian,
What I thought! A routing issue.
object network ROUTER
host 10.10.1.1
And your ASA interface is on the subnet
ip address 10.10.200.1 255.255.255.252
The ASA does not know how to get to the 10.10.1.0 subnet
Remember to rate all the helpful posts.
09-05-2012 06:53 PM
Hi there,
So routing should not be a problem; check out the output below. The ASA knows of the destination 10.10.1.1 via OSPF from the Cisco 1841; it is the 10.10.1.0/24 route. As you can see below, it can also ping the destination from its directly connected interface, 10.10.200.1.
show route inside
Gateway of last resort is x.x.x.x to network 0.0.0.0
O E2 10.10.1.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside
O E2 10.10.2.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside
O E2 10.10.3.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside
O E2 10.0.0.1 255.255.255.255 [110/20] via 10.10.200.2, 1193:02:47, inside
C 10.10.200.0 255.255.255.252 is directly connected, inside
!
ping 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
09-05-2012 11:41 PM
Hello Sebastian,
Thanks for the output, I see what you mean...
Are you sure this is the packet tracer you are running?
packet-tracer input outside tcp 8.8.8.8 1025 outside_ip 2001
I don't see anything wrong with the configuration.
Regards
09-06-2012 05:32 AM
Hi,
I don't see anything wrong with the config either, and yes, the packet tracer is what I'm running.