12-03-2011 03:25 PM - edited 03-11-2019 02:58 PM
Hey guys,
So here is my network.
ASA5505--->Cisco1841--->Cat2960
Code
ASA asa831-k8.bin
Cisco 1841 c1841-adventerprisek9-mz.151-4.M2.bin
Cat 2960 c2960-lanbasek9-mz.122-55.SE1.bin
And here is my dilemma.
I can SSH from the internet to my ASA on default port 22, directly to my public IP. I can SSH from the internet to my Cisco 1841 on port 2001. I cannot, however, SSH to my Cat 2960. From what I can tell, on the Cat 2960 I can't change the default port 22 for SSH to a different port, like I did on the Cisco 1841. I looked to see if I can change the default port for SSH on the ASA; it does not look like this is an option.
The bottom line is that I want to be able to SSH to all three devices from the internet. I only have one public IP. As of now, what I can do is only SSH to the ASA on default port 22 directly to the public IP and to the Cisco 1841 on port 2001. It appears that changing the default SSH port on the Cat 2960 is not an option. It also appears that I can't change the default SSH port on the ASA; if I could, I would, and then I should be able to SSH to the Cat 2960 on port 22. No matter what I did on the ASA, it always listens on port 22 for SSH connections.
show asp table socket
TCP 001f549f <<pub IP>>:22 0.0.0.0:* LISTEN
How do I make it listen on a different port?
Here is the relevant SSH config for the Cisco 1841 (port forwarding):
ON ASA
object network ROUTER
host 10.10.1.1
!
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq 2001
!
object network ROUTER
nat (inside,outside) static interface service tcp 2001 2001
!
access-group ALLOW_FROM_OUTSIDE in interface outside
!
ON CISCO 1841
ip ssh port 2001 rotary 1
line vty 0 4
rotary 1
09-06-2012 09:13 AM
Hello Sebastian,
Well time for captures...
capture capout interface outside match tcp host_test host interface_outside eq 2100
capture capin interface inside match tcp host_test host router_ip eq 21
cap asp type asp-drop all circular-buffer
The host_test is the one you use to attempt to connect. After you attempt to connect, provide me the following:
show cap capin
show cap capout
show cap asp | include host_test
Regards
09-06-2012 05:38 PM
Hi,
So yeah, I'm capturing the traffic on the outside interface but I see nothing being captured on the inside interface, which makes sense because the flow is denied on the outside, for some reason. Here are the outputs.
capture capou interface outside match tcp host 65.130.164.80 host <
capture capout type raw-data interface outside [Capturing - 254 bytes]
match tcp host 65.130.164.80 host <
!
capture capin interface inside match tcp host 65.130.164.80 host 10.10.1.1 eq 22
capture capin type raw-data [Capturing - 0 bytes]
match tcp host 65.130.164.80 host 10.10.1.1 eq ssh
!
cap asp type asp-drop all circular-buffer
show cap asp | include 65.130.164.80
1: 17:38:10.267228 802.1Q vlan#2 P0 65.130.164.80.49358 > <
2: 17:38:13.269944 802.1Q vlan#2 P0 65.130.164.80.49358 > <
3: 17:38:19.270585 802.1Q vlan#2 P0 65.130.164.80.49358 > <
162: 18:32:10.564103 802.1Q vlan#2 P0 65.130.164.80.49459 > <
163: 18:32:13.561021 802.1Q vlan#2 P0 65.130.164.80.49459 > <
09-06-2012 09:19 PM
Hello Sebastian,
Loved the last one, flow is denied by configured rule,
Gooood what are we misiiiiiing.....
object service MAPPED_SSH_TO_ROUTER
service tcp source eq 2001
object service REAL_SSH
service tcp source eq ssh
object network ROUTER
host 10.10.1.1
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq ssh
access-group ALLOW_FROM_OUTSIDE in interface outside
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER
Man.. I mean I think it is time to save the configuration and do a reload.
Can you do that and let me know how it goes?
Remember to rate all the answers, for the community that is as important as a thanks
Julio
09-07-2012 10:53 AM
Hey,
Help me review this, but I do have the right config in there. Also, I did do the reload last night, same result, no joy, with the same output for the captures as well.
Fun one, isn't it?
Just to double check, here is the config.
object service MAPPED_SSH_TO_ROUTER
service tcp source eq 2001
!
object service REAL_SSH
service tcp source eq ssh
!
object network ROUTER
host 10.10.1.1
!
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER
!
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq ssh
!
access-group ALLOW_FROM_OUTSIDE in interface outside
09-07-2012 11:11 AM
Hello Sebastian,
That is correct, the router will expect connections on port 21 but the ASA will receive it on its outside interface on port 2001....
Please review your inbox.
Regards,
Julio
09-08-2012 09:09 AM
Not sure what is going on as of right now. I don't think this is a code issue, but I may just give it a shot and upgrade.
09-08-2012 12:05 PM
Check your inbox
09-08-2012 12:11 PM
Not sure what you mean?
09-08-2012 04:19 PM
Private message in here
09-25-2012 09:17 PM
Hi, did you have a chance to check your private message?
Sent from Cisco Technical Support iPhone App
09-28-2012 04:50 PM
Sorry for interrupting this thread, but is this also the procedure to use if you want SSH access from outside to inside / DMZ and use port 2222 or 22222 or something like that?
09-30-2012 04:50 PM
No interruption here :). Thanks for joining the thread. So yeah, it sounds like you are trying to accomplish the same thing as I am.
As of now, my port forwarding does not work. Give it a shot if you like, with a similar config, and see what results you get. I'm pretty sure that the config you find in this thread worked for me some time ago, then I removed it and just recently wanted to implement it again; no joy as of now though! I did not save my previous config, so there is a chance what's in this thread is incorrect. At the same time, my config seems to be pretty accurate if you compare it to the recommended config for port forwarding.
Sent from Cisco Technical Support iPhone App
10-01-2012 08:54 PM
I did resolve my issue; my NAT was causing me grief. I will post the config here in a couple of days.
Sent from Cisco Technical Support iPhone App
10-13-2012 01:46 PM
As I have mentioned before, my NAT config was causing me problems. Here is the config that is now working. I have also added port forwarding for a couple of other devices, as well as passing GRE through the ASA. I hope this will help in future.
object network PAT_ANY
subnet 0.0.0.0 0.0.0.0
!
object network LOCAL_LAN
range 10.10.1.0 10.10.3.255
!
object network SSL_VPN_CLIENTS
subnet 172.16.16.0 255.255.255.0
!
object network ROUTER
host 10.10.1.1
!
object service REAL_SSH
service tcp source eq ssh
!
object service MAPPED_SSH_TO_ROUTER
service tcp source eq 2001
!
object network SWITCH
host 10.10.1.11
!
object service MAPPED_SSH_TO_SWITCH
service tcp source eq 2002
!
object network RDP
host 10.10.2.21
!
object service REAL_RDP
service tcp source eq 3389
!
object service MAPPED_RDP_TO_RDP
service tcp source eq 3389
!
object network ACCESS_POINT_SSH
host 10.10.1.20
!
object service MAPPED_SSH_TO_ACCESS_POINT_SSH
service tcp source eq 2003
!
object network GRE
host 10.10.200.2
!
!
access-list ALLOW_OUTSIDE_IN extended deny ip host 222.76.244.242 any
access-list ALLOW_OUTSIDE_IN extended deny ip host 202.117.3.104 any
access-list ALLOW_OUTSIDE_IN extended permit ip host 66.220.18.42 object IPV6_HOST
access-list ALLOW_OUTSIDE_IN extended permit tcp any object SWITCH eq ssh
access-list ALLOW_OUTSIDE_IN extended permit tcp any object ROUTER eq ssh
access-list ALLOW_OUTSIDE_IN extended permit tcp any object RDP eq 3389 inactive
access-list ALLOW_OUTSIDE_IN extended permit gre any object GRE
!
access-group ALLOW_OUTSIDE_IN in interface outside
!
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER
nat (inside,outside) source static SWITCH interface service REAL_SSH MAPPED_SSH_TO_SWITCH
nat (inside,outside) source static RDP interface service REAL_RDP MAPPED_RDP_TO_RDP inactive
nat (inside,outside) source static HTTPS interface service REAL_HTTPS MAPPED_HTTPS_TO_HTTP
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSL_VPN_CLIENTS SSL_VPN_CLIENTS no-proxy-arp route-lookup
nat (outside,outside) source dynamic SSL_VPN_CLIENTS interface
!
object network PAT_ANY
nat (inside,outside) dynamic interface
object network GRE
nat (inside,outside) static interface
object network IPV6_HOST
nat (inside,outside) static interface
!
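As an added example (not from the thread and not Cisco's own tooling), a small Python check for the post-8.3 gotcha this thread circles around: with twice NAT, the inbound ACL must name the real host and the real port (22), not the mapped port (2001/2002). The sample config is constructed and deliberately contains one ACL mismatch and one NAT rule that references objects that were never defined.

```python
import re
# Constructed sample, not the poster's full config: SWITCH's ACL wrongly names the
# mapped port, and the HTTPS rule references objects that are never defined.
ASA_CONFIG = """object network ROUTER
 host 10.10.1.1
object network SWITCH
 host 10.10.1.11
object service REAL_SSH
 service tcp source eq ssh
object service MAPPED_SSH_TO_ROUTER
 service tcp source eq 2001
object service MAPPED_SSH_TO_SWITCH
 service tcp source eq 2002
access-list ALLOW_OUTSIDE_IN extended permit tcp any object ROUTER eq ssh
access-list ALLOW_OUTSIDE_IN extended permit tcp any object SWITCH eq 2002
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER
nat (inside,outside) source static SWITCH interface service REAL_SSH MAPPED_SSH_TO_SWITCH
nat (inside,outside) source static HTTPS interface service REAL_HTTPS MAPPED_HTTPS
"""
PORT_NAMES = {"ssh": 22, "https": 443}  # names the ASA shows in place of numbers
def port_num(tok): return PORT_NAMES.get(tok) or int(tok)

def parse(cfg):
    # Collect host objects, service-object ports, inbound ACL permits and twice-NAT rules
    hosts, svcs, acl, nats, cur = {}, {}, [], [], None
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        if m := re.match(r"object (network|service) (\S+)$", line):
            cur = m.group(2)
        elif cur and line.startswith("host "):
            hosts[cur] = line.split()[1]
        elif cur and (m := re.match(r"service tcp source eq (\S+)", line)):
            svcs[cur] = port_num(m.group(1))
        elif m := re.match(r"access-list \S+ extended permit tcp any object (\S+) eq (\S+)", line):
            acl.append((m.group(1), port_num(m.group(2))))
        elif m := re.match(r"nat \(inside,outside\) source static (\S+) interface service (\S+) (\S+)$", line):
            nats.append(m.groups())
    return hosts, svcs, acl, nats

def audit(cfg):
    # One finding per NAT rule whose inbound ACL does not permit the real host on the real port
    findings, (hosts, svcs, acl, nats) = [], parse(cfg)
    for obj, real_svc, mapped_svc in nats:
        if obj not in hosts or real_svc not in svcs or mapped_svc not in svcs:
            findings.append(f"{obj}: NAT rule references an undefined object")
        elif (obj, svcs[real_svc]) in acl:
            continue  # ACL names the real (untranslated) port, as 8.3+ requires
        elif (obj, svcs[mapped_svc]) in acl:
            findings.append(f"{obj}: ACL permits mapped port {svcs[mapped_svc]}, must permit real port {svcs[real_svc]}")
        else:
            findings.append(f"{obj}: no inbound ACL entry for real port {svcs[real_svc]}")
    return findings
```

Run `audit()` over a pasted `show running-config` excerpt; an empty list means every twice-NAT port-forward has a matching real-port ACL entry.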