09-05-2016 12:57 PM - edited 03-12-2019 01:14 AM
Hi,
I would like to know the best way to do a NAT to the ssh port:
200.X.X.X (OUTSIDE) ----> 172.16.255.254 (DMZ) ----> 192.168.3.10 (INSIDE)
object network 200.X.X.X
host 200.X.X.X
object network 172.16.255.254
host 172.16.255.254
object network 192.168.3.10
host 192.168.3.10
object service 22
service tcp source eq ssh
nat (any,any) source static 172.16.255.254 200.X.X.X destination static 192.168.3.10 192.168.3.10 service 22 22
Is this way correct?
09-05-2016 01:45 PM
At least, it's far too complex. This is how it can work:
object network SERVER
host 192.168.3.10
nat (inside,outside) static 172.16.255.254 service tcp 22 22
!
access-list OUTSIDE-IN permit tcp host 200.x.x.x object SERVER eq 22
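To make the point of this answer (and of the follow-up about the ACL being mandatory from a lower to a higher security level) checkable, here is a small audit script. It is an added example, not code from the thread or from Cisco: it parses only the object-NAT and access-list forms shown above (ASA 8.3+ syntax, where the ACL names the real inside address through the object and the nat line carries the mapped address), and it flags a forward that exposes the whole host instead of one service or an ACL that is open to any source. Both config snippets inside it are constructed for the example; 200.x.x.x is the thread's own placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in ASA 8.3+ syntax: the ACL names the real (inside) address via
# the object, while the nat line carries the mapped address. 200.x.x.x is the
# thread's placeholder for the remote management host.
TIGHT_CONFIG = """\
object network SERVER
 host 192.168.3.10
 nat (inside,outside) static 172.16.255.254 service tcp 22 22
!
access-list OUTSIDE-IN permit tcp host 200.x.x.x object SERVER eq 22
"""

# Constructed loose variant: whole-host static NAT and an ACL open to any source.
LOOSE_CONFIG = """\
object network SERVER
 host 192.168.3.10
 nat (inside,outside) static 172.16.255.254
!
access-list OUTSIDE-IN permit tcp any object SERVER
"""

PORT_NAMES = {"ssh": "22"}  # ASA also accepts names such as 'eq ssh'; normalise to numbers

@dataclass
class PortForward:
    obj: str
    real_ip: Optional[str]
    mapped_ip: str
    proto: str        # 'tcp', 'udp', or 'ip' when no 'service' keyword was given
    real_port: str    # 'any' when the whole host is translated
    mapped_port: str

@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    dst_port: Optional[str]

NAT_RE = re.compile(
    r"nat \((\w+),(\w+)\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?")
ACL_RE = re.compile(
    r"access-list (\S+) (permit|deny) (\w+) (host \S+|any|object \S+) "
    r"(host \S+|any|object \S+)(?: eq (\S+))?")

def norm_port(p: Optional[str]) -> Optional[str]:
    return PORT_NAMES.get(p, p) if p else p

def parse_config(text: str) -> Tuple[List[PortForward], List[AclEntry]]:
    """Collect object-NAT port forwards and ACL entries from an ASA snippet."""
    forwards, acls = [], []
    obj, host = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            obj, host = line.split()[2], None
        elif line.startswith("host ") and obj:
            host = line.split()[1]
        elif line.startswith("nat (") and obj:
            m = NAT_RE.match(line)
            if m:
                _, _, mapped, proto, rport, mport = m.groups()
                forwards.append(PortForward(obj, host, mapped, proto or "ip",
                                            norm_port(rport) or "any",
                                            norm_port(mport) or "any"))
        elif line.startswith("access-list "):
            m = ACL_RE.match(line)
            if m:
                name, action, proto, src, dst, port = m.groups()
                acls.append(AclEntry(name, action, proto, src, dst, norm_port(port)))
    return forwards, acls

def check_forward(fwd: PortForward, acls: List[AclEntry]) -> List[str]:
    """Return findings for one forward; an empty list means it is as tight as the answer above."""
    findings = []
    if fwd.proto == "ip":
        findings.append(f"{fwd.obj}: static NAT without 'service' exposes every port of {fwd.real_ip}")
    permits = [a for a in acls
               if a.action == "permit" and a.dst == f"object {fwd.obj}"
               and a.dst_port in (fwd.real_port, None)]
    if not permits:
        findings.append(f"{fwd.obj}: no permit entry for object {fwd.obj} port {fwd.real_port}; "
                        "outside-to-inside traffic stays denied by default")
    for a in permits:
        if a.src == "any":
            findings.append(f"{a.name}: permits object {fwd.obj} from any source; pin it to the management host")
        if a.dst_port is None:
            findings.append(f"{a.name}: permits every destination port on object {fwd.obj}")
    return findings

def audit(text: str) -> List[str]:
    forwards, acls = parse_config(text)
    return [f for fwd in forwards for f in check_forward(fwd, acls)]

if __name__ == "__main__":
    for label, cfg in (("tight", TIGHT_CONFIG), ("loose", LOOSE_CONFIG)):
        print(label, audit(cfg) or ["ok"])
```

Run it directly to see the tight snippet pass and the loose one produce three findings; feed `audit()` the output of `show running-config object` plus the relevant access-list to check a real box. The script only understands the syntax forms that appear in this thread, so anything it cannot parse is silently ignored rather than reported.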
09-05-2016 02:10 PM
09-05-2016 02:16 PM
Unless you have configured something really strange, you need a matching ACL line because you are communicating from a lower to a higher security level. That is denied by default.
09-07-2016 09:00 PM
It did not work that way:
object network SERVER
host 192.168.3.10
nat (inside,outside) static 172.16.255.254 service tcp 22 22
!
access-list OUTSIDE-IN permit tcp host 200.x.x.x object SERVER eq 22
It worked this way!!!
object network SERVER
host 192.168.3.10
nat (inside,outside) static 200.x.x.x service tcp 22 22
!
access-list OUTSIDE-IN permit tcp host 200.x.x.x object SERVER eq 22