07-23-2014 09:05 PM - edited 03-11-2019 09:31 PM
07-23-2014 11:27 PM
Hi,
The NAT configuration seems odd to me. Are you just trying to configure a Static NAT for a server and allow SSH connections to that server?
If so then the above configuration seems unideal for the situation. You don't really need to configure a Manual NAT / Twice NAT to achieve that. You can easily do it with a simple Auto NAT / Network Object NAT configuration.
Here is an example:
object network SERVER
host <internal server ip>
nat (dmz,outside) static <public server ip>
And you use the above "object" in the ACL as the destination when you allow traffic.
Notice that both the "host" statement and the "nat" statement are configured under the "object".
Also the error message that you are getting is strange. Almost seems to suggest that this public IP address is in use in some PAT configuration? Do you use it as a Dynamic PAT IP address for the users?
If you instead want to configure a Static PAT (Port Forward) you can modify the above NAT configuration a bit to achieve that too. The question is, though, are you using a separate public IP address (if you have multiple) or are you using the one configured on your ASA's external interface?
Separate public IP address with Static PAT:
object network SERVER-SSH
host <internal server ip>
nat (dmz,outside) static <public server ip> service tcp 22 22
ASA interface public IP address with Static PAT:
object network SERVER-SSH
host <internal server ip>
nat (dmz,outside) static interface service tcp 22 22
With the interface option I would urge you to check your current setup before configuring it. If you manage the ASA with SSH from the Internet then you naturally can't use the ASA interface IP address and the port TCP/22. You could avoid that by using a port like TCP/222 as the mapped port:
object network SERVER-SSH
host <internal server ip>
nat (dmz,outside) static interface service tcp 22 222
Hope this helps :)
- Jouni
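The interface/port collision described in the reply above can be checked before the Static PAT is applied. The script below is an added example, not part of the original thread: it scans a saved configuration for `static interface service tcp` object NATs whose mapped port is 22 on an interface where `ssh <network> <mask> <interface>` management is enabled. The sample config, its addresses and the function name `find_ssh_collisions` are constructed, and it assumes IPv4 `ssh` lines and management SSH on TCP/22.

```python
import re

# Constructed sample config; addresses are documentation-range placeholders.
SAMPLE = """\
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.0.0.0 inside
object network SERVER-SSH
 host 192.0.2.10
 nat (dmz,outside) static interface service tcp 22 22
object network SERVER-SSH-ALT
 host 192.0.2.10
 nat (dmz,outside) static interface service tcp ssh 222
object network SERVER
 host 192.0.2.11
 nat (dmz,outside) static 198.51.100.44
"""

# "ssh <ipv4> <mask> <interface>" enables SSH management on an interface.
SSH_RE = re.compile(r"^ssh\s+\d[\d.]*\s+\d[\d.]*\s+(\S+)\s*$")
# Object NAT port forward that uses the mapped interface's own address.
NAT_RE = re.compile(
    r"^\s*nat\s+\(([^,\s]+),([^)\s]+)\)\s+static\s+interface"
    r"\s+service\s+(tcp|udp)\s+(\S+)\s+(\S+)\s*$")
# The running config may show well-known ports by name.
PORT_NAMES = {"ssh": "22"}

def find_ssh_collisions(config):
    """Return names of objects whose static PAT maps TCP/22 on an
    interface where SSH management of the ASA is also enabled."""
    mgmt_ifcs, forwards, current = set(), [], None
    for line in config.splitlines():
        if m := SSH_RE.match(line):
            mgmt_ifcs.add(m.group(1))
        elif line.startswith("object network "):
            current = line.split()[2]
        elif m := NAT_RE.match(line):
            _real_ifc, mapped_ifc, proto, _real, mapped = m.groups()
            forwards.append((current, mapped_ifc, proto,
                             PORT_NAMES.get(mapped, mapped)))
    return [obj for obj, ifc, proto, port in forwards
            if proto == "tcp" and port == "22" and ifc in mgmt_ifcs]

if __name__ == "__main__":
    for name in find_ssh_collisions(SAMPLE):
        print(f"{name}: mapped TCP/22 collides with SSH management")
```

Only `SERVER-SSH` is flagged in the sample; the variant mapped to TCP/222 and the plain Static NAT are not.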
07-24-2014 12:16 AM
Hi,
You can modify your NAT like this and test, it should work.
object network ssh_server
host 10.3.202.44
nat (dmz,outside) static 198.73.32.44
Regards
Karthik