NAT takes me to the wrong place...

solefald
Level 1

Hello, 

We have a 5555-X with multiple interfaces. Our outside interface and DMZ interface have routable IP addresses, and the DMZ subnet is routed via the IP address of the outside interface.

Stripped for readability.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 123.123.6.243 255.255.255.248

interface GigabitEthernet0/1
nameif inside
security-level 50
ip address 192.168.50.4 255.255.255.0


interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 123.123.27.129 255.255.255.224

object-group network newprod-hosts
network-object host 123.123.27.134

route inside 192.168.60.0 255.255.255.0 192.168.50.1 1

I am trying to PAT 123.123.27.134 port 22 to 192.168.60.20 port 22.

object network inside-ssh-host
host 192.168.60.20

nat (inside,dmz) static 123.123.27.134 service tcp ssh ssh

access-list OUTSIDE extended permit tcp any host 123.123.27.134 eq ssh

However, when I do that and try to telnet to port 22 on 123.123.27.134, I end up on a server that does not even belong to us, with an SSH version that I do not expect. Funny thing is, if I remove the ACL listed above, I can no longer access that port, so it is obvious that our ASA is doing something strange...

% telnet 123.123.27.134 22
Trying 123.123.27.134...
Connected to www.<DOMAIN THAT DOES NOT BELONG TO US>.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3
^]

Am I doing something wrong here, or do we need to contact our upstream provider to figure out what is happening there?

2 Replies

Shivapramod M
Level 1

Hi,

Your NAT configuration is correct. But I see an error in the ACL configuration. Since you are above version 8.3, the access list should have the private IP address, not the mapped IP. So ideally, if you do not have any other ACL to permit this, the ASA should drop the packet.

access-list OUTSIDE extended permit tcp any host 192.168.60.20 eq 22

You can run the packet tracer to check the same.

Second thing is, I do not think the traffic is getting forwarded to the ASA if you are reaching the wrong domain name when you do the SSH.

You can take the capture on the outside interface and do the test.

cap capin int outside match tcp host <source IP> host 123.123.27.134 eq 22

Once the SSH test is done you can run "show cap capin" to check the capture. If you do not see any packets from your PC IP then it is not reaching the firewall.

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Akshay Rastogi
Cisco Employee

Hi,

I could see that the NAT statement related to the inside server IP is between Inside and DMZ. I am not sure how you are accessing it from Outside. Could you please share the other NAT statements related to DMZ-Outside and Inside-Outside? That could be the reason that you are being redirected to the wrong subnet.

Also, as Shivapramod has mentioned, you are using a post-8.3 version. Therefore you need to allow the traffic to the real IP address of the NAT statement instead of the mapped IP.

Use the packet-tracer as mentioned by Shiv to check the packet-flow.

Hope it helps.
Regards,

Akshay Rastogi

Remember to rate helpful posts.
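Both replies make the same two points: on ASA 8.3 and later an ACL must reference the real (untranslated) address, and a NAT rule written as (inside,dmz) only applies to traffic between those two interfaces, so a connection arriving on outside never uses it. The script below is an added example, not code from the thread or from Cisco: it parses the object-NAT and access-list lines of an ASA configuration and reports both mismatches. The configuration text is constructed from the poster's snippets (with the nat line placed inside its object block, as "show run object" displays it); the ASA version "9.1" and the ingress interface "outside" are assumptions passed as parameters.

```python
"""Added example (not from the thread): checker for the post-8.3 ASA NAT/ACL pitfall.

Reports (1) ACL entries whose destination is a MAPPED (translated) address, which
on ASA 8.3+ must be the REAL address, and (2) object-NAT rules whose interface
pair does not include the interface the traffic actually arrives on.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample built from the poster's fragments (assumed layout).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 123.123.6.243 255.255.255.248
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 123.123.27.129 255.255.255.224
object network inside-ssh-host
 host 192.168.60.20
 nat (inside,dmz) static 123.123.27.134 service tcp ssh ssh
access-list OUTSIDE extended permit tcp any host 123.123.27.134 eq ssh
"""

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static (\S+)")


@dataclass
class NatRule:
    obj: str        # object network name
    real_ip: str    # host address inside the object (before translation)
    real_if: str    # first interface of the (real,mapped) pair
    mapped_if: str  # second interface of the pair
    mapped_ip: str  # translated address


@dataclass
class AclEntry:
    name: str
    line: str
    dst: str        # destination spec: "any", a host/object name, or "net/mask"


def _addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Parse one ACL address spec at tokens[i]; return (spec, index after it)."""
    if tokens[i] in ("any", "any4", "any6"):
        return "any", i + 1
    if tokens[i] in ("host", "object", "object-group"):
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2      # network mask form


def parse_config(text: str) -> Tuple[List[NatRule], List[AclEntry]]:
    """Collect object-NAT rules and extended permit ACEs from running-config text."""
    nats, acls = [], []
    obj = real_ip = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" ") and not line.startswith("object network "):
            obj = real_ip = None                      # left the object block
        if line.startswith("object network "):
            obj, real_ip = line.split()[2], None
        elif obj and line.startswith("host "):
            real_ip = line.split()[1]
        elif obj and NAT_RE.match(line):
            r_if, m_if, m_ip = NAT_RE.match(line).groups()
            nats.append(NatRule(obj, real_ip, r_if, m_if, m_ip))
        elif line.startswith("access-list ") and " extended permit " in line:
            t = line.split()        # access-list NAME extended permit PROTO SRC... DST... [ports]
            _, i = _addr(t, 5)      # skip the source spec
            dst, _ = _addr(t, i)
            acls.append(AclEntry(t[1], line, dst))
    return nats, acls


def check(nats, acls, version="9.1", ingress_if="outside") -> List[str]:
    """Return findings; version and ingress_if are assumptions supplied by the caller."""
    findings = []
    post_83 = tuple(int(x) for x in version.split(".")[:2]) >= (8, 3)
    by_mapped = {n.mapped_ip: n for n in nats}
    for a in acls:
        n = by_mapped.get(a.dst)
        if n and post_83:
            findings.append(
                f"{a.name}: destination {a.dst} is the mapped address of object {n.obj}; "
                f"ASA {version} matches ACLs on the real address, use 'host {n.real_ip}'")
    for n in nats:
        pair = (n.real_if, n.mapped_if)
        if "any" not in pair and ingress_if not in pair:
            findings.append(
                f"nat ({n.real_if},{n.mapped_if}) for {n.obj}: connections arriving on "
                f"'{ingress_if}' for {n.mapped_ip} are not translated by this rule")
    return findings


if __name__ == "__main__":
    for finding in check(*parse_config(SAMPLE_CONFIG)):
        print("WARN", finding)
```

Run against the constructed sample it prints two warnings: the ACL names the mapped address 123.123.27.134 where the real address 192.168.60.20 is required, and the (inside,dmz) rule does not cover traffic entering on outside. Feeding it the output of "show running-config" lets you repeat the same audit on a full configuration; the parser deliberately covers only host objects and static object NAT, so twice NAT ("nat (a,b) source static ...") lines are ignored rather than misreported.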
