1409 Views, 0 Helpful, 8 Replies

PAT ASA 5520

Hi guys,

I have to configure a Cisco ASA 5520. The goal is to forward the traffic arriving at port 400 of the OUTSIDE interface to port 22 of a server behind the INTERNAL interface (IP 192.168.1.1). So far quite easy... at least on every firewall I've configured so far.

To do that, I have performed the following tasks:

1. I have set up the INSIDE interface with security level 100 and OUTSIDE with security level 0.

2. I have created an access rule on the firewall via ASDM 6.4 in order to allow the traffic to pass through the firewall from OUTSIDE to INSIDE (specifying the source IP, of course).

3. I have created a static NAT rule to forward all the traffic arriving from that particular host and destined to the OUTSIDE interface (port 400) to the INSIDE interface (port 22).

I expected it to be enough, but all the packets are discarded by the implicit incoming rule on the OUTSIDE interface. Can you please help me find out what's wrong with my configuration?

Thanks in advance,

Dario

1 Accepted Solution

Accepted Solutions

Nope, I don't think so. After going through your requirements, this is what you would need:

access-list OUTSIDE_access_in extended permit ip any interface OUTSIDE eq 400
access-group OUTSIDE_access_in in interface OUTSIDE
static (INTERNAL,OUTSIDE) tcp interface 400 APVI1 ssh netmask 255.255.255.255

This configuration is for the case where anyone on the internet wants to access the server: the request would come in on port 400 on the outside interface and would get translated to the inside server on port 22. I am not sure what IP CHECKPOINT_FW is, since it is not given in the configuration above.

You can try the above and it would work.

Thanks,

Varun

Thanks,
Varun Rao


8 Replies

Please note that the traffic passing through is ssh.

Hi Dario,

You forgot to mention the software version on the ASA. If it is 8.3 or higher, please make sure you allow the private IP of your server on the ACL configured on the OUTSIDE interface, because there is a syntax change in those codes. And also, if you can, share the configuration that you've done so far for the server.

Hope that helps.

Thanks,

Varun


Hi Varun,

The ASA version is 8.2(5). Below is the part of the configuration we are talking about (created by ASDM):

interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 210.193.170.26 255.255.255.248
!
interface GigabitEthernet0/2
 nameif INTERNAL
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object-group service MYSERVICE tcp
 port-object eq 400
object-group network INT1
access-list OUTSIDE_access_in extended permit ip host CHECKPOINT_FW 192.168.1.0 255.255.255.0
global (OUTSIDE) 1 interface
nat (INTERNAL) 1 192.168.1.0 255.255.255.0
static (OUTSIDE,INTERNAL) tcp APVI1 ssh CHECKPOINT_FW 400 netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 CHECKPOINT_FW 1

Does it make sense?

thanks,

Dario


Hi Varun,

I have replaced the IP with a generic "CHECKPOINT_FW" because it is a public IP and I cannot risk putting any sensitive data of my customer on the internet :-).

I will try your config in a few minutes and let you know.

Thanks,

Dario

Sure, I'll wait for your update.

Varun


It worked perfectly. Just the "eq 400" gives me a syntax error. Now I just have to restrict the access from the port 400 of CHECKPOINT_FW and everything will be perfect.

I've spent all day with ASDM and I think I will use it only to check the logs.

Thank you a lot for your help.

Dario
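As an added illustration of the two points this thread turns on (the `permit ip ... eq 400` line being rejected by the parser, and Varun's earlier note that pre-8.3 ACLs are matched against the translated address while 8.3+ ACLs are matched against the real inside address), here is a small lint script that is not part of the thread or of any Cisco tooling; APVI1, OUTSIDE_access_in and the 203.0.113.0/24 source network standing in for the peer firewall are assumed names.

```python
import re

# Added example, not from the thread; APVI1, OUTSIDE_access_in and 203.0.113.0/24 are assumed.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp (?P<mapped_ip>\S+) "
    r"(?P<mapped_port>\S+)\s+(?P<real_ip>\S+) (?P<real_port>\S+)")
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|interface \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?$")

def ace_syntax_error(line):
    """Message if the ASA parser would reject this ACE, else None."""
    m = ACE_RE.match(line)
    if not m:
        return "unparsable ACE"
    if m["proto"] == "ip" and m["port"]:  # the 'eq 400' error hit in the thread
        return "'eq <port>' is only valid with tcp/udp, not ip"
    return None

def acl_covers_pat(asa_version, static_line, ace_lines):
    """True if the inbound ACL permits the flow the static PAT translates.
    Pre-8.3 ACLs see the mapped (outside) address/port; 8.3+ ACLs see the real one."""
    s = STATIC_RE.match(static_line)
    if not s:
        raise ValueError("unparsable static")
    major, minor = map(int, re.match(r"(\d+)\.(\d+)", asa_version).groups())
    if (major, minor) < (8, 3):
        want_dst = ("interface " + s["mapped_if"] if s["mapped_ip"] == "interface"
                    else "host " + s["mapped_ip"])
        want_port = s["mapped_port"]
    else:
        want_dst, want_port = "host " + s["real_ip"], s["real_port"]
    for line in ace_lines:
        m = ACE_RE.match(line)
        if (m and not ace_syntax_error(line) and m["action"] == "permit"
                and m["proto"] in ("tcp", "ip") and m["dst"] in (want_dst, "any")
                and m["port"] in (want_port, None)):
            return True
    return False

def open_sources(ace_lines):
    """Permit ACEs whose source is 'any': candidates for restricting to the peer."""
    return [l for l in ace_lines if (m := ACE_RE.match(l))
            and m["action"] == "permit" and m["src"] == "any"]

# Constructed sample lines modelled on the thread's accepted answer.
STATIC = "static (INTERNAL,OUTSIDE) tcp interface 400 APVI1 ssh netmask 255.255.255.255"
BROKEN = "access-list OUTSIDE_access_in extended permit ip any interface OUTSIDE eq 400"
FIXED = "access-list OUTSIDE_access_in extended permit tcp 203.0.113.0 255.255.255.0 interface OUTSIDE eq 400"
```

Running `acl_covers_pat("8.4(2)", STATIC, [FIXED])` returns False, which is the 8.3+ pitfall Varun warned about: the same ACE has to name the real inside host and port instead of the outside interface.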

Hey, that's good to know, all the best. Let me know if you face any further issues.

Take care,

Varun
