cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1591
Views
0
Helpful
8
Replies

PAT ASA 5520

Hi guys,

I have to configure a Cisco ASA 5520. The goal is to forward the traffic arriving to the port 400 of the OUTSIDE interface to the port 22 of a server behind the INTERNAL interface (Ip 192.168.1.1). So far quite easy... at least on every firewall I've configured so far.

To do that, I have performed the following tasks:

1. I have setup the INSIDE interface with security level 100 and OUTSIDE with security level 0.

2. I have created an access rule on the firewall via ADSM 6.4 in order to allow the traffic to pass trought the firewall from OUTSIDE to INSIDE (specifying the source ip, of course).

3. I have created a static NAT rule to forward all the traffic arriving from that particular host and destinated to the OUTSIDE interface (port 400) to be forwarded to the INSIDE interface (port 22).

I expected it to be enough but all the packets are discarded by the implicit incoming rule on the OUTSIDE interface. Can you please help mi find out what's wrong on my configuration?

Thanks in advance,

Dario

1 Accepted Solution

Accepted Solutions

Nope I dont think so, after going through your requirements, this is what you would need:

access-list OUTSIDE_access_in extended permit ip any interface OUTSIDE eq 400

access-group OUTSIDE_access_in in interface OUTSIDE

static (INTERNAL,OUTSIDE)) tcp interface 400  APVI1 ssh netmask 255.255.255.255

This configuration is for, if anyone on the internet wants to access the server, the request would come on port 400 on outisde interface and woudl get translated to the inside server on port 22. I am not sure what IP is CHECKPOINT_FW?? Since it is not given in the configuration above.

You can try the above and it would work.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

8 Replies 8

Please note that the traffic passing through is ssh.

Hi Dario,

You forgot to mention the software version on the ASA, if it is 8.3 or higher, please make sure you allow the private ip of your server on the ACL configured on the OUTSIDE interface, because there is a syntax change in those codes. And also if you can share the configuration that you've done so far for the server.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

The ASA Version is 8.2(5). Here below the part of the configuration we are talking about (created by ADSM):

interface GigabitEthernet0/0

nameif OUTSIDE

security-level 0

ip address 210.193.170.26 255.255.255.248

!

interface GigabitEthernet0/2

nameif INTERNAL

security-level 100

ip address 192.168.1.1 255.255.255.0

!

object-group service MYSERVICE tcp

port-object eq 400

object-group network INT1

access-list OUTSIDE_access_in extended permit ip host CHECKPOINT_FW 192.168.1.0 255.255.255.0

global (OUTSIDE) 1 interface

nat (INTERNAL) 1 192.168.1.0 255.255.255.0

static (OUTSIDE,INTERNAL) tcp APVI1 ssh CHECKPOINT_FW 400 netmask 255.255.255.255

access-group OUTSIDE_access_in in interface OUTSIDE

route OUTSIDE 0.0.0.0 0.0.0.0 CHECKPOINT_FW 1

Does it make sense?

thanks,

Dario

Nope I dont think so, after going through your requirements, this is what you would need:

access-list OUTSIDE_access_in extended permit ip any interface OUTSIDE eq 400

access-group OUTSIDE_access_in in interface OUTSIDE

static (INTERNAL,OUTSIDE)) tcp interface 400  APVI1 ssh netmask 255.255.255.255

This configuration is for, if anyone on the internet wants to access the server, the request would come on port 400 on outisde interface and woudl get translated to the inside server on port 22. I am not sure what IP is CHECKPOINT_FW?? Since it is not given in the configuration above.

You can try the above and it would work.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varum,

I have replaced the IP with a generic "CHECKPOINT_FW" because it is a public IP and I cannot risk to put any sensible data of my customer in the internet :-).

I will try your config in a few minutes and I let you know.

Thanks,

Dario

sure i'll wait for your update.

Varun

Thanks,
Varun Rao

It worked perfectly. Just the "eq 400" gives me a syntax error. Now I just have to restrict the access from the port 400 of CHECKPOINT_FW and everything will be perfect.

I've spent all the day with ASDM and I think I will use it only to chack the logs.

Thank you a lot for your help.

Dario

Hey thats good to know, all the best. Let me know if you face any further issues.

Take care,

Varun

Thanks,
Varun Rao
Review Cisco Networking for a $25 gift card