port forward from router through asa not working

jspriesterbach (Level 1)

Hello,

My topology is roughly:

[PC]---<R1>---<ASA>----<R2>

The port forwarding functionality I want to achieve is:

  • From my pc @192.168.1.15: ssh 192.168.1.6:2222 =>(redirect) 203.0.113.2:2222 =>(redirect) 172.16.0.2:22

I am trying to ssh from my PC connected to R1, over port 2222, and have it forward through the ASA to port 22 on R2. The config I have shown below does work from R1's CLI, ssh'ing to the ASA's IP 203.0.113.2 on port 2222. However, when I try to use my PC and connect to 192.168.1.6:2222, the connection times out. When I enable debug on the ASA, I do see the ssh session get created and it seems to hit the NAT/ACL, but then there are no other logs except for the disconnect/teardown a minute or so later. I also ran packet tracer from the 192.168.0.1/24 and 203.0.113.0/30 networks to 203.0.113.2:2222, and according to packet tracer it should allow the packets and not drop them.

R1:

  • outside g0/0: 192.168.1.6
  • inside g0/1: 203.0.113.1

ASA:

  • outside g1/1: 203.0.113.2
  • inside g1/2: 172.16.0.1

R2:

  • outside g0/0: 172.16.0.2
  • inside g0/1: 172.16.1.1 

On R1, I have this nat rule:
ip nat inside source static tcp 203.0.113.2 2222 interface GigabitEthernet0/0/0 2222

On the ASA, I have these relevant configs:

object network r2
host 172.16.0.2
nat (inside,outside) static interface service tcp ssh 2222

access-list r2_ssh_in extended permit tcp any host 172.16.0.2 eq ssh
access-group r2_ssh_in in interface outside

Any idea why the port forward rule on the ASA works using the ssh client on R1 but not from the PC? The two routers have had other port forwarding rules in place before the ASA was introduced in between them, and that all worked fine before. Do I need an ACL on the firewall to allow the 192.168.1.0/24 network?

Thanks!


 

MHM 

Hi MHM Cisco World,

Thanks for the reply! Unfortunately that didn't work, as the flag after tcp is supposed to be the "real port", which would be 22, then the "mapped port", which is 2222. When I try to reverse the nat rule, I get this error:

asa(config-network-object)# nat (inside,outside) static interface service tcp 2222 ssh
ERROR: NAT unable to reserve ports.

Also note that when I try to ssh to 192.168.1.6:2222 with the PC, the untranslate_hits increases, as well as the acl:

before sshing to 192.168.1.6:2222 with PC:
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static r2 interface service tcp ssh 2222
translate_hits = 0, untranslate_hits = 33

asa(config-network-object)# show access-list r2_ssh_in
access-list r2_ssh_in line 1 extended permit tcp any host 172.16.0.2 eq ssh (hitcnt=40) 0xc4cc05ba
---

after sshing to 192.168.1.6:2222 with PC:
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static r2 interface service tcp ssh 2222
translate_hits = 0, untranslate_hits = 34

asa(config-network-object)# show access-list r2_ssh_in
access-list 2r_ssh_in line 1 extended permit tcp any host 172.16.0.2 eq ssh (hitcnt=41) 0xc4cc05ba

When I run ssh -l admin -p 2222 203.0.113.2 on R1, both hit counts also increase, but the ssh connection actually works. It feels like something on the ASA is blocking the connection from the 192.168.1.0/24 network, but I'm not sure. I don't understand why the NAT rules/ACLs work when R1 ssh's to 203.0.113.2, but when the PC ssh's to 192.168.1.6:2222, which then gets redirected to 203.0.113.2 by my isr4321 router, for some reason that does not work. Packet tracer using ASDM also suggests that there's nothing wrong with my rules and that the ASA should allow the connection, so I'm a bit stumped. Is there something in the ASA that blocks port forwards originating from other routers?

Another possible issue I thought of: maybe I need to NAT the inbound redirect to somehow use 203.0.113.1 or 192.168.1.6 as the source IP, so the origin doesn't look like it's coming from 192.168.1.15? (192.168.1.15 is the IP of the PC, 192.168.1.6 is g0/1 on the isr4321; when I ssh from the PC to 192.168.1.6:2222, the packet looks like it's coming from 192.168.1.15, it does not NAT to the router's IP btw.)

Thanks

Sorry, I was confused about which port the server uses.

If it uses ssh, not 2222, then the port in the NAT is correct.

BUT

untranslate_hits = 34 <<- this means that the NAT works, but there are conflicts with other NAT

Try using 

Nat(in, out) source statics object-group object-group service tcp ssh 2222 destination any 

 

 

Hi MHM Cisco World,

Unfortunately that didn't fix it either. I have included a diagram below that hopefully shows the issue a little clearer. When I ssh from the router using ssh -l admin -p 2222 203.0.113.2 the redirect works, but ssh'ing to 192.168.1.2:2222 from the PC to R1 the redirection does not work (as shown by the red and green lines in the photo). I'm guessing there's either a routing issue because R2 or the ASA doesn't know how to get back to 192.168.1.28, or the ASA may be blocking the connection from 192.168.1.28 because it's an outside source, but allowing R1 at 203.0.113.1 because it's directly connected? Thanks

[Attachment: home_asa.drawio (4).png]

Can I see `show run nat`?

Here you go:

asa# show running-config nat
!
object network r2
  nat (inside,outside) static interface service tcp ssh 2222
object network inside-172.16.0.0
  nat (inside,outside) dynamic interface

`show nat detail`

(Object NAT) dynamic must be section 2 of NAT order 

and

(Manual NAT) static NAT must be section 1 of NAT order

Can you share output 

More info, as I suggested changing the type of NAT but maybe you were confused.

Network object NAT: You define NAT as a parameter for a network object.

Example:
object network WEB-SERVER-SSH
host 172.16.30.15
nat (inside,outside) static 72.6.6.15 service tcp 22 2222

 

Manual NAT: In this case, NAT is not a parameter of the network object, but the network object or group is a parameter of the NAT configuration.

Example:
object network SERVER_X
host 172.16.30.100

object network SERVER_X_PUBLIC
host 100.1.1.1

nat (inside,outside) source static SERVER_X SERVER_X_PUBLIC

 

Hi MHM Cisco World,

 

Here is the `show nat detail` output:

asa# show nat detail

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static r2 interface service tcp ssh 2222
translate_hits = 0, untranslate_hits = 3
Source - Origin: 172.16.0.2/32, Translated: 203.0.113.2/29
Service - Protocol: tcp Real: ssh Mapped: 2222
2 (inside) to (outside) source dynamic inside-172.16.0.0 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 172.16.0.0/29, Translated: 203.0.113.2/29

Thanks for your continued help with this!

Please share packet tracer output after adding detail at the end of the command.

Also 

ASA# capture capin interface inside match ip serverIP 255.255.255.255 any

After capturing some traffic while you ssh to the server, do

no capture capin

to stop the capture.

Share also capture as I mention above 

Hi MHM,

I will gather the capture information and paste it here very soon. However, I am pretty sure the issue is because of these "Deny TCP (no connection)" dropped packets from the ASA. See my screenshot below from when I tried to ssh from my PC to 192.168.1.6:2222 (which should port forward as 192.168.1.6:2222=>203.0.113.2:2222=>172.16.0.2:22 if you recall):

[Screenshot: deny_tcp_no_connection.PNG]

So it looks to me like the first SYN packet gets to R2 at 172.16.0.2, R2 then tries to respond to the SYN with a SYN ACK, but the firewall drops it. R2 is configured to use 172.16.0.1 as its default gateway and default route, which is the firewall's inside interface.

The server does not use 22, it uses 545.

So you need to change the NAT to be

....545 2222

Do this and check again.

MHM
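As an added illustration (not from the thread, and not Cisco code), here is a small Python model of the stateful check behind the "Deny TCP (no connection)" drop described above and the port-545 explanation that follows it: the ASA records the post-NAT client/server tuple when it untranslates the SYN to 172.16.0.2:22, so a SYN-ACK coming back from any other R2 source port has no matching connection. Assumed: a simplified 5-tuple connection table, a constructed PC source port, and the addresses and ports from this thread.

```python
from dataclasses import dataclass, replace

# Constructed packets following the thread's topology: PC 192.168.1.15 -> R1
# 192.168.1.6:2222 -> ASA 203.0.113.2:2222 -> R2 172.16.0.2:22. Assumption: the
# ASA keys its connection table on the post-NAT 5-tuple, as stateful firewalls do.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn_only: bool  # True for the client's SYN, False for R2's SYN-ACK

def r1_forward(pkt: Packet) -> Packet:
    """R1 rule 'ip nat inside source static tcp 203.0.113.2 2222 interface g0/0 2222':
    only the destination is rewritten; the PC stays the source, as the thread notes."""
    if (pkt.dst_ip, pkt.dst_port) == ("192.168.1.6", 2222):
        return replace(pkt, dst_ip="203.0.113.2", dst_port=2222)
    return pkt

class Asa:
    """Object NAT 'static interface service tcp ssh 2222' for r2 plus a connection table."""
    DENY = "Deny TCP (no connection)"
    def __init__(self) -> None:
        self.conns: set = set()
    def outside_to_inside(self, pkt: Packet) -> tuple:
        # Only a SYN to mapped port 2222 is untranslated and gets a connection entry
        if pkt.syn_only and (pkt.dst_ip, pkt.dst_port) == ("203.0.113.2", 2222):
            real = replace(pkt, dst_ip="172.16.0.2", dst_port=22)
            self.conns.add((real.src_ip, real.src_port, real.dst_ip, real.dst_port))
            return real, "ALLOW"
        return None, self.DENY
    def inside_to_outside(self, pkt: Packet) -> tuple:
        # A reply must match the recorded client tuple AND the real server port 22
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.conns:
            return replace(pkt, src_ip="203.0.113.2", src_port=2222), "ALLOW"
        return None, self.DENY

def handshake_verdict(reply_port: int) -> str:
    """Push the PC's SYN through R1 and the ASA, then return the ASA's verdict on
    R2's SYN-ACK when R2 answers from reply_port (22 normally; 545 as the thread saw)."""
    asa = Asa()
    syn = Packet("192.168.1.15", 51234, "192.168.1.6", 2222, True)  # constructed client port
    real, _ = asa.outside_to_inside(r1_forward(syn))
    synack = Packet(real.dst_ip, reply_port, real.src_ip, real.src_port, False)
    return asa.inside_to_outside(synack)[1]
```

Running handshake_verdict(22) returns "ALLOW", while handshake_verdict(545) returns the same "Deny TCP (no connection)" verdict seen in the screenshot, which is why matching the NAT service port to the port R2 really answers from clears the drop.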

Hi MHM & Aref,

The router is choosing that random source port, I'm not controlling it. How can I tell R2 to use the correct source port? It's just an ISR4331 with ssh open, not much routing or NAT rules on it at the moment.

https://learningnetwork.cisco.com/s/question/0D53i00000KszqpCAB/enable-ssh-on-router-on-different-port

Check this to change the ssh port from 22 to 545 (or other) and then modify the NAT and ACL for this new IP.

MHM

Hi MHM,
I took your advice and simply changed the port the router is listening on rather than trying to get the port forward from 2222 => 22 working. It appears that we simply can't control the source port the ISR will decide to use in that scenario. Thanks so much for your help throughout this thread!

 
