port forward from router through asa not working

jspriesterbach
Level 1

Hello,

My topology is roughly:

[PC]---<R1>---<ASA>----<R2>

The port forwarding functionality I want to achieve is:

  • From my pc @192.168.1.15: ssh 192.168.1.6:2222 =>(redirect) 203.0.113.2:2222 =>(redirect) 172.16.0.2:22

I am trying to ssh from my PC connected to R1, over port 2222, and have it forwarded through the ASA to port 22 on R2. The config I have shown below does work from R1's CLI, ssh'ing to the ASA's IP 203.0.113.2 on port 2222. However, when I try to use my PC and connect to 192.168.1.6:2222, the connection times out. When I enable debug on the ASA, I do see the ssh session get created and it seems to hit the nat/acl, but then there are no other logs except for the disconnect/teardown a minute or so later. I also ran packet tracer from the 192.168.0.1/24 and 203.0.113.0/30 networks to 203.0.113.2:2222, and according to packet tracer it should allow the packets and not drop them.

R1:

  • outside g0/0: 192.168.1.6
  • inside g0/1: 203.0.113.1

ASA:

  • outside g1/1: 203.0.113.2
  • inside g1/2: 172.16.0.1

R2:

  • outside g0/0: 172.16.0.2
  • inside g0/1: 172.16.1.1

On R1, I have this nat rule:
ip nat inside source static tcp 203.0.113.2 2222 interface GigabitEthernet0/0/0 2222

On the ASA, I have these relevant configs:

object network r2
host 172.16.0.2
nat (inside,outside) static interface service tcp ssh 2222

access-list r2_ssh_in extended permit tcp any host 172.16.0.2 eq ssh
access-group r2_ssh_in in interface outside

Any idea why the port forward rule on the ASA works using the ssh client on R1 but not from the PC? The two routers have had other port forwarding rules in place before the ASA was introduced in between them, and that all worked fine before. Do I need an ACL on the firewall to allow the 192.168.1.0/24 network?

Thanks!

15 Replies

On the capture I see R2's source port is showing as 545 instead of port 22. This could potentially be the issue, because in this case the ASA won't have a state entry for the returning traffic from R2 back to 192.168.1.14 and will treat it as traffic with no previous connection created, hence it will drop it.
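The following is an added example, not the poster's configuration or any Cisco code. It models the two static PAT hops described in the question (R1: 192.168.1.6:2222 to 203.0.113.2:2222; ASA: 203.0.113.2:2222 to 172.16.0.2:22, with the r2_ssh_in ACL checked against the real address) and the stateful check the reply describes: the ASA records the post-NAT 5-tuple on the way in and only passes a return packet that matches it exactly. The PC's ephemeral port 51000 and the "reply from R2" packets are constructed values; running the model with R2 answering from port 22 versus port 545 shows why the second case produces no traffic back to the PC.

```python
"""Toy model of double static NAT plus a stateful connection table.

Added example for illustration; addresses and ports come from the thread,
the PC source port (51000) and the R2 replies are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticNat:
    """Static PAT: traffic for (mapped_ip, mapped_port) is redirected to
    (real_ip, real_port); replies from the real socket are untranslated."""
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int

    def inbound(self, pkt: Packet) -> Packet:
        if (pkt.dst_ip, pkt.dst_port) == (self.mapped_ip, self.mapped_port):
            return replace(pkt, dst_ip=self.real_ip, dst_port=self.real_port)
        return pkt

    def outbound(self, pkt: Packet) -> Packet:
        if (pkt.src_ip, pkt.src_port) == (self.real_ip, self.real_port):
            return replace(pkt, src_ip=self.mapped_ip, src_port=self.mapped_port)
        return pkt


class StatefulFirewall:
    """ASA-like behaviour: an inbound packet that passes the ACL (evaluated on
    the real, post-NAT destination) creates a connection entry keyed on the
    full 5-tuple; return traffic is allowed only if it matches an entry."""

    def __init__(self, nat: StaticNat, acl_permit):
        self.nat = nat
        self.acl_permit = acl_permit
        self.conns = set()

    def inbound(self, pkt: Packet):
        real = self.nat.inbound(pkt)
        if not self.acl_permit(real):
            return None  # denied by ACL
        self.conns.add((real.src_ip, real.src_port, real.dst_ip, real.dst_port))
        return real

    def return_traffic(self, pkt: Packet):
        # A reply must be the exact reverse of a recorded connection.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.conns:
            return None  # no matching connection: dropped
        return self.nat.outbound(pkt)


# ip nat inside source static tcp 203.0.113.2 2222 interface ... 2222 (R1)
R1_NAT = StaticNat("192.168.1.6", 2222, "203.0.113.2", 2222)
# nat (inside,outside) static interface service tcp ssh 2222 (ASA, object r2)
ASA_NAT = StaticNat("203.0.113.2", 2222, "172.16.0.2", 22)


def acl_r2_ssh_in(pkt: Packet) -> bool:
    """access-list r2_ssh_in extended permit tcp any host 172.16.0.2 eq ssh"""
    return pkt.dst_ip == "172.16.0.2" and pkt.dst_port == 22


def forward_path(asa: StatefulFirewall, pc_pkt: Packet):
    """PC -> R1 (static PAT) -> ASA (NAT + ACL + state). Returns the packet
    as it would arrive at R2, or None if the ASA dropped it."""
    return asa.inbound(R1_NAT.inbound(pc_pkt))


def simulate(reply_src_port: int):
    """Run one SSH setup attempt and R2's reply; returns the packet the PC
    would receive, or None if it is dropped on the way back."""
    asa = StatefulFirewall(ASA_NAT, acl_r2_ssh_in)
    pc_pkt = Packet("192.168.1.15", 51000, "192.168.1.6", 2222)  # constructed
    at_r2 = forward_path(asa, pc_pkt)
    if at_r2 is None:
        return None
    reply = Packet(at_r2.dst_ip, reply_src_port, at_r2.src_ip, at_r2.src_port)
    back = asa.return_traffic(reply)
    if back is None:
        return None
    return R1_NAT.outbound(back)


if __name__ == "__main__":
    print("R2 answers from 22 :", simulate(22))
    print("R2 answers from 545:", simulate(545))
```

Neither static rule rewrites the source address, so the packet reaches R2 with source 192.168.1.15; the model therefore assumes (and does not check) that R2 and the ASA have a route back to 192.168.1.0/24 via the ASA and R1 respectively.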
