
Port Forwarding in ASA for SSH service

hectormiranda (Level 1)

Hello,

My scenario is as follows:

- Internal LAN subnet: 192.168.20.0/24

- Cisco ASA5516-X external Public IP: 190.151.47.10

- inside interface name: inside

- outside interface name: WAN_INTERNET_If

There is a server in the internal LAN with IP address 192.168.20.36. There is a network object named Server-Arq defined in the ASA.

I need to access that server from the outside through SSH but using tcp port 22022 as "external" port, then mapping it to port 22 in the server's address.

So, if a user from the outside runs PuTTY pointing SSH to 190.151.47.10 port 22022, then that traffic goes to internal 192.168.20.36 port 22.

I wrote the following instructions in the ASA for the port forwarding:

object network Server-Arq
nat (inside,WAN_INTERNET_If) static interface service tcp ssh 22022

Then I added the following ACL:

access-list WAN_Internet_access_in extended permit tcp any object Server-Arq eq ssh

But the port tcp 22022 remains closed.

What is missing in my configuration?

Attached current ASA config file.

Thanks in advance,

Hector M.


6 Replies

johnd2310 (Level 8)

Hi,

You access-list should be for port 22022 and not ssh

"access-list WAN_Internet_access_in extended permit tcp any object Server-Arq eq 22022"

Thanks

John

**Please rate posts you find helpful**

Thank you, John.

I tried it, but that's not the problem.

Hector M.

Francesco Molino (VIP Alumni), Accepted Solution

Hi

Can you move your dynamic nat at the end like:

object network obj_any
 nat (any,WAN_INTERNET_If) after-auto dynamic interface

Also can you run the following command and paste the result please in a text file:


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

I moved the dynamic NAT rule after the specific object ones.

The syntax is: 

object network Server-Arq
nat (inside,WAN_INTERNET_If) static interface service tcp ssh 8022
!
nat (inside,WAN_INTERNET_If) after-auto source dynamic any interface

Regarding the PacketTracer, I have attached the output to this message. Last night, trying to do something different, I changed the 22022 port to tcp 8022, so the packet tracer command I ran was:

packet-tracer input WAN_INTERNET_if tcp 8.8.8.8 12345 190.151.47.10 8022 detail

Hector M.

Did you remove this NAT:

object network obj_any
nat (any,WAN_INTERNET_If) dynamic interface

You should have only your ssh nat first and then the dynamic at the end.
Do a clear xlate, test again and re-run the packet-tracer command please.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello,

I did two different tests:

  1. Used an access switch in the LAN to forward port 22 to port 8201. External access (SSH to public ip + port 8201) worked ok
  2. Used an internal PC (Windows) and installed FreeSSH server. Mapped port 22 to 22134 and external SSH worked ok.

So, I asked the server's guy what was happening with his machine. He changed the machine and the initial problem disappeared!

Anyway, I thank you guys for your great help.

Hector M.
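The thread above turns on three things that are easy to get wrong when publishing a host behind an ASA with static PAT: the object NAT must translate the real port (22) to the mapped port (22022) on the outside interface, the catch-all dynamic PAT should sit after the static rule (Francesco's after-auto advice), and the inbound ACL must permit the real port on the real object, because on ASA 8.3 and later interface ACLs are evaluated on the untranslated address and port (which is why Hector's original `eq ssh` was the right form and `eq 22022` did not help). The script below is an added example, not anything posted in the thread: it is a static lint that reads an ASA config and reports which of those three points are off. The two configs it checks are constructed for the example (the `host`, `subnet` and `access-group` lines are assumptions; the thread never shows them), and the ASA syntax it recognises is limited to the object NAT, twice NAT, `access-list extended` and `access-group` forms that appear in the thread.

```python
"""Static lint for an ASA static-PAT port forward (constructed example, not the thread's config).

For a server object published on OUTSIDE_IF at MAPPED_PORT, check the points the thread turns on:
  1. an object NAT 'static interface service tcp REAL MAPPED' exists for the server;
  2. any catch-all dynamic PAT on that interface is after-auto, so the static rule is matched first;
  3. an inbound ACE permits the REAL port on the real object (ASA 8.3+ ACLs match untranslated
     addresses and ports) and the ACL is bound inbound on OUTSIDE_IF with access-group.
"""
import re

PORT_NAMES = {"ssh": 22, "www": 80, "http": 80, "https": 443, "telnet": 23, "smtp": 25}
OBJECT_LINES = {"host", "subnet", "range", "fqdn", "description", "nat"}  # lines that stay inside an object
OBJ_NAT = re.compile(r"^nat\s+\((?P<rif>[^,]+),(?P<mif>[^)]+)\)\s+(?P<aa>after-auto\s+)?"
                     r"(?P<kind>static|dynamic)\s+\S+(?:\s+service\s+(?:tcp|udp)\s+(?P<rport>\S+)\s+(?P<mport>\S+))?")
TWICE_NAT = re.compile(r"^nat\s+\((?P<rif>[^,]+),(?P<mif>[^)]+)\)\s+(?P<aa>after-auto\s+)?"
                       r"source\s+(?P<kind>static|dynamic)\s")


def port_number(tok):
    """ASA accepts service names (ssh) or numbers (22022); normalise to int."""
    return PORT_NAMES.get(tok.lower()) or int(tok)


def parse_ace(tok):
    """Tokens of: access-list NAME extended ACTION PROTO SRC [op port] DST [eq PORT]."""
    def spec(i):  # any | host X | object X | object-group X | addr mask
        return (tok[i], i + 1) if tok[i].startswith("any") else (f"{tok[i]} {tok[i + 1]}", i + 2)
    src, i = spec(5)
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq"):
        i += 2  # source-port operator, irrelevant to this check
    dst, i = spec(i)
    port = port_number(tok[i + 1]) if i + 1 < len(tok) and tok[i] == "eq" else None
    return {"name": tok[1], "action": tok[3], "proto": tok[4], "src": src, "dst": dst, "dst_port": port}


def parse_config(text):
    """Collect NAT rules (with their owning object, if any), extended ACEs and access-group bindings."""
    cfg, current = {"nats": [], "acls": [], "groups": []}, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        tok = line.split()
        if tok[:2] == ["object", "network"]:
            current = tok[2]
            continue
        if tok[0] not in OBJECT_LINES:
            current = None  # left the object block
        if tok[0] == "nat":
            m, obj = TWICE_NAT.match(line), None  # twice NAT is top-level, object NAT belongs to 'current'
            if not m:
                m, obj = OBJ_NAT.match(line), current
            if m:
                d = m.groupdict()
                cfg["nats"].append({"object": obj, "mapped_if": d["mif"], "kind": d["kind"],
                                    "after_auto": bool(d["aa"]),
                                    "real_port": port_number(d["rport"]) if d.get("rport") else None,
                                    "mapped_port": port_number(d["mport"]) if d.get("mport") else None})
        elif tok[0] == "access-list" and len(tok) > 6 and tok[2] == "extended":
            cfg["acls"].append(parse_ace(tok))
        elif tok[0] == "access-group" and len(tok) >= 5:
            cfg["groups"].append({"acl": tok[1], "dir": tok[2], "iface": tok[4]})
    return cfg


def check_port_forward(config, server, outside_if, mapped_port, real_port=22):
    """Return a list of findings; an empty list means the ASA side of the forward looks right."""
    cfg, out = parse_config(config), []
    same = lambda a, b: a.lower() == b.lower()
    static = [n for n in cfg["nats"] if n["object"] == server and n["kind"] == "static"]
    if not static:
        out.append(f"no static object NAT for {server}")
    elif not same(static[0]["mapped_if"], outside_if) or \
            (static[0]["real_port"], static[0]["mapped_port"]) != (real_port, mapped_port):
        out.append(f"{server} NAT does not map tcp/{real_port} to {outside_if}:{mapped_port}")
    for n in cfg["nats"]:
        if n["kind"] == "dynamic" and same(n["mapped_if"], outside_if) and not n["after_auto"]:
            out.append(f"dynamic PAT on {outside_if} is not after-auto; move it after the static rule")
    aces = [a for a in cfg["acls"] if a["action"] == "permit" and a["proto"] in ("tcp", "ip")
            and a["dst"] == f"object {server}"]
    if not aces:
        out.append(f"no ACE permits tcp to object {server}")
    elif not any(a["dst_port"] in (None, real_port) for a in aces):
        out.append(f"ACE permits port {aces[0]['dst_port']} but ASA 8.3+ ACLs match the real port; use eq {real_port}")
    elif not any(g["acl"] == a["name"] and g["dir"] == "in" and same(g["iface"], outside_if)
                 for a in aces for g in cfg["groups"]):
        out.append(f"ACL {aces[0]['name']} is not applied inbound on {outside_if} (access-group)")
    return out


# Constructed configs: the thread's first attempt, then the after-auto form from its last reply.
ORIGINAL = """
object network Server-Arq
 host 192.168.20.36
 nat (inside,WAN_INTERNET_If) static interface service tcp ssh 22022
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (any,WAN_INTERNET_If) dynamic interface
access-list WAN_Internet_access_in extended permit tcp any object Server-Arq eq ssh
access-group WAN_Internet_access_in in interface WAN_INTERNET_If
"""
FIXED = ORIGINAL.replace(" nat (any,WAN_INTERNET_If) dynamic interface",
                         "!\nnat (inside,WAN_INTERNET_If) after-auto source dynamic any interface")

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, check_port_forward(cfg, "Server-Arq", "WAN_INTERNET_If", 22022) or "OK")
```

This is a lint of the configuration text only; the authoritative check on the box is still the `packet-tracer input WAN_INTERNET_If tcp 8.8.8.8 12345 190.151.47.10 22022 detail` run Francesco asked for, followed by `clear xlate` if a stale translation could be masking the new rule. The thread's own resolution is the reminder that a clean lint and a clean packet-tracer only prove the ASA's half of the path: a host that is not listening on tcp/22, or that filters the inside interface's traffic, looks exactly like a "closed" mapped port from the outside, so confirm from the inside that 192.168.20.36:22 answers before touching the firewall again.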
