ssh from internal to a DMZ host

Hi experts,

I need your help with an ACL because I am not very familiar with the ASA 5520 yet. I'm still studying.

I have been able to allow the OUTSIDE world to connect via SSH to the internal host 172.17.2.50 on my DMZ network. I've created a NAT rule and an ACL as written in the configuration below.

Now I need the INTERNAL network to SSH to 172.17.2.50, but the ASA stops me with the following error:

"%ASA-3-305006: {outbound static|identity|portmap|regular} translation creation failed for protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dest_address/dest_port [(idfw_user)]"

Can you please help me figure out a solution?

Here is the configuration (I've removed the standard part):

========================================================================
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address ************ ************
!
interface GigabitEthernet0/1
 shutdown
 nameif INTERNAL
 security-level 100
 no ip address
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.18.2.1 255.255.255.0
!
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ssh
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE object-group DM_INLINE_TCP_1
access-list DMZ_access_in extended permit tcp any interface INTERNAL eq ssh
global (OUTSIDE) 1 interface
global (INTERNAL) 1 interface
nat (INTERNAL) 1 172.18.1.0 255.255.255.0
nat (DMZ) 1 172.18.2.0 255.255.255.0
static (DMZ,OUTSIDE) tcp interface ssh 172.17.2.50 ssh netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
========================================================================

Thanks,

Dario

Accepted Solutions
Jennifer Halim
Cisco Employee

Here is the configuration:

static (INTERNAL,DMZ) 172.18.1.0 172.18.1.0 netmask 255.255.255.0

then "clear xlate" to clear any existing translation before you test access.

Hope that helps.

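As an added example (not part of the thread), the accepted fix together with the checks that confirm it on an ASA running the pre-8.3 NAT syntax shown above. It assumes the INTERNAL interface is up with an address in 172.18.1.0/24 (the posted config shows it shut down, presumably redacted) and uses 172.18.1.10 as a constructed internal host:

```cisco
! Identity static: INTERNAL hosts keep their real addresses toward DMZ.
! Without it, nat (INTERNAL) 1 has no matching global (DMZ) 1 pool, so the
! ASA cannot build a translation for INTERNAL -> DMZ and logs %ASA-3-305006.
static (INTERNAL,DMZ) 172.18.1.0 172.18.1.0 netmask 255.255.255.0
!
! Drop existing translations so the new static is used immediately
clear xlate
!
! Simulate SSH from the constructed INTERNAL host to the DMZ server;
! the NAT phase should reference the new static and the trace should
! end with "Action: allow"
packet-tracer input INTERNAL tcp 172.18.1.10 40000 172.17.2.50 22
!
! After a real SSH attempt, the identity translation should be listed here
show xlate
```

Because DMZ (security-level 50) is lower than INTERNAL (100), no access-list is needed on INTERNAL for this direction unless an access-group is later applied to that interface.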


Thanks a lot Jennifer. It worked perfectly! :-)

This support is just awesome.