ssh from internal to a DMZ host

Hi experts,

I need your help with an ACL because I am not very familiar with the ASA 5520 yet. I'm still studying.

I have been able to allow the OUTSIDE world to connect via SSH to the internal host 172.17.2.50 on my DMZ network. I've created a NAT rule and an ACL as written in the configuration below.

Now I need the INTERNAL network to SSH to 172.17.2.50, but the ASA stops me with the following error:

"%ASA-3-305006: {outbound static|identity|portmap|regular) translation creation failed for protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dest_address/dest_port [(idfw_user)]"

Can you please help me figure out a solution?

Here is the configuration (I've removed the standard part):

========================================================================
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address ************ ************
!
interface GigabitEthernet0/1
 shutdown
 nameif INTERNAL
 security-level 100
 no ip address
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.18.2.1 255.255.255.0
!
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ssh
! Inbound from OUTSIDE: SSH to the OUTSIDE interface address (port-forwarded by the static below)
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE object-group DM_INLINE_TCP_1
! Inbound from DMZ: only SSH to the INTERNAL interface address; everything else hits the implicit deny
access-list DMZ_access_in extended permit tcp any interface INTERNAL eq ssh
! Dynamic NAT/PAT (pre-8.3 syntax): nat (ifc) ID pairs with global (egress ifc) ID.
! There is a global for OUTSIDE and INTERNAL but none for DMZ, so a flow from
! INTERNAL (matched by nat (INTERNAL) 1) towards DMZ has no translation available.
global (OUTSIDE) 1 interface
global (INTERNAL) 1 interface
nat (INTERNAL) 1 172.18.1.0 255.255.255.0
nat (DMZ) 1 172.18.2.0 255.255.255.0
! Port-forward: OUTSIDE interface:22 -> 172.17.2.50:22 on the DMZ
static (DMZ,OUTSIDE) tcp interface ssh 172.17.2.50 ssh netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
========================================================================

Thanks,

Dario

Accepted Solution

Jennifer Halim (Cisco Employee)

Here is the configuration:

static (INTERNAL,DMZ) 172.18.1.0 172.18.1.0 netmask 255.255.255.0

then "clear xlate" to clear any existing translation before you test access.

Hope that helps.

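Worked example added here (it is not part of the thread and not Jennifer's or Cisco's text): the pre-8.3 NAT pieces around the accepted fix, why the original config fails, one equivalent alternative, and how to verify the path on the box before testing from a host. It keeps the post's own addresses (INTERNAL net 172.18.1.0/24, DMZ host 172.17.2.50, even though the posted DMZ interface is 172.18.2.1/24); the INTERNAL host 172.18.1.10, the source port 40000 and the ACL name NONAT are constructed for the example.

```cisco
! Added example, not from the original thread. Pre-8.3 ASA syntax, as in the post.
! Assumptions (not in the post): INTERNAL host 172.18.1.10, ACL name NONAT.
!
! Why the posted config logs %ASA-3-305006 for INTERNAL -> DMZ:
!   nat (INTERNAL) 1 172.18.1.0 255.255.255.0 matches the source, so the ASA
!   insists on a translation, but only global (OUTSIDE) 1 and global (INTERNAL) 1
!   exist. With no global (DMZ) 1 there is nothing to translate to, and the flow
!   is dropped with "regular translation creation failed".
!
! Fix from the accepted answer: identity static so 172.18.1.0/24 keeps its own
! addresses when talking to the DMZ. Static NAT takes precedence over the
! dynamic nat/global pair, so the missing global no longer matters.
static (INTERNAL,DMZ) 172.18.1.0 172.18.1.0 netmask 255.255.255.0
!
! Equivalent alternative (use one or the other, not both): NAT exemption,
! scoped to just the DMZ host instead of the whole internal network.
! access-list NONAT extended permit ip 172.18.1.0 255.255.255.0 host 172.17.2.50
! nat (INTERNAL) 0 access-list NONAT
!
! A third option, global (DMZ) 1 interface, would also clear the error but PATs
! every internal host to the ASA's DMZ address, so the DMZ host's logs would
! show the firewall instead of the real internal source. Not used here.
!
! INTERNAL (100) -> DMZ (50) is higher to lower security level, so no
! access-group on INTERNAL is needed unless one is already applied there.
!
! Flush stale translations, then walk the flow through the ASA's own logic.
clear xlate
packet-tracer input INTERNAL tcp 172.18.1.10 40000 172.17.2.50 22
show xlate
```

packet-tracer should now pass the NAT phase using the static and end with an allow; if it still reports a failed translation, check that the static's interface pair is written as (INTERNAL,DMZ) with the real nameif values. One caveat worth keeping in mind: a static translation is bidirectional, so after this change 172.18.1.0/24 is addressable from the DMZ, and the only thing stopping a compromised DMZ host from reaching internal machines is DMZ_access_in. The posted version of that ACL permits only SSH to the INTERNAL interface address and relies on the implicit deny for everything else; keep it that tight rather than adding "permit ip any any" while troubleshooting.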

Replies

Thanks a lot Jennifer. It worked perfectly! :-)

This support is just awesome.
