SSH Port Forwarding on ASAv to the Internal Server on Azure Cloud to enable access from Internet
06-30-2021 04:23 AM
Problem Statement: We have an Internal Server (10.150.11.116) that we want to access through SSH from the Internet. In order to achieve this we are using the Port Forwarding mechanism to map a custom port 2222 to the SSH service on the Internal Server so that it can be accessed with the Public IP of the Outside Interface, like (20.20.20.20:2222), from the Internet (Attached is the diagram for reference).
After the configurations when I test this access I get the following error in the log buffer
%ASA-7-710005: TCP request discarded from 203.199.157.110/50709 to Outside:10.10.10.10/2222
We are looking for any helpful suggestion to solve this problem.
Please note that basic configurations like policies/access lists, routing and NAT/PAT are working perfectly on this ASAv. Only this configuration related to Port forwarding does not seem to work. Also, even Packet Tracer shows the packets hitting the right NAT and ACLs.
Below are the configuration statements I have used.
------------------------------------------
Configurations
object network INTERNAL_SERVER
host 10.150.11.116
nat (Inside,Outside) static interface service tcp ssh 2222
exit
object network OUTSIDE_PUBLICIP
host 20.20.20.20
exit
object service PORT_SSH_2222
service tcp destination eq 2222
exit
object service PORT_SSH
service tcp destination eq 22
exit
access-list Outside_access_in permit tcp any object INTERNAL_SERVER log
access-list Outside_access_in permit ip any any log
access-group Outside_access_in in interface Outside
------------------------------------------------
Additionally, as part of the testing I have also tried the following changes/combinations, but without any luck:
- Used the global NAT instead of the object NAT mapping
- nat (Outside,Inside) source static any any destination static interface INTERNAL_SERVER service PORT_SSH_2222 PORT_SSH
- Instead of mapping on the Interface, I manually mapped to the Public IP (20.20.20.20) in the PAT and allowed the same in the ACL statements
- Tried services other than SSH like RDP and HTTPS but got the same error
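As an added example (not code from anyone in this thread), the following Python snippet parses %ASA-7-710005 lines in the exact format quoted above and flags the ones whose destination interface and port match a static PAT rule that was supposed to forward them. The forwarding table is derived from the `nat (Inside,Outside) static interface service tcp ssh 2222` statement in the post; the sample log lines other than the one quoted in the post are constructed, and the Teardown line is only there to show that unrelated messages are ignored.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Pattern for the %ASA-7-710005 line quoted in the thread, e.g.
# "%ASA-7-710005: TCP request discarded from 203.199.157.110/50709 to Outside:10.10.10.10/2222"
ASA_710005 = re.compile(
    r"%ASA-(?P<sev>\d)-710005: (?P<proto>[A-Z]+) request discarded from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<iface>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


@dataclass(frozen=True)
class DiscardEvent:
    proto: str
    src: str
    sport: int
    iface: str
    dst: str
    dport: int


def parse_710005(line: str):
    """Return a DiscardEvent for a 710005 message, or None for any other line."""
    m = ASA_710005.search(line)
    if m is None:
        return None
    return DiscardEvent(
        proto=m.group("proto"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        iface=m.group("iface"),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
    )


# Forwarding table derived from the thread's object NAT statement:
#   nat (Inside,Outside) static interface service tcp ssh 2222
# i.e. TCP/2222 arriving on Outside should be translated to 10.150.11.116:22.
FORWARDS = {("Outside", 2222): ("10.150.11.116", 22)}


def flag_forwarded_discards(lines, forwards=FORWARDS):
    """Return (event, expected_target) pairs for 710005 discards whose
    destination interface/port is one a static PAT rule should forward.
    A hit means a request to a forwarded port was logged as discarded
    rather than translated, which is exactly what the thread observes."""
    hits = []
    for line in lines:
        ev = parse_710005(line)
        if ev is None:
            continue
        key = (ev.iface, ev.dport)
        if key in forwards:
            hits.append((ev, forwards[key]))
    return hits


def sources_by_count(hits):
    """Count flagged discards per source address, most frequent first."""
    return Counter(ev.src for ev, _ in hits).most_common()


# Constructed sample log: the line from the thread plus made-up neighbours.
SAMPLE_LOG = [
    "%ASA-7-710005: TCP request discarded from 203.199.157.110/50709 to Outside:10.10.10.10/2222",
    "%ASA-7-710005: TCP request discarded from 203.199.157.110/50710 to Outside:10.10.10.10/2222",
    "%ASA-7-710005: TCP request discarded from 198.51.100.7/41000 to Outside:10.10.10.10/443",
    "%ASA-6-302014: Teardown TCP connection 4711 for Outside:198.51.100.7/41001 "
    "to Inside:10.150.11.116/22 duration 0:00:03 bytes 890 TCP FINs",
]

if __name__ == "__main__":
    hits = flag_forwarded_discards(SAMPLE_LOG)
    for ev, (real_ip, real_port) in hits:
        print(f"{ev.src}:{ev.sport} -> {ev.iface}:{ev.dst}/{ev.dport} discarded; "
              f"static PAT should have sent it to {real_ip}:{real_port}")
    print(sources_by_count(hits))
```

Running it against a real `show logging` export (one message per line) separates discards on ports you intend to forward from ordinary to-the-box noise on other ports, so you can see whether the forwarding rule is failing for every source or only for some.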
05-13-2023 11:40 AM
I have this exact problem too. I'm starting to think: software bug?
dr. JB
