Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
607
Views
0
Helpful
6
Replies

Static nat when you have only one outside addr question

Go to solution
john.wright
Level 3
Level 3

‎06-26-2013 10:14 AM - edited ‎03-11-2019 07:03 PM

We have a remote site that has a 5505 ios 8.3.1.

We have a /30 outside addr range so we only have 2 outside addr available; the addr of the outside interface + the gateway.

We need to allow a vendor to access an inside addr.

Will the following config work in order to allow access?

(config)# object network voice_gateway

(config-network-object)# host 10.10.10.10

(config-network-object)# nat (inside,outside) static 109.109.109.109 service tcp ssh ssh

109.109.109.109 is the addr of the outside interface

object-group network vendor

network-object 8.9.9.9 255.255.255.224

access-list acl_outside extended permit tcp object-group vendor 109.109.109.109 255.255.255.252 eq ssh

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
malshbou
Level 1
Level 1
In response to john.wright

‎06-27-2013 02:39 PM

John

Use the keyword "interface"  instead of the IP.

---
Mashal Alshboul

------------------ Mashal Shboul

View solution in original post

0 Helpful
6 Replies 6

Go to solution
malshbou
Level 1
Level 1

‎06-26-2013 10:36 AM

Hi John,

You only need to fix the access-list so that it points to the private IP instead of the public IP, because your version is 8.3. This config will work for enabling inbound SSH access to your internal server, however, you should pay attention that if the natted public IP is the same as your outside interface IP, then SSH access to the ASA from the outside will not be possible, because all traffic hitting outside IP at port 22 will be redirected to the inside.

Hope this helps

---------
Mashal Alshboul

------------------ Mashal Shboul
0 Helpful

Go to solution
john.wright
Level 3
Level 3
In response to malshbou

‎06-26-2013 11:24 AM

Mashal

Thanks for the response. I was not sure about the acl so thanks for clearing that up.

And I understand what you are saying about the ssh.

Is there another way of doing the ssh access?

0 Helpful

Go to solution
malshbou
Level 1
Level 1
In response to john.wright

‎06-26-2013 11:38 AM

Hi John,

You cannot change the default SSH port in ASA. Instead, I suggest that you change the natted port to be any port other than 22 so that you get SSH access to both  ASA and internal server.

for example:

(config-network-object)# nat (inside,outside) static 109.109.109.109 service tcp ssh 222

Hope this answers your questions.

---------
Mashal Alshboul

------------------ Mashal Shboul
0 Helpful

Go to solution
john.wright
Level 3
Level 3
In response to malshbou

‎06-27-2013 07:43 AM

Mashal

here is what I got when I tried to set this up.

ERROR: Address 109.109.109.109 overlaps with outside interface address.

ERROR: NAT Policy is not downloaded

0 Helpful

Go to solution
malshbou
Level 1
Level 1
In response to john.wright

‎06-27-2013 02:39 PM

John

Use the keyword "interface"  instead of the IP.

---
Mashal Alshboul

------------------ Mashal Shboul
0 Helpful

Go to solution
john.wright
Level 3
Level 3
In response to malshbou

‎06-28-2013 07:41 AM

Mashal

Thanks, that worked!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top