
06-26-2013 10:14 AM - edited 03-11-2019 07:03 PM
We have a remote site that has a 5505 ios 8.3.1.
We have a /30 outside addr range so we only have 2 outside addr available; the addr of the outside interface + the gateway.
We need to allow a vendor to access an inside addr.
Will the following config work in order to allow access?
(config)# object network voice_gateway
(config-network-object)# host 10.10.10.10
(config-network-object)# nat (inside,outside) static 109.109.109.109 service tcp ssh ssh
109.109.109.109 is the addr of the outside interface
object-group network vendor
network-object 8.9.9.9 255.255.255.224
access-list acl_outside extended permit tcp object-group vendor 109.109.109.109 255.255.255.252 eq ssh

06-26-2013 10:36 AM
Hi John,
You only need to fix the access-list so that it points to the private IP instead of the public IP, because your version is 8.3. This config will work for enabling inbound SSH access to your internal server; however, you should pay attention that if the natted public IP is the same as your outside interface IP, then SSH access to the ASA from the outside will not be possible, because all traffic hitting the outside IP at port 22 will be redirected to the inside.
Hope this helps
---------
Mashal Alshboul

06-26-2013 11:24 AM
Mashal
Thanks for the response. I was not sure about the acl so thanks for clearing that up.
And I understand what you are saying about the ssh.
Is there another way of doing the ssh access?

06-26-2013 11:38 AM
Hi John,
You cannot change the default SSH port in ASA. Instead, I suggest that you change the natted port to be any port other than 22 so that you get SSH access to both ASA and internal server.
For example:
(config-network-object)# nat (inside,outside) static 109.109.109.109 service tcp ssh 222
Hope this answers your questions.
---------
Mashal Alshboul

06-27-2013 07:43 AM
Mashal
Here is what I got when I tried to set this up.
ERROR: Address 109.109.109.109 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

06-27-2013 02:39 PM
John
Use the keyword "interface" instead of the IP.
---
Mashal Alshboul

06-28-2013 07:41 AM
Mashal
Thanks, that worked!
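
The three corrections from the replies above, combined into one ASA 8.3+ configuration. This is an added example and not part of any post in the thread. The `access-group` binding, the `packet-tracer` source address 8.9.9.10 and source port 1025 are assumptions constructed for illustration; all other addresses and names are the thread's own.

```cisco
! Static PAT on the outside interface address.
! "interface" replaces the literal IP, which the ASA rejected with
! "Address 109.109.109.109 overlaps with outside interface address".
! Real port ssh (22) is published as outside port 222, so TCP/22 on the
! outside address still reaches the ASA's own SSH service.
object network voice_gateway
 host 10.10.10.10
 nat (inside,outside) static interface service tcp ssh 222

! Vendor source range, as written in the question.
object-group network vendor
 network-object 8.9.9.9 255.255.255.224

! From 8.3 on, the outside ACL is matched against the real (inside)
! address and real port, not the translated ones: 10.10.10.10 and ssh,
! not the outside address and 222.
access-list acl_outside extended permit tcp object-group vendor host 10.10.10.10 eq ssh

! Assumed: the ACL is applied inbound on the outside interface.
access-group acl_outside in interface outside

! Verification from the ASA CLI.
! Confirm the translation rule is installed:
show nat detail
! Simulate a vendor connection to outside port 222 (constructed source
! 8.9.9.10, source port 1025) and check that the UN-NAT phase rewrites
! the destination to 10.10.10.10/22 and the ACL phase permits it:
packet-tracer input outside tcp 8.9.9.10 1025 109.109.109.109 222
! Confirm that nothing outside the vendor range is permitted:
show access-list acl_outside
```

The vendor then connects to the outside address on port 222. Only sources inside the `vendor` object-group match the permit entry, so the published port is not reachable from other addresses.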
