Port forwarding

ericault1
Level 1

I have a newly installed 5505 ASA device - and I am not that familiar with it yet.  In fact, I only have a moderate level of experience in configuring routers at all.

We have an outside vendor who requires access to a phone device inside our network (ip 192.168.1.247) using TCP on port 22.  When I try to configure, it seems to automatically translate port 22 to SSH service.

A) I cannot find anything to indicate, but maybe I need to disable (?) SSH or change the default port for SSH?

B) I cannot find any clear steps to configure the port forwarding.  I assume I need to establish an ACE, then a NAT Rule.  Should that NAT include PAT?  (This is where my 22 keeps changing to SSH and will not save.)

Any help would be appreciated.  (Going slow for the novice would be appreciated even more.)

2 Replies

Jeff Van Houten
Level 5

SSH is typically bound to TCP port 22.

Sent from Cisco Technical Support iPad App

Eric

You can enter numeric 22 in the access list or NAT or PAT configuration and the ASA will automatically convert that to SSH. That conversion does not cause problems in and of itself.

Here are some things to think about that may help you find a solution:

- for the vendor to access the phone device on an inside private address the ASA will need some type of static translation.

- if you just did a translation that any incoming TCP port 22 connection translates to the inside address that would probably allow the vendor to access the phone device. But it would prevent any other incoming SSH access (which might or might not be a problem depending on your circumstances).

- if you have some available public address on the ASA other than the IP on the outside interface you might be able to do a static translation so that the public interface translates to the inside private address. This may be the most simple solution (but does require an available address).

- if the vendor could make that access request use a different destination port (perhaps 2222) then you could do a translation on the ASA such that any incoming TCP 2222 gets translated to the inside IP address and port 22.

HTH

Rick
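The following configuration is an added illustration of the options Rick lists above; it is not from the thread or from Cisco. It assumes ASA software 8.3 or later (object-based NAT syntax; the pre-8.3 `static (inside,outside) tcp interface 22 ...` form differs), interfaces named `inside` and `outside`, and placeholder public addresses (203.0.113.10 for the vendor's source, 198.51.100.5 for a spare public address) that must be replaced with real values.

```text
! Added example, not from the original thread. Assumes ASA 8.3+ object NAT,
! interfaces named "inside"/"outside", placeholder addresses.
object network obj-phone-ssh
 host 192.168.1.247
 description Vendor-managed phone, SSH on TCP/22
 ! Option 1 (Rick's 2nd bullet): static PAT on the outside interface address,
 ! inbound TCP 22 -> 192.168.1.247:22. Showing "ssh" instead of "22" is normal.
 nat (inside,outside) static interface service tcp 22 22
!
! Permit only the vendor's public source address (placeholder 203.0.113.10).
! From 8.3 onward the ACL matches the real (inside) address and real port,
! not the translated ones, so the object and "eq 22" are used here.
access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 object obj-phone-ssh eq 22
access-group OUTSIDE_IN in interface outside
!
! Option 2 (Rick's 3rd bullet): a spare public address instead of the interface.
! Replace the "nat" line inside the object with:
!  nat (inside,outside) static 198.51.100.5
!
! Option 3 (Rick's 4th bullet): vendor connects to TCP 2222, ASA maps it to 22.
! Replace the "nat" line inside the object with:
!  nat (inside,outside) static interface service tcp 22 2222
! The access-list line stays "eq 22" because it matches the real port.
!
! Option 1 shares port 22 on the outside address with ASA management SSH
! ("ssh <addr> <mask> outside"); if management SSH is needed on that
! interface, prefer Option 2 or 3 so the two do not compete for the port.
!
! Verification (read-only) after applying, with the real outside address:
!  packet-tracer input outside tcp 203.0.113.10 40000 <outside-ip> 22
!  show nat detail
!  show xlate
```

The `packet-tracer` output walks through the NAT un-translation and the ACL lookup phase by phase, which is the quickest way to confirm that the rule is hit before asking the vendor to test.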