Port forwarding not working despite correct configuration?

Answered Question
Apr 25th, 2007
User Badges:

Our ASA-5505 has a single outside IP, and dynamic NAT for the LAN is working fine. I set up a static NAT rule for the outside IP to our internal SSH server and created an ACL that allows external connections to connect to the SSH port on the external IP so that the SSH port on the ASA-5505 is forwarded to the internal server. However, when I try to SSH from an external host, the connection times out, and the ASA logs that the connection is denied due to an ACL. To create this configuration I followed the Getting Started Guide and found several relevant guides both on Cisco.com and around the Internet, but the port forwarding isn't working and I'm pulling my hair out as to why the ACL which I already explicitly created isn't working. Here's the relevant config lines; if you need more information please reply.


access-list outside_access_in extended permit tcp any host X.X.X.X eq ssh log

static (inside,outside) X.X.X.X 192.168.18.51 netmask 255.255.255.255

access-group outside_access_in in interface outside


I sanitized the external IP to X.X.X.X for privacy.

Correct Answer by acomiskey about 9 years 11 months ago

If x.x.x.x is outside interface then you actually need to use the word "interface" in the static and acl, not x.x.x.x.

Correct Answer by acomiskey about 9 years 11 months ago

If x.x.x.x is outside interface address on ASA then you need to do this...


static (inside,outside) tcp interface 22 192.168.18.51 22 netmask 255.255.255.255

access-list outside_in permit tcp any interface eq 22

access-group outside_ in in interface outside

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
Correct Answer
acomiskey Wed, 04/25/2007 - 10:55
User Badges:
  • Green, 3000 points or more

If x.x.x.x is outside interface address on ASA then you need to do this...


static (inside,outside) tcp interface 22 192.168.18.51 22 netmask 255.255.255.255

access-list outside_in permit tcp any interface eq 22

access-group outside_ in in interface outside

wkurdziolek Wed, 04/25/2007 - 11:28
User Badges:

static (inside,outside) tcp X.X.X.X ssh 192.168.18.51 ssh netmask 255.255.255.255


Didn't change the ACL, and I still get:


TCP access denied by ACL from to outside:X.X.X.X/22


In the logs.

Correct Answer
acomiskey Wed, 04/25/2007 - 11:33
User Badges:
  • Green, 3000 points or more

If x.x.x.x is outside interface then you actually need to use the word "interface" in the static and acl, not x.x.x.x.

wkurdziolek Wed, 04/25/2007 - 11:36
User Badges:

Ah, excellent. Now everything is working. Thanks a ton!

Actions

This Discussion