Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
567
Views
0
Helpful
4
Replies

Port forwarding not working despite correct configuration?

Go to solution
wkurdziolek
Level 1
Level 1

‎04-25-2007 10:25 AM - edited ‎03-11-2019 03:04 AM

Our ASA-5505 has a single outside IP, and dynamic NAT for the LAN is working fine. I set up a static NAT rule for the outside IP to our internal SSH server and created an ACL that allows external connections to connect to the SSH port on the external IP so that the SSH port on the ASA-5505 is forwarded to the internal server. However, when I try to SSH from an external host, the connection times out, and the ASA logs that the connection is denied due to an ACL. To create this configuration I followed the Getting Started Guide and found several relevant guides both on Cisco.com and around the Internet, but the port forwarding isn't working and I'm pulling my hair out as to why the ACL which I already explicitly created isn't working. Here's the relevant config lines; if you need more information please reply.

access-list outside_access_in extended permit tcp any host X.X.X.X eq ssh log

static (inside,outside) X.X.X.X 192.168.18.51 netmask 255.255.255.255

access-group outside_access_in in interface outside

I sanitized the external IP to X.X.X.X for privacy.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
acomiskey
Level 10
Level 10

‎04-25-2007 10:55 AM

If x.x.x.x is outside interface address on ASA then you need to do this...

static (inside,outside) tcp interface 22 192.168.18.51 22 netmask 255.255.255.255

access-list outside_in permit tcp any interface eq 22

access-group outside_ in in interface outside

View solution in original post

0 Helpful

Go to solution
acomiskey
Level 10
Level 10
In response to wkurdziolek

‎04-25-2007 11:33 AM

If x.x.x.x is outside interface then you actually need to use the word "interface" in the static and acl, not x.x.x.x.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
acomiskey
Level 10
Level 10

‎04-25-2007 10:55 AM

If x.x.x.x is outside interface address on ASA then you need to do this...

static (inside,outside) tcp interface 22 192.168.18.51 22 netmask 255.255.255.255

access-list outside_in permit tcp any interface eq 22

access-group outside_ in in interface outside

0 Helpful

Go to solution
wkurdziolek
Level 1
Level 1
In response to acomiskey

‎04-25-2007 11:28 AM

static (inside,outside) tcp X.X.X.X ssh 192.168.18.51 ssh netmask 255.255.255.255

Didn't change the ACL, and I still get:

TCP access denied by ACL from to outside:X.X.X.X/22

In the logs.

0 Helpful

Go to solution
acomiskey
Level 10
Level 10
In response to wkurdziolek

‎04-25-2007 11:33 AM

If x.x.x.x is outside interface then you actually need to use the word "interface" in the static and acl, not x.x.x.x.

0 Helpful

Go to solution
wkurdziolek
Level 1
Level 1
In response to acomiskey

‎04-25-2007 11:36 AM

Ah, excellent. Now everything is working. Thanks a ton!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card