Can't SSH to Linux server IP in DMZ

Apr 10th, 2008

I'm trying to SSH from to but not having any luck. The Linux server has two NICs, one is and the other is. The default gateway for this server is set to. If I set the default gateway on it to then I can SSH fine to but not to.

With the config as it is if I remove the following then it works, but breaks services for other servers in the DMZ:

access-list dmz_acl extended permit ip any

SSH from a server in the DMZ to the DMZ IP of the Linux server works fine of course.

I'm sure I'm missing something obvious but I'm no Cisco firewall expert quite yet.

Thanks for any help.

acomiskey Thu, 04/10/2008 - 07:52

I don't see how removing that line in the access-list should have any effect. The way it is written, would never be a source address while the ACL is applied into the dmz. I would think you need to add a persistent route to the Linux server, or you need to NAT the source address from to a 192.168.5.x address.

jimgrumbles Thu, 04/10/2008 - 09:08

Sorry, I pasted the wrong line. When I remove this:

static (inside,dmz) netmask

I can SSH to the DMZ IP fine but it breaks other DMZ servers.

acomiskey Thu, 04/10/2008 - 09:46

The easiest thing to do with your current configuration would be to leave the static command in place. Then add a persistent route on the Linux server which points to.

Alternatively you could do (I think):

no static (inside,dmz) netmask

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended deny ip host host

access-list inside_nat0_outbound extended permit ip

nat (inside) 1 access-list nat_to_ssh_server

access-list nat_to_ssh_server extended permit ip host host

This should exempt all traffic between inside and dmz, except for communication between the SSH client and the SSH server. The policy NAT statement will allow the SSH client to PAT using the global (dmz) command.
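The symptom in the question, where the reply traffic leaves the dual-homed host through the other NIC so the firewall never sees the SYN-ACK and the handshake never completes, can be reproduced with a small model of the kernel's route lookup. The following is an added example, not code from the thread or from Cisco; the addresses in the post were stripped, so the ones below are constructed from the RFC 5737 documentation ranges, and the interface names eth0/eth1 and the iproute2 commands quoted in the docstring are assumptions. Beyond the single persistent route suggested above, it also shows source-based policy routing, which keeps both of the server's addresses reachable at once.

```python
"""Model of the asymmetric-routing problem behind the thread's symptom.

Added example, not code from the thread. The post's addresses were stripped,
so every address here is constructed from the RFC 5737 documentation ranges.
The Linux host is dual-homed: eth0 on the inside network, eth1 on the DMZ.
A stateful firewall only completes the TCP handshake if the SYN-ACK leaves the
host through the interface the SYN arrived on; otherwise it never sees it.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[str] = None  # None: directly connected, no next hop


# Constructed topology (not from the post).
INSIDE_NET = IPv4Network("192.0.2.0/24")     # inside segment, eth0
DMZ_NET = IPv4Network("198.51.100.0/24")     # DMZ segment, eth1
INSIDE_IP, DMZ_IP = "192.0.2.10", "198.51.100.10"
INSIDE_GW, DMZ_GW = "192.0.2.1", "198.51.100.1"  # DMZ_GW: firewall's dmz interface
CLIENT = "10.1.1.50"  # SSH client on a remote inside subnet, reached via a gateway
DEFAULT = IPv4Network("0.0.0.0/0")

CONNECTED = [Route(INSIDE_NET, "eth0"), Route(DMZ_NET, "eth1")]


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match over a single routing table, as the kernel does."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def single_table(default_gw: str, default_dev: str) -> List[Route]:
    """The host's main table with one default gateway (the OP's two configurations)."""
    return CONNECTED + [Route(DEFAULT, default_dev, via=default_gw)]


def ingress_dev(server_ip: str) -> str:
    """Which NIC a connection to the given server address arrives on."""
    return "eth0" if ipaddress.IPv4Address(server_ip) in INSIDE_NET else "eth1"


def reply_symmetric(table: List[Route], server_ip: str, client_ip: str) -> bool:
    """True if the SYN-ACK leaves through the NIC the SYN arrived on."""
    return lookup(table, client_ip).dev == ingress_dev(server_ip)


def pbr_reply_symmetric(server_ip: str, client_ip: str) -> bool:
    """Source-based policy routing: choose the table by the reply's source address.

    Equivalent iproute2 setup (assumed command lines, not from the post):
      ip route add default via 198.51.100.1 dev eth1 table 100
      ip rule add from 198.51.100.10 lookup 100
    Replies sourced from the DMZ address use table 100 (default via the firewall's
    DMZ interface); everything else uses the main table with the inside gateway.
    """
    main = single_table(INSIDE_GW, "eth0")
    dmz_table = CONNECTED + [Route(DEFAULT, "eth1", via=DMZ_GW)]
    table = dmz_table if server_ip == DMZ_IP else main
    return lookup(table, client_ip).dev == ingress_dev(server_ip)


def summarize() -> dict:
    """Outcome of each configuration as (ssh to inside IP ok, ssh to DMZ IP ok)."""
    gw_inside = single_table(INSIDE_GW, "eth0")
    gw_dmz = single_table(DMZ_GW, "eth1")
    return {
        "default via inside gw": (reply_symmetric(gw_inside, INSIDE_IP, CLIENT),
                                  reply_symmetric(gw_inside, DMZ_IP, CLIENT)),
        "default via dmz gw": (reply_symmetric(gw_dmz, INSIDE_IP, CLIENT),
                               reply_symmetric(gw_dmz, DMZ_IP, CLIENT)),
        "source policy routing": (pbr_reply_symmetric(INSIDE_IP, CLIENT),
                                  pbr_reply_symmetric(DMZ_IP, CLIENT)),
    }


if __name__ == "__main__":
    for name, (to_inside, to_dmz) in summarize().items():
        print(f"{name:24s} ssh to inside IP: {'ok' if to_inside else 'FAILS'}   "
              f"ssh to DMZ IP: {'ok' if to_dmz else 'FAILS'}")
```

The first two rows of the summary reproduce the two observations in the question: whichever NIC carries the default route, SSH to the address on the other NIC gets an asymmetric reply and fails. A single persistent route for the client fixes one direction at the cost of the other, which is why a dual-homed host with a firewall between its segments is usually given a per-source routing table instead.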

jimgrumbles Fri, 04/11/2008 - 13:56

Thanks for the replies acomiskey. I was finally able to get it to work with some trial and error with the ACLs. I had my conceptions of a DMZ server mixed up anyhow, since I realized all our other DMZ servers only had IPs in the DMZ and not in both subnets.
