01-21-2009 07:53 AM - edited 03-11-2019 07:40 AM
Hello,
I want to enable access from the internet (Outside) to a server with IP address 192.168.100.30 on port 22, located on the Inside interface.
We have an ASA 5520, Cisco Adaptive Security Appliance Software Version 8.0(2).
My config (only relevant lines):
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 172.146.147.1 255.255.255.248 standby 172.146.147.2
!
interface GigabitEthernet0/3
nameif Inside
security-level 100
ip address 192.168.200.3 255.255.255.0 standby 192.168.200.2
.
.
access-list Inside_access_in extended permit ip 192.168.100.30 any
access-list Inside_access_in extended deny ip any any
.
.
access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh
access-list Outside_access_in extended deny ip any any
.
.
global (Outside) 1 172.146.147.11 netmask 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 10.1.33.0 255.255.255.0
nat (Inside) 1 10.1.34.0 255.255.255.0
nat (Inside) 1 10.1.35.0 255.255.255.0
nat (Inside) 1 10.1.36.0 255.255.255.0
nat (Inside) 1 10.1.39.0 255.255.255.0
nat (Inside) 1 10.1.41.0 255.255.255.0
nat (Inside) 1 10.1.42.0 255.255.255.0
nat (Inside) 1 10.1.44.0 255.255.255.0
nat (Inside) 1 10.1.99.0 255.255.255.0
nat (Inside) 1 10.40.2.0 255.255.255.0
nat (Inside) 1 10.40.24.0 255.255.255.0
nat (Inside) 1 192.168.100.0 255.255.255.0
nat (Inside) 1 192.168.250.0 255.255.255.0
nat (Inside) 1 192.168.96.0 255.255.248.0
static (Inside,Outside) tcp 172.146.147.14 ssh 192.168.100.30 ssh netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 172.146.147.14 1
route Inside 10.0.0.0 255.0.0.0 192.168.200.1 1
route Outside 172.16.101.72 255.255.255.252 195.146.147.14 1
route Inside 192.168.0.0 255.255.0.0 192.168.200.1 1
.
.
When I type telnet 172.146.147.15 22 from the public internet I can't open port 22... so I don't know - is something missing or wrong?
Thanks.
01-21-2009 01:46 PM
Below is your outside interface config:
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12
You are using 255.255.255.248 as the subnet, which makes 172.146.147.15 your broadcast address. That being said, you won't be able to access it. You need to use a different address in that range. The available addresses are 172.146.147.9 to 172.146.147.14.
regards,
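A quick way to check this subnet arithmetic before committing a static. The following Python script is an added example, not code from the thread or from Cisco: it derives the Outside subnet from the posted interface line, classifies the global address used in the posted static, and reports the usable host range. It also goes one step beyond the answer above by listing which host addresses the posted config leaves free, excluding the active and standby interface addresses, the default-route next hop (172.146.147.14) and the PAT global (172.146.147.11); that ALREADY_ASSIGNED set is my reading of the posted config and is an assumption, as is the token layout used to parse the static line.

```python
import ipaddress

# Values below are copied from the config posted in this thread.
OUTSIDE_INTERFACE_IP = "172.146.147.13"
OUTSIDE_NETMASK = "255.255.255.248"
STATIC_LINE = "static (Inside,Outside) tcp 172.146.147.15 ssh 192.168.100.30 ssh netmask 255.255.255.255"

# Addresses the posted config already assigns on the Outside segment.
# Assumption: this set is complete for the purpose of the check.
ALREADY_ASSIGNED = {
    "172.146.147.13",  # Outside interface, active unit
    "172.146.147.12",  # Outside interface, standby unit
    "172.146.147.14",  # next hop of 'route Outside 0.0.0.0 0.0.0.0 172.146.147.14 1'
    "172.146.147.11",  # 'global (Outside) 1 172.146.147.11' PAT address
}


def outside_network(ip: str, netmask: str) -> ipaddress.IPv4Network:
    """Network that the interface address/mask pair belongs to (here 172.146.147.8/29)."""
    return ipaddress.ip_interface(f"{ip}/{netmask}").network


def static_global_address(static_line: str) -> str:
    """Global (Outside) address from an 8.0-style port static.

    Assumed token layout:
    static (in,out) tcp <global> <port> <local> <port> netmask <mask>
    """
    tokens = static_line.split()
    return tokens[3]


def classify_address(candidate: str, ip: str, netmask: str) -> str:
    """Return 'host' if the address can carry a static, otherwise why it cannot."""
    net = outside_network(ip, netmask)
    addr = ipaddress.ip_address(candidate)
    if addr not in net:
        return "not-in-subnet"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


def usable_range(ip: str, netmask: str) -> tuple[str, str]:
    """First and last usable host address of the interface's subnet."""
    hosts = list(outside_network(ip, netmask).hosts())
    return str(hosts[0]), str(hosts[-1])


def free_for_static(ip: str, netmask: str, assigned: set[str]) -> list[str]:
    """Usable host addresses not already used elsewhere in the posted config."""
    return [str(h) for h in outside_network(ip, netmask).hosts() if str(h) not in assigned]


if __name__ == "__main__":
    g = static_global_address(STATIC_LINE)
    net = outside_network(OUTSIDE_INTERFACE_IP, OUTSIDE_NETMASK)
    print(f"{g} is the {classify_address(g, OUTSIDE_INTERFACE_IP, OUTSIDE_NETMASK)} address of {net}")
    print("usable hosts:", *usable_range(OUTSIDE_INTERFACE_IP, OUTSIDE_NETMASK))
    print("free for a static:", free_for_static(OUTSIDE_INTERFACE_IP, OUTSIDE_NETMASK, ALREADY_ASSIGNED))
```

Run as-is it reports 172.146.147.15 as the broadcast address of 172.146.147.8/29, a usable range of .9 to .14, and .9 and .10 as the only addresses the posted config has not already spent on the interface pair, the default gateway and the PAT global.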
01-21-2009 07:58 AM
Hi,
"access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh"
"static (Inside,Outside) tcp 172.146.147.14 ssh 192.168.100.30 ssh netmask 255.255.255.255"
Unless this is a typo, the access-list has to be:
access-list Outside_access_in extended permit tcp any host 172.146.147.14 eq ssh (not 172.146.147.15)
Regards
01-21-2009 11:51 AM
Sorry, I copied a bad line....
The right statements are:
access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh
static (Inside,Outside) tcp 172.146.147.15 ssh 192.168.100.30 ssh netmask 255.255.255.255
but this is not working....
Any other suggestion?
Thanks.
01-21-2009 12:12 PM
Do you have logging enabled? Using ASDM, you can trace the packet and see where the deny occurs.
01-21-2009 01:25 PM
No, logging is not enabled for now....
Maybe this can help:
access-list Outside_access_in line 7 extended permit tcp any host 172.146.147.15 eq ssh (hitcnt=0) 0xb6f77e86
access-list Inside_access_in line 29 extended permit ip host 192.168.100.30 any (hitcnt=77) 0x4db26635
show xlate:
PAT Global 172.146.147.15(22) Local 192.168.100.30(22)
PAT Global 172.146.147.11(30) Local 192.168.100.30(123)
PAT Global 172.146.147.11(34204) Local 10.1.44.51(52658)
....
Thanks.
01-21-2009 01:29 PM
You are not hitting your PAT address. The hit count on 172.146.147.15 is zero.
regards,
01-22-2009 04:41 AM
Thank you very much... it's working ;).
01-22-2009 04:45 AM
I am glad to hear!!