Not getting to my inside server over SSH from the outside network

Jul 8th, 2010

hi,

I am a newbie in security. I am facing a problem with an ASA 5505. The problem is that from the outside zone I am not able to SSH into one of my inside servers.

Here is my network:


    wan <-------------- router <-------------- ASA <-------------- server
                                       Outside  |  Inside


The router is doing the NAT operation. I have configured my router so that any SSH request that comes in is forwarded to the ASA's outside interface. When the request reaches the ASA, it forwards the request to the server 10.49.49.2.


But the problem is that I am not able to SSH to the server.


Here is my running config attached.


Help me

Nagaraja Thanthry Thu, 07/08/2010 - 07:28
User Badges:
  • Cisco Employee,

Hello,


I see two issues. One, on the firewall, you have already configured SSH on the outside interface and you are trying to use the same port for SSH to the inside server. There is a conflict. Second, I am not sure how you are translating the IP on the router. Also, I see that the access-lists are incorrect:


access-list outside_int_in extended permit icmp any host 10.49.49.2
access-list outside_int_in extended permit tcp interface outside eq ssh host 10.49.49.2


So, please try the following:


On the router:


ip route 10.49.49.0 255.255.255.0 10.10.1.1


ip nat inside source static tcp 10.49.49.2 22 <router-outside-ip> 22 extendable


On the firewall:


static (inside,outside) 10.49.49.2 10.49.49.2 netmask 255.255.255.255


access-list outside_int_in extended permit icmp any host 10.49.49.2

no access-list outside_int_in extended permit tcp interface outside eq ssh host 10.49.49.2
access-list outside_int_in extended permit tcp any host 10.49.49.2 eq ssh


If you do not want the router to know about 10.49.49.0 subnet, then do the following:


On the firewall:


static (inside,outside) 10.10.1.x 10.49.49.2 netmask 255.255.255.255 (where x is an unused IP address)


no access-list outside_int_in extended permit icmp any host 10.49.49.2

no access-list outside_int_in extended permit tcp interface outside eq ssh host 10.49.49.2

access-list outside_int_in extended permit icmp any host 10.10.1.x
access-list outside_int_in extended permit tcp any host 10.10.1.x eq ssh


On the router:


ip nat inside source static tcp 10.10.1.x 22 <router-outside-ip> 22 extendable


This will ensure that the router is doing translation for the original IP of the server and that it has a route to the server. Then the firewall will allow the SSH traffic to the server through it.


Hope this helps.


Regards,


NT
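The answer above boils down to three checks on the ASA side: the outside ACL must not name `interface outside` as the source, the `eq ssh` must sit on the destination, and (on pre-8.3 ASA, where ACLs are evaluated against translated addresses) the destination host in the outside ACL must be the mapped address of a `static`. The lint below encodes those checks, plus the management-SSH collision the answer describes. It is an added example for this thread, not the poster's configuration and not Cisco tooling. It assumes pre-8.3 `static` syntax, constructed config fragments that mirror the poster's description, 10.10.1.10 as the unused 10.10.1.x address, 203.0.113.0/24 as an assumed admin network, and a port-forwarding `static ... tcp interface ssh ...` line as the one that collides with management SSH (the poster's attachment is not visible, so that line is an assumption).

```python
"""Lint a pre-8.3 ASA config fragment for the mistakes discussed in the thread.
Added example, not the poster's config and not Cisco tooling; both config
strings below are constructed for illustration."""
import re

# ACE grammar covered: access-list NAME extended permit|deny PROTO SRC [eq PORT] DST [eq PORT]
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|interface \S+|\S+ \S+)(?: eq (?P<sport>\S+))? "
    r"(?P<dst>any|host \S+|interface \S+|\S+ \S+)(?: eq (?P<dport>\S+))?$"
)
GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface (?P<iface>\S+)$")
# static (real_if,mapped_if) MAPPED REAL netmask ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) (?P<mapped>\S+) (?P<real>\S+) netmask"
)
# static (real_if,mapped_if) tcp|udp MAPPED MPORT REAL RPORT netmask ...
PORT_STATIC_RE = re.compile(
    r"^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+) netmask"
)
SSH_MGMT_RE = re.compile(r"^ssh (?P<net>\S+) (?P<mask>\S+) (?P<iface>\S+)$")


def lint(config: str) -> list[str]:
    """Return one finding per problem, in config order (empty list = clean)."""
    lines = [l.strip() for l in config.splitlines()
             if l.strip() and not l.strip().startswith("!")]
    bound = {}        # acl name -> interface it is applied inbound on
    mapped_on = {}    # interface -> mapped addresses exposed by statics there
    port_statics = []  # (mapped_if, mapped, proto, mport)
    ssh_mgmt = []     # (iface, net, mask)
    aces = []
    for line in lines:
        if m := GROUP_RE.match(line):
            bound[m["acl"]] = m["iface"]
        elif m := PORT_STATIC_RE.match(line):
            mapped_on.setdefault(m["mapped_if"], set()).add(m["mapped"])
            port_statics.append((m["mapped_if"], m["mapped"], m["proto"], m["mport"]))
        elif m := STATIC_RE.match(line):
            mapped_on.setdefault(m["mapped_if"], set()).add(m["mapped"])
        elif m := SSH_MGMT_RE.match(line):
            ssh_mgmt.append((m["iface"], m["net"], m["mask"]))
        elif m := ACE_RE.match(line):
            aces.append((line, m))

    findings = []
    for line, m in aces:
        iface = bound.get(m["acl"])
        if iface is None:
            continue  # ACL not applied anywhere, nothing reaches it
        # Inbound traffic on an interface never has that interface's own address as source.
        if m["src"] == f"interface {iface}":
            findings.append(f"{line}: source 'interface {iface}' never matches inbound "
                            f"traffic; use 'any' or the client network")
        # A service port on the source side does not describe SSH *to* the server.
        if m["sport"] and not m["dport"]:
            findings.append(f"{line}: 'eq {m['sport']}' is on the source side; the service "
                            f"port belongs after the destination")
        # Pre-8.3: the ACL sees translated addresses, so the host must be a static's mapped side.
        if m["dst"].startswith("host "):
            dst_ip = m["dst"].split()[1]
            if dst_ip not in mapped_on.get(iface, set()):
                findings.append(f"{line}: {dst_ip} is not the mapped address of any static on "
                                f"{iface}; pre-8.3 ACLs match translated addresses")
    for iface, net, mask in ssh_mgmt:
        if (net, mask) == ("0.0.0.0", "0.0.0.0"):
            findings.append(f"ssh {net} {mask} {iface}: management SSH open to any source on {iface}")
        for mapped_if, mapped, proto, mport in port_statics:
            # Forwarding tcp/22 on the interface address collides with management SSH there.
            if mapped_if == iface and mapped == "interface" and proto == "tcp" and mport in ("22", "ssh"):
                findings.append(f"static tcp interface {mport} on {iface} collides with "
                                f"management SSH on the same interface address")
    return findings


# Constructed fragment mirroring the poster's description and the answer's diagnosis.
BROKEN_CONFIG = """
! assumed: management SSH on outside plus a port-forward on the interface address
ssh 0.0.0.0 0.0.0.0 outside
static (inside,outside) tcp interface ssh 10.49.49.2 ssh netmask 255.255.255.255
access-list outside_int_in extended permit icmp any host 10.49.49.2
access-list outside_int_in extended permit tcp interface outside eq ssh host 10.49.49.2
access-group outside_int_in in interface outside
"""

# The answer's second option with x = 10 and an assumed admin network for management SSH.
FIXED_CONFIG = """
ssh 203.0.113.0 255.255.255.0 outside
static (inside,outside) 10.10.1.10 10.49.49.2 netmask 255.255.255.255
access-list outside_int_in extended permit icmp any host 10.10.1.10
access-list outside_int_in extended permit tcp any host 10.10.1.10 eq ssh
access-group outside_int_in in interface outside
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print("  -", f)
```

The broken fragment produces six findings (the unmapped destination on both ACEs, the `interface outside` source, the misplaced `eq ssh`, wide-open management SSH, and the port-22 collision); the fixed fragment produces none. The answer's first option, an identity `static (inside,outside) 10.49.49.2 10.49.49.2 netmask 255.255.255.255` with the ACL pointing at 10.49.49.2, also passes, because the real and mapped addresses coincide. The mapped-address check applies only to ASA releases before 8.3; from 8.3 onward ACLs are written against real addresses. The one thing the thread does not say that a practitioner should still do is restrict the `ssh` management source network on the outside interface rather than leaving it at 0.0.0.0 0.0.0.0.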

Shuvanjan Krish... Sun, 07/11/2010 - 02:17

Hi,


Thanks for the help. I tested it today and it works.


Thanks & Regards

Shuvanjan Krishna Bhattacharya
