ASA 8.3 PAT

Answered Question
Aug 6th, 2010

Hi All,

I'm well aware that there must be several posts on this topic already (I've read a few) and even searched other articles, but I am having no joy whatsoever. Perhaps this will be a chance for someone to get 5 easy points.

I'm currently running an ASA 5505 8.3.(2) and ASDM 6.3.(2). I cannot get PAT working for the life of me. I would dearly like to get my outside interface to nat port 2202 to an internal host (LXSERVER) on port 22.

OUTSIDE interface: DHCP

DMZ interface: 10.2.2.1

DMZ host: LXSERVER 10.2.2.2

e.g. any IP ----> OUTSIDE INTERFACE:2202 ----> PAT -----> LXSERVER:2202

I can access the LXSERVER from my INSIDE (192.168.2.0/24) network and access the internet from within without a problem.

interface Vlan10
 nameif OUTSIDE
 security-level 0
 ip address dhcp setroute
!
interface Vlan20
 nameif DMZ
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
output omitted
!
object network LXSERVER
 host 10.2.2.2
!
output omitted
!
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq 2202
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq 2202
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq ssh
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq ssh
!
output omitted
!
object network LXSERVER
 nat (DMZ,OUTSIDE) static interface service tcp ssh 2202
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
nat (LAB,OUTSIDE) after-auto source dynamic any interface
nat (DMZ,OUTSIDE) after-auto source dynamic any interface
access-group INSIDE_access_in in interface INSIDE
access-group OUTSIDE_access_in in interface OUTSIDE
access-group LAB_access_in in interface LAB

I have highlighted in bold what I see as important config. I have added the four access list entries as above purely for testing and have been trying to use the Packet Tracer to determine what is the correct ACL to have in place.

So, I have a couple of questions, namely,

1. Is my config wrong, and if so

2. What is the correct config in order to achieve my goal

3. If you were to test this with the packet tracer, what destination IP and port would you input as the relevant parameters?

Best Regards,

Conor

Correct Answer by Nagaraja Thanthry about 6 years 4 months ago

Hello,

Your configuration looks good. Can you please make sure that the default gateway on the DMZ server is set to the DMZ interface IP? Also, you do not need the following lines:

access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq 2202
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq 2202
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq ssh

If it is still not working, please check the access-list hit count (show access-list OUTSIDE_access_in). If you do not see any hit count for the rule that allows ssh access, your ISP might be blocking non-standard ports. You need to talk to them and open up the ports.

Hope this helps.

Regards,

NT

Conor Cunningham Fri, 08/06/2010 - 07:27

Dear Nagaraja,

Thanks for the speedy post. I just went back and tried to ssh to my server and, hey presto, it worked. It must have been the last change I made and most likely failed to test in my ever growing impatience. Seems all that reading and trial and error paid off. I also worked out that you need to use the internal ip and port in the firewall ACL but the outside interface and 'to be patted' port.

Thanks again, and as I suggested, 5 stars easily earnt!

So, for anyone else having this problem, the above config works, but be sure to note Nagaraja's information regarding the unnecessary ACLs.

Cheers,

Conor
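To make the point behind Nagaraja's answer and Conor's closing observation concrete: on ASA 8.3 and later, an inbound packet is first un-NATed and only then checked against the interface ACL, so the ACL must name the real host (10.2.2.2) and the real port (ssh/22), not the outside interface or the mapped port 2202. The following Python model is an added example written for this page; it is not Cisco code and not part of the thread. It parses the thread's own object NAT and ACL lines, walks one SSH attempt through un-NAT and ACL evaluation, and reports which of the four test ACEs never receive a hit. The outside address 203.0.113.10 is a constructed stand-in for the DHCP-assigned address, and all function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed value: the OUTSIDE interface is DHCP-assigned in the thread, so a
# documentation-range address stands in for it here.
OUTSIDE_IF_IP = "203.0.113.10"

# ASA accepts well-known service keywords in place of port numbers.
SERVICE_PORTS = {"ssh": 22, "www": 80, "https": 443, "smtp": 25}


def port_of(tok: str) -> int:
    """Resolve an ASA port token ('ssh' or '2202') to an integer port."""
    return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)


@dataclass
class StaticPat:
    real_ip: str
    real_port: int
    mapped_port: int  # port presented on the OUTSIDE interface address


@dataclass
class Ace:
    text: str
    dst_ip: str
    dst_port: int
    hits: int = 0


def parse_object_nat(cfg: List[str]) -> List[StaticPat]:
    """Collect 'object network X' blocks that carry a 'host A' and a static PAT line."""
    rules, host = [], None
    for raw in cfg:
        ln = raw.strip()
        if ln.startswith("object network "):
            host = None
        m = re.fullmatch(r"host (\S+)", ln)
        if m:
            host = m.group(1)
            continue
        m = re.fullmatch(r"nat \((\w+),(\w+)\) static interface service tcp (\S+) (\S+)", ln)
        if m and host:
            rules.append(StaticPat(host, port_of(m.group(3)), port_of(m.group(4))))
    return rules


def parse_acl(cfg: List[str], name: str) -> List[Ace]:
    """Parse the 'permit tcp any <dst> eq <port>' ACEs of one named ACL.
    A destination of 'interface OUTSIDE' means the interface's own address."""
    pat = re.compile(rf"access-list {name} extended permit tcp any (?:host (\S+)|interface \w+) eq (\S+)")
    aces = []
    for raw in cfg:
        ln = raw.strip()
        m = pat.fullmatch(ln)
        if m:
            aces.append(Ace(ln, m.group(1) or OUTSIDE_IF_IP, port_of(m.group(2))))
    return aces


def untranslate(dst_ip: str, dst_port: int, pats: List[StaticPat]) -> Tuple[str, int]:
    """Step 1 of the 8.3 inbound flow: map <interface IP>:<mapped port> back to
    <real host>:<real port>. Packets that match no static PAT are left unchanged."""
    for p in pats:
        if dst_ip == OUTSIDE_IF_IP and dst_port == p.mapped_port:
            return p.real_ip, p.real_port
    return dst_ip, dst_port


def inbound_lookup(dst_ip: str, dst_port: int, pats: List[StaticPat],
                   aces: List[Ace]) -> Tuple[str, int, Optional[str]]:
    """Step 2: the inbound ACL is evaluated on the real (un-NATed) destination.
    Returns (real_ip, real_port, text of the matching ACE, or None = implicit deny)."""
    real_ip, real_port = untranslate(dst_ip, dst_port, pats)
    for ace in aces:
        if ace.dst_ip == real_ip and ace.dst_port == real_port:
            ace.hits += 1
            return real_ip, real_port, ace.text
    return real_ip, real_port, None


# The thread's own configuration lines, as posted.
THREAD_CONFIG = """
object network LXSERVER
 host 10.2.2.2
 nat (DMZ,OUTSIDE) static interface service tcp ssh 2202
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq 2202
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq 2202
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq ssh
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq ssh
""".strip().splitlines()


def unused_aces_after_ssh(dst_port: int = 2202) -> Tuple[Optional[str], List[str]]:
    """Send one SSH attempt to OUTSIDE:<dst_port>; return the ACE that matched
    (None if denied) and the ACEs whose hit count is still zero afterwards."""
    pats = parse_object_nat(THREAD_CONFIG)
    aces = parse_acl(THREAD_CONFIG, "OUTSIDE_access_in")
    _, _, matched = inbound_lookup(OUTSIDE_IF_IP, dst_port, pats, aces)
    return matched, [a.text for a in aces if a.hits == 0]


if __name__ == "__main__":
    matched, unused = unused_aces_after_ssh()
    print("matched:", matched)
    for t in unused:
        print("no hits:", t)
```

Running it shows the only ACE that ever matches is the `host 10.2.2.2 eq ssh` line; the three entries Nagaraja called unnecessary stay at zero hits, which is the same thing `show access-list OUTSIDE_access_in` would reveal on the box. In packet-tracer terms (Conor's third question), that is why the trace is run against the outside interface address and port 2202, while the ACL that must permit it names the inside address and port 22.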
