ISR with NAT behind an ASA with NAT - TCP port changes

Unanswered Question
Aug 20th, 2010

Hi, I have an ISR in a DMZ behind an ASA; both are doing NAT. The ISR is the VPN tunnel termination point for remote sites, but I do need to SSH into it if the internet goes down (in the cloud). My issue is that I need to SSH to the outside interface of the ISR, and I am using NAT overload for the inside networks going through that interface, but no static PAT mapping. The ACLs are in place on the ISR and ASA, but the ISR is randomizing TCP ports due to NAT, and the ASA kills the connection as the conversation is not in its NAT table.

What I wanted to know is whether there is any way to allow SSH to the outside interface of the ISR with NAT, or to not change the TCP port numbers on outbound traffic?

Eg. ip nat inside source static 10.10.10.0 255.255.255.0 interface FastEthernet0/0 overload

I need to somehow add the IP of the outside address 192.168.10.1 to allow SSH in and not have the above NAT change the source port number. Can I add a 192.168.10.1 eq 22 192.168.10.1 eq 22 or something?

Is this possible?

Cheers,

Bob

Nagaraja Thanthry Fri, 08/20/2010 - 13:13

Hello,

If I understand you correctly, you have the ASA at the ISP edge and it is connected to the ISR on the DMZ interface. Your goal is to SSH to the ISR from the internet. You could do the following:

On the ASA:

static (dmz,outside) tcp interface 222 22 netmask 255.255.255.255

This will allow you to SSH to the ASA's outside interface IP on port 222 and get connected to the ISR. As long as your routing and access lists are correct, this will work.

Hope this helps.

Regards,

NT

bjames@snetworks.com Fri, 08/20/2010 - 13:58

Thanks NT,

We have an ACL that works on the ASA; traffic passes through. The issue is that the ISR is also NATting, with no static for its outside interface. When it receives the traffic from the outside, it changes the source TCP port on the reply packet (due to NAT); the ASA receives it, cannot put the SYN / SYN-ACK conversation together as one stream, and drops the packet.

Thanks,

Bob

Nagaraja Thanthry Fri, 08/20/2010 - 14:22

Hello,

If the traffic goes from the ASA directly to the ISR, the ISR should not be applying NAT. Can you please post the corresponding configurations from both devices?

Regards,

NT

bjames@snetworks.com Fri, 08/20/2010 - 14:37

It is...

I cannot post the configs, but it's a basic ISR terminating VPN tunnels with a NAT overload statement, for example:

int g0/0 (10.10.10.1)
 ip nat outside

int g0/1 (172.31.10.1)
 ip nat inside

ip nat inside source route-map SDM_RMAP_1 interface G0/0 overload

route-map SDM_RMAP_1 permit 1
 match ip address 110

access-list 110 deny   ip 172.30.4.0 0.0.0.255 any
access-list 110 deny   ip any 172.30.4.0 0.0.0.255
access-list 110 permit ip any any

Because there is no static for the outside IP 10.10.10.1 (which I am trying to SSH into), the return traffic is changing the TCP port numbers (NAT).

The same command that would fix this on an ASA is: static (DMZ,Internet) x.x.x.x 10.10.10.1

Cheers

Nagaraja Thanthry Fri, 08/20/2010 - 14:46

Hello,

Typically, you do not need a static on the ISR. Just a static on the ASA would work. The issue seems to be with the "permit ip any any" in your access-list. Can you please try the following on the ISR:

access-list 101 deny ip any

no ip nat inside source route-map SDM_RMAP_1 interface G0/0 overload

ip nat inside source list 101 interface G0/0 overload

I am assuming that 172.30.4.0/24 is your VPN subnet.

Hope this helps.

Regards,

NT
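The two halves of the approach discussed in this thread, put together as an added example (this is not configuration posted by either participant). It assumes ASA 8.2-style syntax, that the ASA's DMZ interface is named "dmz", that the ISR's inside subnet is 172.31.10.0/24 and the VPN subnet is 172.30.4.0/24 (the addresses given above, with /24 masks assumed), and that the interface names are GigabitEthernet0/0 (outside) and GigabitEthernet0/1 (inside). The ISR side narrows the NAT ACL to the real inside subnet as a source instead of "permit ip any any", so only traffic that actually originates inside is a candidate for PAT; the "deny" keeps the VPN subnet out of the translation, as in the original ACL 110. Whether this alone resolves the port rewrite in your environment is something to confirm with the verification commands at the end.

```cisco
! ===== ASA (8.2 syntax, assumed) =====
! Static PAT: outside-interface-IP:222 -> ISR outside address (10.10.10.1 assumed):22
static (dmz,outside) tcp interface 222 10.10.10.1 22 netmask 255.255.255.255
!
! Permit only SSH on the redirected port to the outside interface;
! restrict the source to a known management range rather than "any" where possible.
access-list outside_in extended permit tcp any interface outside eq 222
access-group outside_in in interface outside

! ===== ISR (IOS) =====
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 172.31.10.1 255.255.255.0
 ip nat inside
!
! NAT candidates: only the real inside subnet, and never toward the VPN subnet.
! (ACL 101 is a hypothetical replacement for the route-map-based statement.)
access-list 101 deny   ip 172.31.10.0 0.0.0.255 172.30.4.0 0.0.0.255
access-list 101 permit ip 172.31.10.0 0.0.0.255 any
!
no ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
! Restrict the vty lines to SSH and to the management source (ACL 10 is hypothetical).
access-list 10 permit 192.168.10.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh

! ===== Verification =====
! ISR: while an SSH session to 10.10.10.1 is being opened, there should be
! no translation entry for TCP/22 on the outside address.
!   show ip nat translations
!   show ip nat statistics
! ASA: the xlate for 222->22 and a single conn for the session should be present.
!   show xlate
!   show conn
```

If the ISR still shows a translation whose inside local is 10.10.10.1 port 22 after this change, the port rewrite is coming from something other than the overload ACL, and the next thing to collect is "debug ip nat detailed" on the ISR together with "show conn" on the ASA for the same connection attempt.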
