Hi, I have an ISR in a DMZ behind an ASA; both are doing NAT. The ISR is the VPN tunnel termination point to remote sites, but I do need to SSH into it if the internet goes down (in the cloud). My issue is I need to SSH to the outside interface of the ISR, and I am using NAT overload for the inside networks going through the interface, but no static PAT mapping. The ACLs are in place on the ISR and ASA, but the ISR is randomizing TCP ports due to NAT, and the ASA kills the connection as the conversation is not in its NAT table.
What I wanted to know is if there is any way to allow SSH to the outside interface of the ISR with NAT, or to not change the TCP port numbers on outbound traffic?
E.g. ip nat inside source static 10.10.10.0 255.255.255.0 interface FastEthernet0/0 overload
I need to somehow add the IP of the outside address 192.168.10.1 to allow SSH in and not have the above NAT change the source port number. Can I add a 192.168.10.1 eq 22 192.168.10.1 eq 22 or something?
Is this possible?