ISR with NAT behind an ASA with NAT - TCP port changes


Hi, I have an ISR in a DMZ behind an ASA, both are doing NAT. The ISR is the VPN tunnel termination point to remote sites, but I do need to SSH into it if the internet goes down (in the cloud). My issue is I need to SSH to the outside interface of the ISR and I am using NAT overload for the inside networks going through the interface, but no static PAT mapping. The ACLs are in place on the ISR and ASA, but the ISR is randomizing TCP ports due to NAT, and the ASA kills the connection as the conversation is not in its NAT table.

What I wanted to know is if there is anyway to allow SSH to the outside interface of the ISR with NAT, or not change the TCP port numbers on outbound traffic?

Eg. ip nat inside source static interface FastEthernet0/0 overload

I need to somehow add the IP of the outside address to allow SSH in and not have the above NAT change the source port number. Can I add an "eq 22 eq 22" or something?

Is this possible?



Nagaraja Thanthry Fri, 08/20/2010 - 13:13
User Badges: Cisco Employee


If I understand you correctly, you have an ASA at the ISP edge which is connected to the ISR on the DMZ interface. Your goal is to SSH to the ISR from the internet. You could do the following:

On the ASA:

static (dmz,outside) tcp interface 222 22 netmask

This will allow you to SSH to ASA's outside interface IP on port 222 and get connected to the ISR. As long as your routing and access-lists are correct, this will work.

Hope this helps.



Thanks NT,

We have an ACL that works on the ASA, traffic passes through; the issue is the ISR is also NATting with no static for its outside interface. When it receives the traffic from the outside it changes the source TCP port on the reply packet (due to NAT), and the ASA receives it and cannot put the SYN / SYN-ACK conversation together as one stream and drops the packet.
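To make concrete why a stateful firewall drops such a reply, here is an added Python model (not code from the thread or from Cisco) of a connection table: the SYN-ACK is accepted only if its reversed 5-tuple matches the entry the SYN created, so a reply whose source port was rewritten by the ISR's PAT never matches. The addresses, ports and class names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # "SYN" for the client's request, "SYN-ACK" for the ISR's reply


class StatefulFirewall:
    """Hypothetical stand-in for the ASA's connection table (not ASA code).

    A flow is recorded by the 5-tuple of the first SYN; a reply is only
    forwarded when its reversed 5-tuple matches a recorded flow.
    """

    def __init__(self) -> None:
        self.conns = set()

    def inspect(self, pkt: Packet) -> bool:
        if pkt.flags == "SYN":
            self.conns.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Reply direction: reverse the tuple and look it up.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return key in self.conns


def isr_reply(syn: Packet, pat_source_port: Optional[int]) -> Packet:
    """Build the ISR's SYN-ACK to the given SYN.

    If pat_source_port is set, model the ISR's NAT overload rewriting the
    reply's source port (the behaviour reported above); otherwise the reply
    comes back from port 22 as a correctly handled SSH session would.
    """
    sport = syn.dst_port if pat_source_port is None else pat_source_port
    return Packet(syn.dst_ip, sport, syn.src_ip, syn.src_port, "SYN-ACK")


def reply_passes_firewall(pat_source_port: Optional[int]) -> bool:
    """True if the ISR's SYN-ACK would be forwarded by the firewall model."""
    fw = StatefulFirewall()
    # Constructed: client 203.0.113.10 opens SSH to the ISR outside IP 192.0.2.5.
    syn = Packet("203.0.113.10", 51234, "192.0.2.5", 22, "SYN")
    fw.inspect(syn)
    return fw.inspect(isr_reply(syn, pat_source_port))
```

`reply_passes_firewall(None)` returns True, while any rewritten source port (for example `reply_passes_firewall(1024)`) returns False, which is the drop described in the reply above.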



Nagaraja Thanthry Fri, 08/20/2010 - 14:22
User Badges: Cisco Employee


If the traffic goes from ASA directly to ISR, ISR should not be applying NAT. Can you please post the corresponding configurations from both devices?



It is,...

I cannot post the configs but it's a basic ISR terminating VPN tunnels with a NAT overload statement for example

int g0/0
 ip nat outside
int g0/1
 ip nat inside

ip nat inside source route-map SDM_RMAP_1 interface G0/0 overload

route-map SDM_RMAP_1 permit 1
 match ip address 110

access-list 110 deny   ip any
access-list 110 deny   ip any
access-list 110 permit ip any any

Because there is no static for the outside IP (which I am trying to SSH into) the return traffic is changing the TCP port numbers (NAT)

The same command that would fix this on an ASA is: static (DMZ,Internet) x.x.x.x


Nagaraja Thanthry Fri, 08/20/2010 - 14:46
User Badges: Cisco Employee


Typically, you do not need a static on the ISR. Just a static on the ASA would work. The issue seems to be with the "permit ip any any" in your access-list. Can you please try the following on the ISR:

access-list 101 deny ip any

no ip nat inside source route-map SDM_RMAP_1 interface G0/0 overload

ip nat inside source list 101 interface G0/0 overload

I am assuming that is your VPN subnet.

Hope this helps.



