08-20-2010 10:33 AM - edited 03-11-2019 11:28 AM
Hi, I have an ISR in a DMZ behind an ASA, both are doing NAT. The ISR is the VPN tunnel termination point to remote sites, but I do need to SSH into it if the internet goes down (in the cloud). My issue is I need to SSH to the outside interface of the ISR and I am using NAT overload for the inside networks going through the interface, but no static PAT mapping. The ACLs are in place on the ISR and ASA, but the ISR is randomizing TCP ports due to NAT, and the ASA kills the connection as the conversation is not in its NAT table.
What I wanted to know is if there is any way to allow SSH to the outside interface of the ISR with NAT, or not change the TCP port numbers on outbound traffic?
E.g. ip nat inside source static 10.10.10.0 255.255.255.0 interface FastEthernet0/0 overload
I need to somehow add the ip of the outside address 192.168.10.1 to allow SSH in and not have the above NAT change the source port number, can I add a 192.168.10.1 eq 22 192.168.10.1 eq 22 or something?
Is this possible?
Cheers,
Bob
08-20-2010 01:13 PM
Hello,
If I understand you correctly, you have an ASA at the ISP edge and it is connected to the ISR on the DMZ interface. Your goal is to SSH to the ISR from the internet. You could do the following:
On the ASA:
static (dmz,outside) tcp interface 222
This will allow you to SSH to ASA's outside interface IP on port 222 and get connected to the ISR. As long as your routing and access-lists are correct, this will work.
Hope this helps.
Regards,
NT
08-20-2010 01:58 PM
Thanks NT,
We have an ACL that works on the ASA, traffic passes through; the issue is the ISR is also NATing with no static for its outside interface. When it receives the traffic from the outside it changes the source TCP port on the reply packet (due to NAT) and the ASA receives it and cannot put the SYN/SYN-ACK conversation together as one stream and drops the packet.
Thanks,
Bob
08-20-2010 02:22 PM
Hello,
If the traffic goes from the ASA directly to the ISR, the ISR should not be applying NAT. Can you please post the corresponding configurations from both devices?
Regards,
NT
08-20-2010 02:37 PM
It is,...
I cannot post the configs but it's a basic ISR terminating VPN tunnels with a NAT overload statement for example
int g0/0
ip nat outside
10.10.10.1
int g0/1
ip nat inside
172.31.10.1
ip nat inside source route-map SDM_RMAP_1 interface G0/0 overload
route-map SDM_RMAP_1 permit 1
match ip address 110
access-list 110 deny ip 172.30.4.0 0.0.0.255 any
access-list 110 deny ip any 172.30.4.0 0.0.0.255
access-list 110 permit ip any any
Because there is no static for the outside IP 10.10.10.1 (which I am trying to SSH into) the return traffic is changing the TCP port numbers (NAT)
The same command that would fix this on an ASA is: static (DMZ,Internet) x.x.x.x 10.10.10.1
Cheers
08-20-2010 02:46 PM
Hello,
Typically, you do not need a static on the ISR. Just a static on the ASA would work. The issue seems to be with the "permit ip any any" in your access-list. Can you please try the following on the ISR:
access-list 101 deny ip any
no ip nat inside source route-map SDM_RMAP_1 interface G0/0 overload
ip nat inside source list 101 interface G0/0 overload
I am assuming that 172.30.4.0/24 is your VPN subnet.
Hope this helps.
Regards,
NT
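A fuller version of the change NT describes, paired with the ASA port-forward from the first reply, showing the original "permit ip any any" NAT list beside a list that only translates the inside LAN. This is an added example, not configuration from either poster; it assumes 172.31.10.0/24 is the only LAN behind g0/1, 172.30.4.0/24 is the VPN subnet, 10.10.10.1 is the ISR outside address, and 198.51.100.0/24 is a placeholder for the network admins manage from.

```cisco
! ---- ISR (IOS) ----
! Original, from the thread: route-map SDM_RMAP_1 matches ACL 110, whose
! last line is "permit ip any any", which NT identifies as the reason traffic
! that is not from the inside LAN is still being picked up for PAT.
no ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
!
! Replacement: name the NAT candidates explicitly. Assumed subnets:
! 172.30.4.0/24 = site-to-site VPN, 172.31.10.0/24 = LAN behind g0/1.
! Anything not matched hits the implicit deny and is forwarded untranslated.
access-list 101 remark NAT candidates: inside LAN only, VPN traffic excluded
access-list 101 deny   ip 172.31.10.0 0.0.0.255 172.30.4.0 0.0.0.255
access-list 101 permit ip 172.31.10.0 0.0.0.255 any
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
! Management plane: SSH only on the VTY lines, and only from the admin
! network (placeholder 198.51.100.0/24, assumed).
access-list 10 remark assumed admin source network
access-list 10 permit 198.51.100.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
!
! ---- ASA (pre-8.3 syntax, completing NT's "static ... tcp interface 222") ----
! Map outside-IP:222 to the ISR's SSH port and open it only to the admin network.
static (dmz,outside) tcp interface 222 10.10.10.1 22 netmask 255.255.255.255
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 interface outside eq 222
access-group outside_access_in in interface outside
```

After applying, "show ip nat translations" on the ISR should list only flows sourced from 172.31.10.0/24, and the SSH session to the ASA outside address on port 222 should stay up.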