Configure multiple SSH connections through ASA

burleyman
Level 8

I have two pieces of equipment on the inside of the network that people on the outside need to access via SSH. Is there a way to do this?

Mike

Accepted Solution

There are many ways:

  1. If you have multiple public IPs, then you configure PAT for each internal system with a unique public IP.
  2. If you only have one public IP, or not enough of them, then you configure PAT with a mapping where, for example, Public:221 maps to INT1:22, Public:222 maps to INT2:22 and so on.
  3. The external users could use a VPN-Client to connect to your network.

Probably you'll pick solution 2; then the config could look like this on the ASA:

! Static PAT: each internal host's tcp/22 is published on its own port of the outside interface IP
object network SERVER1
 host 10.10.10.1
 nat (inside,outside) static interface service tcp 22 221
object network SERVER2
 host 10.10.10.2
 nat (inside,outside) static interface service tcp 22 222
object network SERVER3
 host 10.10.10.3
 nat (inside,outside) static interface service tcp 22 223

! ACL entries match the real (pre-NAT) destination port 22; the ACL must be applied to the outside interface
access-list OUTSIDE-IN permit tcp any object SERVER1 eq 22
access-list OUTSIDE-IN permit tcp any object SERVER2 eq 22
access-list OUTSIDE-IN permit tcp any object SERVER3 eq 22
access-group OUTSIDE-IN in interface outside
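A small generator for the port-based PAT layout in this answer, added here as an example and not part of the thread or of any Cisco tooling. It hands out one public port per internal host, refuses duplicate hosts, and lets you narrow the ACL source from `any` to specific addresses; the object names, starting port 221, ACL name and the interface names inside/outside are assumptions taken from the answer above.

```python
from ipaddress import ip_address


def build_ssh_pat_config(servers, allowed_sources=("any",), first_port=221,
                         acl="OUTSIDE-IN"):
    """Return (config_lines, port_map) for static PAT of several internal SSH
    hosts behind the ASA's outside interface address.

    servers: ordered mapping of object name -> internal IPv4, e.g.
             {"SERVER1": "10.10.10.1"}.  Public ports are handed out
             sequentially starting at first_port (221 in the thread).
    allowed_sources: ACL source terms, e.g. ("host 203.0.113.5",);
             narrowing this from "any" is the main hardening lever here.
    port_map: {public_port: (object_name, internal_ip)} for review/auditing.
    Hypothetical helper written for this example; not Cisco tooling.
    """
    lines, port_map, seen = [], {}, set()
    port = first_port
    for name, host in servers.items():
        host = str(ip_address(host))          # rejects malformed addresses
        if host in seen:
            raise ValueError(f"internal host {host} listed twice")
        if port > 65535:
            raise ValueError("no public port left for " + name)
        seen.add(host)
        port_map[port] = (name, host)
        # Object NAT: translate inside tcp/22 to <outside interface IP>:<port>
        lines += [f"object network {name}",
                  f" host {host}",
                  f" nat (inside,outside) static interface service tcp 22 {port}"]
        port += 1
    # ASA 8.3+ ACLs match the real (pre-NAT) destination, hence 'eq 22'
    for name in servers:
        for src in allowed_sources:
            lines.append(f"access-list {acl} permit tcp {src} object {name} eq 22")
    lines.append(f"access-group {acl} in interface outside")
    return lines, port_map


if __name__ == "__main__":
    # Constructed sample input mirroring the three hosts in the answer
    cfg, ports = build_ssh_pat_config(
        {"SERVER1": "10.10.10.1", "SERVER2": "10.10.10.2", "SERVER3": "10.10.10.3"})
    print("\n".join(cfg))
    print(ports)
```

The returned port_map is the table you would hand to the external users (and keep for the firewall review), since the public port, not the destination IP, now decides which host a session reaches.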


2 Replies

Choice number 2 was where I was heading. Thanks for the confirmation.

Thanks,

Mike
