Cisco Support Community
New Member

ASA5505 Port Forward/Translation

I'm trying to configure static PAT for a Linux SSH server on my network.  The tricky part is that I'm trying to map port 21 from the outside to port 22 on the inside (because port 22 is blocked on my work network).

I've tried the following but it doesn't seem to be working.  I'm running ASA software version 9.1(4)

object network LinuxAdmin
   host 192.168.1.108
object service tcp21
   service tcp source eq ftp
object service tcp22
   service tcp source eq ssh

nat (inside,outside) source static LinuxAdmin interface service tcp21 tcp22

access-list outside_in extended permit tcp any object LinuxAdmin eq ftp
access-group outside_in in interface outside

I thought this should work but it's not.... when I do a show access-list, I don't see any hits against that rule.  Any help or suggestions would be appreciated.

Thanks,

Matt

Accepted Solutions
Super Bronze

Re: ASA5505 Port Forward/Translation

Hi,

To my understanding, in the "service" section of the command the REAL service comes first and then the MAPPED service. So you could try switching the "tcp21" and "tcp22" the other way around.

Naturally you will also have to change the "access-list" to allow the port TCP/22 rather than TCP/21.

I am not sure, but the traffic might also match the FTP Inspection, so you might want to come up with another MAPPED port for this connection, like TCP/222.

Hope this helps

- Jouni

VIP Green

ASA5505 Port Forward/Translation

I think your NAT statement is a little off.  Try the following

object network obj-192.168.1.108
   host 192.168.1.108
   nat (inside,outside) static interface service tcp 22 21

access-list outside_in extended permit tcp any object LinuxAdmin eq 22
access-group outside_in in interface outside

--
Please remember to rate and select a correct answer
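
An added example (not part of either answer, and not Cisco tooling): a small Python check encoding the rule both answers give, that the object NAT `service tcp` arguments are real port then mapped port and that the ACL must permit the real port. The sample configs are constructed from lines posted in this thread; the function and variable names are assumptions, and the parser handles only the statement forms shown here.

```python
import re

PORT_NAMES = {"ftp": 21, "ssh": 22}  # only the ASA port keywords this thread uses

def port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def check_port_forwards(config):
    """Flag object-NAT port forwards whose inbound ACL does not permit the real port."""
    hosts, forwards, permits, current = {}, [], [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"host (\S+)$", line):
            hosts[current] = m.group(1)
        elif m := re.match(r"nat \(\S+,\S+\) static interface service tcp (\S+) (\S+)$", line):
            # Order per the answers above: real (inside) port, then mapped (outside) port.
            forwards.append((current, port(m.group(1)), port(m.group(2))))
        elif m := re.match(r"access-list \S+ extended permit tcp any object (\S+) eq (\S+)$", line):
            permits.append((m.group(1), port(m.group(2))))
    findings = []
    for obj, real, mapped in forwards:
        ip = hosts.get(obj)
        # The ACL may name a different object for the same host, so compare by IP.
        allowed = {p for o, p in permits if ip and hosts.get(o) == ip}
        if real in allowed:
            continue
        if mapped in allowed:
            findings.append(f"{ip}: ACL permits mapped port {mapped}, not real port {real}")
        else:
            findings.append(f"{ip}: no ACL entry permits real port {real}")
    return findings

# Constructed from the thread: the LinuxAdmin object plus the suggested fix.
FIXED = """
object network LinuxAdmin
   host 192.168.1.108
object network obj-192.168.1.108
   host 192.168.1.108
   nat (inside,outside) static interface service tcp 22 21
access-list outside_in extended permit tcp any object LinuxAdmin eq 22
access-group outside_in in interface outside
"""
# Same NAT, but with the ACL from the original question (permits the mapped port).
MISMATCHED = FIXED.replace("LinuxAdmin eq 22", "LinuxAdmin eq ftp")

if __name__ == "__main__":
    for name, cfg in (("fixed", FIXED), ("mismatched", MISMATCHED)):
        print(name, check_port_forwards(cfg) or "OK")
```
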

New Member

ASA5505 Port Forward/Translation

Thanks guys, that fixed it!  Didn't realize it was then .
