Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Can't SSH to Linux server IP in DMZ

I'm trying to SSH from to but not having any luck. The Linux server has two NICs, one is and the other is The default gateway for this server is set to If I set the default gateway on it to then I can SSH fine to but not to

With the config as it is if I remove the following then it works, but breaks services for other servers in the DMZ:

access-list dmz_acl extended permit ip any

SSH from a server in the DMZ to the DMZ IP of the Linux server works fine of course.

I'm sure I'm missing something obvious but I'm no Cisco firewall expert quite yet.

Thanks for any help.


Re: Can't SSH to Linux server IP in DMZ

I don't see how removing that line in the access-list should have any effect. The way it is written, would never be a source address while the acl is applied into the dmz. I would think you need to add a persistent route to the linux server, or you need to nat the source address from to a 192.168.5.x address.

New Member

Re: Can't SSH to Linux server IP in DMZ

Sorry, I pasted the wrong line. When I remove this:

static (inside,dmz) netmask

I can SSH to the DMZ IP fine but it breaks other DMZ servers.


Re: Can't SSH to Linux server IP in DMZ

The easiest thing to do with your current configuration would be to leave the static command in place. Then add a persistent route on the linux server which points to

Alternatively you could do(i think)....

no static (inside,dmz) netmask

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended deny ip host host

access-list inside_nat0_outbound extended permit ip

nat (inside) 1 access-list nat_to_ssh_server

access-list nat_to_ssh_server extended permit ip host host

This should exempt all traffic between inside and dmz, except for communication between the ssh client and the ssh server. The policy nat statement will allow the ssh client to pat using the global (dmz) command.

New Member

Re: Can't SSH to Linux server IP in DMZ

Thanks for the replies acomiskey. I was finally able to get it to work with some trial and error with the ACLs. I had my conceptions of a DMZ server mixed up anyhow since I realized all our other DMZ servers only had IPs in the DMZ only and not in both subnets.

CreatePlease login to create content