I'm trying to SSH from 192.168.1.240 to 192.168.5.23 but not having any luck. The Linux server has two NICs, one is 192.168.5.23 and the other is 192.168.7.16. The default gateway for this server is set to 192.168.7.1. If I set the default gateway on it to 192.168.5.1 then I can SSH fine to 192.168.5.23 but not to 192.168.7.16.
With the config as it is, if I remove the following then it works, but it breaks services for other servers in the DMZ:
access-list dmz_acl extended permit ip 192.168.1.0 255.255.255.0 any
SSH from a server in the DMZ to the DMZ IP of the Linux server works fine of course.
I'm sure I'm missing something obvious but I'm no Cisco firewall expert quite yet.
I don't see how removing that line in the access-list should have any effect. The way it is written, 192.168.1.0/24 would never be a source address while the ACL is applied into the DMZ. I would think you need to add a persistent route to the Linux server, or you need to NAT the source address from 192.168.1.240 to a 192.168.5.x address.
The easiest thing to do with your current configuration would be to leave the static command in place. Then add a persistent route on the Linux server which points 192.168.1.0/24 to 192.168.5.1.
Alternatively you could do (I think)....
no static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended deny ip host host 192.168.5.23
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 1 access-list nat_to_ssh_server
access-list nat_to_ssh_server extended permit ip host host 192.168.5.23
This should exempt all traffic between inside and dmz, except for communication between the ssh client and the ssh server. The policy nat statement will allow the ssh client to pat using the global (dmz) command.
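The "persistent route on the Linux server" suggestion above comes down to an asymmetric-routing problem: the SSH SYN from 192.168.1.240 arrives on the 192.168.5.23 NIC via the ASA's dmz interface, but the server's reply follows its default route out the 192.168.7.16 NIC toward 192.168.7.1, so the firewall never sees the return half of the connection on the interface it expects. The script below is an added example (my own, not from the thread) that shows the decision the kernel makes before and after the route is added, using a small longest-prefix-match over routing tables built from the addresses in the question, and then the actual `ip route add` / `ip route get` commands for the host. The interface name `eth0` and the "connected" marker for directly attached subnets are assumptions.

```shell
#!/bin/sh
# Added example: why replies to 192.168.1.240 leave the wrong NIC, and the
# fix from the answer above (route 192.168.1.0/24 via 192.168.5.1).

DMZ_IF=eth0   # assumption: the NIC that carries 192.168.5.23

# Dotted-quad IPv4 address -> 32-bit integer (POSIX sh arithmetic is 64-bit).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return success when address $1 lies inside prefix $2 (written a.b.c.d/len).
in_prefix() {
    net=${2%/*}
    plen=${2#*/}
    if [ "$plen" -eq 0 ]; then
        return 0            # 0.0.0.0/0 matches everything
    fi
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Longest-prefix match, the same rule the kernel applies to a destination.
# $1 = destination address, $2 = routing table as lines of "prefix nexthop".
next_hop() {
    dest=$1
    best_len=-1
    best_gw=""
    while read -r prefix gw; do
        [ -n "$prefix" ] || continue
        cand_len=${prefix#*/}
        if in_prefix "$dest" "$prefix" && [ "$cand_len" -gt "$best_len" ]; then
            best_len=$cand_len
            best_gw=$gw
        fi
    done <<EOF
$2
EOF
    echo "$best_gw"
}

# Constructed tables from the question: default gateway 192.168.7.1 and the
# two directly connected subnets ("connected" = no gateway, same-link delivery).
BEFORE="0.0.0.0/0 192.168.7.1
192.168.5.0/24 connected
192.168.7.0/24 connected"

# The answer's fix: a more specific route for the SSH client's subnet.
AFTER="$BEFORE
192.168.1.0/24 192.168.5.1"

# Before: the reply to 192.168.1.240 goes to 192.168.7.1, i.e. out the
# 192.168.7.16 NIC, not back through the ASA dmz interface that delivered
# the SYN. After: it goes to 192.168.5.1.
echo "reply to 192.168.1.240 before: via $(next_hop 192.168.1.240 "$BEFORE")"
echo "reply to 192.168.1.240 after:  via $(next_hop 192.168.1.240 "$AFTER")"

# Real-host commands (root, iproute2). Run as:  sh thisscript.sh apply
apply_route() {
    ip route get 192.168.1.240     # diagnose first: shows "via 192.168.7.1"
    ip route add 192.168.1.0/24 via 192.168.5.1 dev "$DMZ_IF"
    ip route get 192.168.1.240     # now shows "via 192.168.5.1 ... src 192.168.5.23"
}

if [ "${1:-}" = apply ]; then
    apply_route
fi
```

Two caveats a practitioner will hit. First, `ip route add` does not survive a reboot; the "persistent" part of the answer is distribution-specific (for example a `post-up` line in `/etc/network/interfaces` on Debian-style hosts, or a `route-eth0` file under `/etc/sysconfig/network-scripts/` on RHEL-style hosts). Second, the destination-only lookup above ignores the source address, so once the route exists, replies from 192.168.7.16 to 192.168.1.240 are also sent via 192.168.5.1; reaching both NICs from 192.168.1.0/24 through the same firewall needs source-based policy routing (`ip rule` with a per-interface table) rather than a single static route.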
Thanks for the replies, acomiskey. I was finally able to get it to work with some trial and error with the ACLs. I had my conceptions of a DMZ server mixed up anyhow, since I realized all our other DMZ servers only had IPs in the DMZ and not in both subnets.