Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Can't SSH to Linux server IP in DMZ

I'm trying to SSH from 192.168.1.240 to 192.168.5.23 but not having any luck. The Linux server has two NICs, one is 192.168.5.23 and the other is 192.168.7.16. The default gateway for this server is set to 192.168.7.1. If I set the default gateway on it to 192.168.5.1 then I can SSH fine to 192.168.5.23 but not to 192.168.7.16.

With the config as it is if I remove the following then it works, but breaks services for other servers in the DMZ:

access-list dmz_acl extended permit ip 192.168.1.0 255.255.255.0 any

SSH from a server in the DMZ to the DMZ IP of the Linux server works fine of course.

I'm sure I'm missing something obvious but I'm no Cisco firewall expert quite yet.

Thanks for any help.

4 REPLIES
Green

Re: Can't SSH to Linux server IP in DMZ

I don't see how removing that line in the access-list should have any effect. The way it is written, 192.168.1.0/24 would never be a source address while the acl is applied into the dmz. I would think you need to add a persistent route to the linux server, or you need to nat the source address from 192.168.1.240 to a 192.168.5.x address.

New Member

Re: Can't SSH to Linux server IP in DMZ

Sorry, I pasted the wrong line. When I remove this:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

I can SSH to the DMZ IP fine but it breaks other DMZ servers.

Green

Re: Can't SSH to Linux server IP in DMZ

The easiest thing to do with your current configuration would be to leave the static command in place. Then add a persistent route on the linux server which points 192.168.1.0/24 to 192.168.5.1.

Alternatively you could do(i think)....

no static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended deny ip host host 192.168.5.23

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

nat (inside) 1 access-list nat_to_ssh_server

access-list nat_to_ssh_server extended permit ip host host 192.168.5.23

This should exempt all traffic between inside and dmz, except for communication between the ssh client and the ssh server. The policy nat statement will allow the ssh client to pat using the global (dmz) command.

New Member

Re: Can't SSH to Linux server IP in DMZ

Thanks for the replies acomiskey. I was finally able to get it to work with some trial and error with the ACLs. I had my conceptions of a DMZ server mixed up anyhow since I realized all our other DMZ servers only had IPs in the DMZ only and not in both subnets.

832
Views
4
Helpful
4
Replies
CreatePlease login to create content