Hey there and thanks for your suggestions.

Here is what i currently have configured and i'm able to access my Cat2960 from the Internet via SSH

object network SWITCH

host 10.10.1.11

!

object service REAL_SSH

service tcp source eq ssh

!

object service MAPPED_SSH_TO_SWITCH

service tcp source eq 2002

!

access-list ALLOW_FROM_OUTSIDE extended permit tcp any object SWITCH eq ssh

!

nat (inside,outside) source static SWITCH interface service REAL_SSH MAPPED_SSH_TO_SWITCH

As you can see, couple of things are different comparing to your post.  Mainly, the access list "eq ssh" and not "eq 2002"

My understanding is that i neded to come into the ASA on port 22 and then be forwarded to port 2002.  When my access list was configured with "eq 2002" i saw the following error message,

Dec 03 2011 19:33:35: %ASA-4-106023: Deny tcp src outside:174.52.54.128/60556 dst inside:10.10.1.11/22 by access-group "ALLOW_FROM_OUTSIDE" [0x0, 0x0]

and of course, i was trying to ssh to <> 2002.

When i changed the ACL to "eq ssh" all started working.

Thanks for your suggestions.  It took me half a day to figure it out, but it is now done and working!!! Awesome

Hello Sebastian,

It is great to hear that everything is working fine now =)

Wow.I did not take enough attention to that ACL when I wrote down. Of course it got to be pointing to the real destination port, this because since 8.3 the Access list entries are taken or checked after the Nat statements.

Hope this helps and again sorry for the mistake lol.

Have a good one

Julio!!

Hello,

I was wondering if you can assist me with this issue again. So here is what happened. The issue described above has been resolved long time ago but then also config has changed. I have not saved the config and i'm unable to restore the SSH access to the Cisco 1841. Here is the set up.

ASA5505--->Cisco1841--->Cat2960

Code

ASA asa831-k8.bin

Cisco 1841 c1841-adventerprisek9-mz.151-4.M2.bin

Cat 2960 c2960-lanbasek9-mz.122-55.SE1.bin

Lets start with SSH issue to the router from the outside word. Here is my current config on the ASA for port forwarding so the router can be accessed via SSH.

relevant config on the router

ip ssh port 2001 rotary 1

line vty 0 4

rotary 1

relevant config on the asa

object network ROUTER

host 10.10.1.1

!

object service REAL_SSH

service tcp source eq ssh

!

object service MAPPED_SSH_TO_ROUTER

service tcp source eq 2001

!

access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq ssh

!

nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER

!

Here is my understanding of what should happen with the above config. as i ssh to the outside (public) ip port 2001, the NAT is checked and then ACL and routing decision is made. When the above config is applied, and i attempt to test my SSH access to Cisco 1841 i see no hits on the NAT rule or the ACL, the log however has the following message,

"TCP request discarded from 174.232.132.244/4653 to outside:50.73.41.25/2001"

Any thoughts?

Thanks in advance.

Hello Sebastian,

Very good you understood the configuration from last time.

Can you do the following:

packet-tracer input outside tcp 8.8.8.8 1025 outside_ip 2001

Remember to rate all the helpful posts

Hi and thanks for quick response. Sorry, i mean to include the output of the packet tracer with my original post, just fogot to do it.

Here it is,

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in  <>     255.255.255.255 identity

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

as you can see, the flow is being dropped by ACL. I'm not sure why.

Here is a bit more config for additional NAT that i have on this ASA

nat (outside,outside) source dynamic SSL_VPN_CLIENTS interface

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSL_VPN_CLIENTS SSL_VPN_CLIENTS

nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER

nat (inside,outside) dynamic interface

the VPN NAT works.

the above mentioned ACL, ALLOW_FROM_OUTSIDE in addition to the this line

access-list ALLOW_FROM_OUTSIDE line 3 extended permit tcp any object ROUTER eq ssh

only allows ICMP, nothing else is allowed.

Thanks

Hello Sebastian,

Make sure you can ping the router ip over the inside interface in order to check the routing.

A show route will help us.

Regards,

hello,

so yes, all of that looks good as well. Sorry for not posting it before.

show route inside

Gateway of last resort is x.x.x.x to network 0.0.0.0

O E2 10.10.1.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside

O E2 10.10.2.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside

O E2 10.10.3.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside

O E2 10.0.0.1 255.255.255.255 [110/20] via 10.10.200.2, 1193:02:47, inside

C    10.10.200.0 255.255.255.252 is directly connected, inside

!

ping 10.10.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Hello,

Can you post the entire configuration please

Hi,

Please see below.

fw-home01# show run

: Saved

:

ASA Version 8.3(1)

!

hostname fw-home01

domain-name sebastian.com

enable xxxxxxx

passwd xxxxxxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.10.200.1 255.255.255.252

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.252

!

interface Ethernet0/0

switchport access vlan 2

speed 100

duplex full

!

interface Ethernet0/1

speed 100

duplex full

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

boot system disk0:/asa831-k8.bin

ftp mode passive

clock timezone MTS -7

clock summer-time MST recurring

dns domain-lookup outside

dns server-group DefaultDNS

name-server 4.2.2.2

domain-name sebastian.com

same-security-traffic permit intra-interface

object network PAT_ANY

subnet 0.0.0.0 0.0.0.0

object network LOCAL_LAN

subnet 10.10.0.0 255.255.0.0

object network SSL_VPN_CLIENTS

subnet 172.16.16.0 255.255.255.0

object network ROUTER

host 10.10.1.1

object service MAPPED_SSH_TO_ROUTER

service tcp source eq 2001

object service REAL_SSH

service tcp source eq ssh

access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq ssh

access-list NO_NAT_VPN extended permit ip 10.10.0.0 255.255.0.0 172.16.16.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging buffer-size 8092

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool SSL_VPN_CLIENTS 172.16.16.10-172.16.16.20 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

nat (outside,outside) source dynamic SSL_VPN_CLIENTS interface

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSL_VPN_CLIENTS SSL_VPN_CLIENTS

nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER

!

object network PAT_ANY

nat (inside,outside) dynamic interface

access-group ALLOW_FROM_OUTSIDE in interface outside

!

router ospf 1

network 10.10.200.0 255.255.255.252 area 0

log-adj-changes

default-information originate

!

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

no crypto isakmp nat-traversal

no vpn-addr-assign dhcp

telnet 10.10.2.0 255.255.255.0 inside

telnet timeout 15

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

ssh version 2

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 204.123.2.5

ntp server 204.34.198.40

webvpn

enable inside

enable outside

svc image disk0:/anyconnect-win-2.5.6005-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy SSL_CLIENT_POLICY internal

group-policy SSL_CLIENT_POLICY attributes

dns-server value 8.8.8.8 4.2.2.2

vpn-tunnel-protocol svc

address-pools value SSL_VPN_CLIENTS

username xxxxxxx

username xxxxxxx

tunnel-group SSL_CLIENT_PROFILE type remote-access

tunnel-group SSL_CLIENT_PROFILE general-attributes

default-group-policy SSL_CLIENT_POLICY

tunnel-group SSL_CLIENT_PROFILE webvpn-attributes

group-alias HOME_VPN enable

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect pptp

  inspect http

  inspect ip-options

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:f8d03501537180042df91135e87d3b40

Hello Sebastian,

What I though! A routing issue

object network ROUTER

host 10.10.1.1

And your ASA interface is on the subnet

ip address 10.10.200.1 255.255.255.252

The ASA does not know how to get to the  10.10.1.0 subnet

Remember to rate all the helpful posts.

Hi there,

so routing should not be a problem, check out the output below. The asa knows of the destination 10.10.1.1 via OSPF from the Cisco 1841, it is 10.10.1.0/24 route. As you can see below, it can also ping the destination from its directly connected interface, 10.10.200.1.

show route inside

Gateway of last resort is x.x.x.x to network 0.0.0.0

O E2 10.10.1.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside

O E2 10.10.2.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside

O E2 10.10.3.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside

O E2 10.0.0.1 255.255.255.255 [110/20] via 10.10.200.2, 1193:02:47, inside

C    10.10.200.0 255.255.255.252 is directly connected, inside

!

ping 10.10.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Hello Sebastian,

Thanks for the output, I see what you mean...

Are you sure this is the packet tracer you are running?

packet-tracer input outside tcp 8.8.8.8 1025 outside_ip 2001

I dont see anything wrong on the configuration

Regards

Hi,

I don't see anything wrong with the config either, and yes the packet tracer is what i'm running.