how to change default SSH port on ASA 5505 (port forwarding)

sebastianpotok
Level 1

Hey guys,

So here is my network.

ASA5505--->Cisco1841--->Cat2960

Code

ASA asa831-k8.bin
Cisco 1841 c1841-adventerprisek9-mz.151-4.M2.bin
Cat 2960 c2960-lanbasek9-mz.122-55.SE1.bin

and here is my dilemma.

I can SSH from the internet to my ASA on default port 22, directly to my public IP. I can SSH from the internet to my Cisco 1841 on port 2001. I can not, however, SSH to my Cat 2960. From what I can tell, on the Cat 2960 I can't change the default port 22 for SSH to a different port, like I did on the Cisco 1841. I looked to see if I can change the default port for SSH on the ASA; it does not look like this is an option.

The bottom line is that I want to be able to SSH to all three devices from the internet. I only have one public IP. As of now, what I can do is only SSH to the ASA on default port 22 directly to the public IP and to the Cisco 1841 on port 2001. It appears that changing the default SSH port on the Cat 2960 is not an option. It also appears that I can't change the default SSH port on the ASA; if I could, I would, and then I should be able to SSH to the Cat 2960 on port 22. No matter what I did on the ASA, it always listens on port 22 for SSH connections.

show asp table socket

TCP       001f549f  <<pub IP>>:22    0.0.0.0:*    LISTEN

How do I make it listen on a different port?

Here is the relevant SSH config for the Cisco 1841 (port forwarding):

ON ASA

object network ROUTER
 host 10.10.1.1
!
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq 2001
!
object network ROUTER
 nat (inside,outside) static interface service tcp 2001 2001
!
access-group ALLOW_FROM_OUTSIDE in interface outside
!

ON CISCO 1841

ip ssh port 2001 rotary 1
line vty 0 4
 rotary 1

28 Replies

Hello Sebastian,

Well time for captures...

capture capout interface outside match tcp host host_test host interface_outside eq 2100
capture capin interface inside match tcp host host_test host router_ip eq 21
cap asp type asp-drop all circular-buffer

The host_test is the one you use to attempt to connect. After you attempt to connect, provide me the following:

show cap capin
show cap capout
show cap asp | include host_test

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

So yeah, I'm capturing the traffic on the outside interface but I see nothing being captured on the inside interface, which makes sense because the flow is denied on the outside, for some reason. Here are the outputs.

capture capout interface outside match tcp host 65.130.164.80 host <> eq 2001

capture capout type raw-data interface outside [Capturing - 254 bytes]
  match tcp host 65.130.164.80 host <> eq 2001
!
capture capin interface inside match tcp host 65.130.164.80 host 10.10.1.1 eq 22

capture capin type raw-data [Capturing - 0 bytes]
  match tcp host 65.130.164.80 host 10.10.1.1 eq ssh
!
cap asp type asp-drop all circular-buffer

show cap asp | include 65.130.164.80

  1: 17:38:10.267228 802.1Q vlan#2 P0 65.130.164.80.49358 > <>.2001: S 660698663:660698663(0) win 8192
  2: 17:38:13.269944 802.1Q vlan#2 P0 65.130.164.80.49358 > <>.2001: S 660698663:660698663(0) win 8192
  3: 17:38:19.270585 802.1Q vlan#2 P0 65.130.164.80.49358 > <>.2001: S 660698663:660698663(0) win 8192
162: 18:32:10.564103 802.1Q vlan#2 P0 65.130.164.80.49459 > <>.2001: S 3707916984:3707916984(0) win 8192
163: 18:32:13.561021 802.1Q vlan#2 P0 65.130.164.80.49459 > <>.2001: S 3707916984:3707916984(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule

Hello Sebastian,

Loved the last one, flow is denied by configured rule,

Gooood what are we misiiiiiing.....

object service MAPPED_SSH_TO_ROUTER
 service tcp source eq 2001
object service REAL_SSH
 service tcp source eq ssh
object network ROUTER
 host 10.10.1.1
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq ssh
access-group ALLOW_FROM_OUTSIDE in interface outside
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER

Man... I think it is time to save the configuration and do a reload.

Can you do that and let me know how it goes?

Remember to rate all the answers, for the community that is as important as a thanks

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hey,

Help me review this, but I do have the right config in there. Also, I did do the reload last night, same result, no joy, with the same output for the captures as well.

Fun one, isn't it?

Just to double check, here is the config.

object service MAPPED_SSH_TO_ROUTER
 service tcp source eq 2001
!
object service REAL_SSH
 service tcp source eq ssh
!
object network ROUTER
 host 10.10.1.1
!
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER
!
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq ssh
!
access-group ALLOW_FROM_OUTSIDE in interface outside

Hello Sebastian,

That is correct, the router will expect connections on port 21 but the ASA will receive it on its outside interface on port 2001....

Please review your inbox.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Not sure what is going on as of right now. I don't think this is a code issue, but I may just give it a shot and upgrade.

Check your inbox

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Not sure what you mean?

Private message in here

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi, did you have a chance to check your private message?

Sent from Cisco Technical Support iPhone App

Sorry for interrupting this thread, but is this also the procedure to use if you want SSH access from outside to inside / DMZ and use port 2222 or 22222 or something like that?

No interruption here :). Thanks for joining the thread. So yeah, sounds like you are trying to accomplish the same thing as I am.

As of now, my port forwarding does not work. Give it a shot if you like, with a similar config, and see what results you get. I'm pretty sure that the config you find in this thread worked for me some time ago; then I removed it and just recently wanted to implement it again, no joy as of now though! I did not save my previous config, so there is a chance what's in this thread is incorrect. At the same time, my config seems to be pretty accurate if you compare it to the recommended config for port forwarding.

Sent from Cisco Technical Support iPhone App

I did resolve my issue; my NAT was causing me grief. I will post the config here in a couple of days.

Sent from Cisco Technical Support iPhone App

As I have mentioned before, my NAT config was causing me problems. Here is the config that is now working. I have also added port forwarding for a couple of other devices, as well as passing GRE through the ASA. I hope this will help in future.

object network PAT_ANY
 subnet 0.0.0.0 0.0.0.0
!
object network LOCAL_LAN
 range 10.10.1.0 10.10.3.255
!
object network SSL_VPN_CLIENTS
 subnet 172.16.16.0 255.255.255.0
!
object network ROUTER
 host 10.10.1.1
!
object service REAL_SSH
 service tcp source eq ssh
!
object service MAPPED_SSH_TO_ROUTER
 service tcp source eq 2001
!
object network SWITCH
 host 10.10.1.11
!
object service MAPPED_SSH_TO_SWITCH
 service tcp source eq 2002
!
object network RDP
 host 10.10.2.21
!
object service REAL_RDP
 service tcp source eq 3389
!
object service MAPPED_RDP_TO_RDP
 service tcp source eq 3389
!
object network ACCESS_POINT_SSH
 host 10.10.1.20
!
object service MAPPED_SSH_TO_ACCESS_POINT_SSH
 service tcp source eq 2003
!
object network GRE
 host 10.10.200.2
!
access-list ALLOW_OUTSIDE_IN extended deny ip host 222.76.244.242 any
access-list ALLOW_OUTSIDE_IN extended deny ip host 202.117.3.104 any
access-list ALLOW_OUTSIDE_IN extended permit ip host 66.220.18.42 object IPV6_HOST
access-list ALLOW_OUTSIDE_IN extended permit tcp any object SWITCH eq ssh
access-list ALLOW_OUTSIDE_IN extended permit tcp any object ROUTER eq ssh
access-list ALLOW_OUTSIDE_IN extended permit tcp any object RDP eq 3389 inactive
access-list ALLOW_OUTSIDE_IN extended permit gre any object GRE
!
access-group ALLOW_OUTSIDE_IN in interface outside
!
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER
nat (inside,outside) source static SWITCH interface service REAL_SSH MAPPED_SSH_TO_SWITCH
nat (inside,outside) source static RDP interface service REAL_RDP MAPPED_RDP_TO_RDP inactive
nat (inside,outside) source static HTTPS interface service REAL_HTTPS MAPPED_HTTPS_TO_HTTP
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSL_VPN_CLIENTS SSL_VPN_CLIENTS no-proxy-arp route-lookup
nat (outside,outside) source dynamic SSL_VPN_CLIENTS interface
!
object network PAT_ANY
 nat (inside,outside) dynamic interface
object network GRE
 nat (inside,outside) static interface
object network IPV6_HOST
 nat (inside,outside) static interface
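As an added illustration (not code from the thread or from Cisco), a small Python model of how an ASA on 8.3 and later evaluates one of the port-forwards above: the static NAT un-translates the mapped port on the outside interface address to the real host and real port first, and the outside access-group is then matched against that real destination, not the mapped one. That is why an ACE written for the mapped port (eq 2001) yields the "acl-drop" seen in the captures while "eq ssh" permits the flow. The outside address and the ACL/NAT data structures are constructed for the example.

```python
"""Constructed model of an inbound static-PAT lookup on an ASA 8.3+.
Order: NAT un-translate (mapped -> real) first, then outside ACL on the
REAL destination host/port.  Not ASA code; simplified on purpose."""
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticPat:
    real_host: str    # 'object network ROUTER' host
    real_port: int    # 'object service REAL_SSH' port
    mapped_port: int  # 'object service MAPPED_SSH_TO_ROUTER' port


@dataclass(frozen=True)
class Ace:
    dst_host: str     # object referenced in the ACE (a REAL address)
    dst_port: int     # 'eq <port>' in the ACE
    action: str = "permit"


OUTSIDE_IP = "198.51.100.10"  # placeholder for the ASA's public interface IP


def untranslate(dst_ip, dst_port, rules):
    """First matching static PAT rule wins; None means no translation."""
    if dst_ip != OUTSIDE_IP:
        return None
    for r in rules:
        if r.mapped_port == dst_port:
            return (r.real_host, r.real_port)
    return None


def evaluate_inbound(dst_ip, dst_port, rules, acl):
    real = untranslate(dst_ip, dst_port, rules)
    if real is None:
        return "no-nat"  # handled by the ASA itself, e.g. its own SSH on 22
    real_ip, real_port = real
    for ace in acl:  # first match wins, implicit deny at the end
        if ace.dst_host == real_ip and ace.dst_port == real_port:
            return f"{ace.action} {real_ip}:{real_port}"
    return "acl-drop: Flow is denied by configured rule"


# Final working NAT from the thread: 10.10.1.1:22 as <outside>:2001, etc.
RULES = [StaticPat("10.10.1.1", 22, 2001), StaticPat("10.10.1.11", 22, 2002)]
ACL_MAPPED_PORT = [Ace("10.10.1.1", 2001)]                    # the failing ACE
ACL_REAL_PORT = [Ace("10.10.1.1", 22), Ace("10.10.1.11", 22)]  # 'eq ssh'

if __name__ == "__main__":
    print(evaluate_inbound(OUTSIDE_IP, 2001, RULES, ACL_MAPPED_PORT))
    print(evaluate_inbound(OUTSIDE_IP, 2001, RULES, ACL_REAL_PORT))
```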
