Cisco Support Community
New Member

how to change default SSH port on ASA 5505 (port forwarding)

Hey guys,

So here is my network.

ASA5505--->Cisco1841--->Cat2960

Code

ASA asa831-k8.bin

Cisco 1841 c1841-adventerprisek9-mz.151-4.M2.bin

Cat 2960 c2960-lanbasek9-mz.122-55.SE1.bin

and here is my dilemma.

I can SSH from the internet to my ASA on default port 22, directly to my public IP. I can SSH from the internet to my Cisco 1841 on port 2001. I can not, however, SSH to my Cat 2960. From what I can tell, on the Cat 2960 I can't change the default port 22 for SSH to a different port, like I did on the Cisco 1841. I looked to see if I can change the default port for SSH on the ASA; it does not look like this is an option.

The bottom line is that I want to be able to SSH to all three devices from the internet. I only have one public IP. As of now, what I can do is only SSH to the ASA on default port 22 directly to the public IP and to the Cisco 1841 on port 2001. It appears that changing the default SSH port on the Cat 2960 is not an option. It also appears that I can't change the default SSH port on the ASA; if I could, I would, and then I should be able to SSH to the Cat 2960 on port 22. No matter what I did on the ASA, it always listens on port 22 for SSH connections.

show asp table socket
TCP       001f549f  <<pub IP>>:22              0.0.0.0:*               LISTEN

How do I make it listen on a different port?

Here is the relevant config for SSH to the Cisco 1841 (port forwarding).

ON ASA

object network ROUTER
 host 10.10.1.1
!
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq 2001
!
object network ROUTER
 nat (inside,outside) static interface service tcp 2001 2001
!
access-group ALLOW_FROM_OUTSIDE in interface outside
!

ON CISCO 1841

ip ssh port 2001 rotary 1
line vty 0 4
 rotary 1

ACCEPTED SOLUTION

how to change default SSH port on ASA 5505 (port forwarding)

Hello Sebastian,

Let's say the switch IP address you are going to SSH to is 192.168.1.2.

So the configuration should be like this.

object network Switch
 host 192.168.1.2
object service Real_ssh
 service tcp source eq 22
object service Mapped_ssh
 service tcp source eq 2222
access-list ALLOW_FROM_OUTSIDE extended permit tcp any host 192.168.1.2 eq 2222
nat (inside,outside) source static Switch interface service Real_ssh Mapped_ssh

This is what you are looking to do, right?

Have a good one.

Please rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
28 REPLIES

New Member

how to change default SSH port on ASA 5505 (port forwarding)

Hey there, and thanks for your suggestions.

Here is what I currently have configured, and I'm able to access my Cat 2960 from the Internet via SSH:

object network SWITCH
 host 10.10.1.11
!
object service REAL_SSH
 service tcp source eq ssh
!
object service MAPPED_SSH_TO_SWITCH
 service tcp source eq 2002
!
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object SWITCH eq ssh
!
nat (inside,outside) source static SWITCH interface service REAL_SSH MAPPED_SSH_TO_SWITCH

As you can see, a couple of things are different compared to your post. Mainly, the access list says "eq ssh" and not "eq 2002".

My understanding is that I needed to come into the ASA on port 22 and then be forwarded to port 2002. When my access list was configured with "eq 2002" I saw the following error message,

Dec 03 2011 19:33:35: %ASA-4-106023: Deny tcp src outside:174.52.54.128/60556 dst inside:10.10.1.11/22 by access-group "ALLOW_FROM_OUTSIDE" [0x0, 0x0]

and of course, I was trying to SSH to <> 2002.

When I changed the ACL to "eq ssh" it all started working.

Thanks for your suggestions. It took me half a day to figure it out, but it is now done and working!!! Awesome

how to change default SSH port on ASA 5505 (port forwarding)

Hello Sebastian,

It is great to hear that everything is working fine now =)

Wow. I did not pay enough attention to that ACL when I wrote it down. Of course it has to point to the real destination port, because since 8.3 the access-list entries are checked after the NAT statements.

Hope this helps, and again, sorry for the mistake lol.

Have a good one

Julio!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
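The order of operations Julio describes, and the object-service/twice-NAT form in the accepted answer, are easy to get backwards, so here is an added example that is not part of the thread or of any Cisco code: a small Python model of the ASA 8.3+ inbound path for a static port-forward. It un-NATs the packet first and only then evaluates the interface ACL, against the real inside address and the real port, which is why "permit tcp any object SWITCH eq 2002" produces the "Deny tcp ... dst inside:10.10.1.11/22" syslog quoted above while "eq ssh" works. The object names, inside addresses and ports are the thread's; 203.0.113.1 stands in for the masked public IP, 198.51.100.7 is a made-up client, the packets are constructed, and the to-the-box branch is a simplification (on a real ASA, management access is decided by the `ssh` statement, not by the interface ACL).

```python
"""Model of the ASA 8.3+ inbound path for a static port-forward.

Added example, not code from the thread or from Cisco.  It reproduces the
ordering the thread establishes: UN-NAT first, then the interface ACL, with
the ACL evaluated against the REAL (inside) address and REAL port.
Object names, inside addresses and ports come from the thread; the public
address and the client address are placeholders and the packets are
constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

OUTSIDE_IP = "203.0.113.1"   # stands in for the thread's masked <pub IP>
CLIENT = "198.51.100.7"      # constructed Internet client


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticServiceNat:
    """nat (inside,outside) source static REAL interface service REAL_SVC MAPPED_SVC"""
    real_ip: str
    real_port: int      # REAL_SVC   (service tcp source eq ssh)
    mapped_port: int    # MAPPED_SVC (service tcp source eq 2002); mapped address is the outside interface


@dataclass(frozen=True)
class Ace:
    """access-list NAME extended permit tcp any object X eq PORT"""
    dst_ip: str
    dst_port: int
    action: str = "permit"


def un_nat(pkt: Packet, rules: List[StaticServiceNat]) -> Tuple[Packet, Optional[StaticServiceNat]]:
    """UN-NAT phase: the first rule whose mapped (interface) port matches rewrites mapped -> real."""
    for rule in rules:
        if pkt.dst_ip == OUTSIDE_IP and pkt.dst_port == rule.mapped_port:
            return replace(pkt, dst_ip=rule.real_ip, dst_port=rule.real_port), rule
    return pkt, None


def acl_lookup(pkt: Packet, acl: List[Ace]) -> str:
    """Interface ACL, evaluated on the packet AFTER un-NAT (8.3+ semantics); implicit deny at the end."""
    for ace in acl:
        if ace.dst_ip == pkt.dst_ip and ace.dst_port == pkt.dst_port:
            return ace.action
    return "deny"


def trace(pkt: Packet, rules: List[StaticServiceNat], acl: List[Ace],
          ssh_to_box_from_outside: bool = True) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (verdict, phases) in the spirit of `packet-tracer input outside tcp ...`."""
    phases: List[Tuple[str, str]] = []
    real, rule = un_nat(pkt, rules)
    if rule is None:
        phases.append(("UN-NAT", "no static rule matched; destination stays %s:%d" % (real.dst_ip, real.dst_port)))
        # Simplification: a packet for the ASA's own SSH port is to-the-box traffic, which the
        # `ssh <net> <mask> outside` statement decides instead of the interface ACL.
        if real.dst_ip == OUTSIDE_IP and real.dst_port == 22:
            if ssh_to_box_from_outside:
                phases.append(("TO-BOX", "handled by the ASA's own SSH server"))
                return "allow", phases
            phases.append(("TO-BOX", "no `ssh ... outside` entry for this source"))
            return "drop", phases
    else:
        phases.append(("UN-NAT", "%s:%d -> %s:%d" % (pkt.dst_ip, pkt.dst_port, real.dst_ip, real.dst_port)))
    verdict = acl_lookup(real, acl)
    phases.append(("ACCESS-LIST", "%s on %s:%d" % (verdict, real.dst_ip, real.dst_port)))
    return ("allow" if verdict == "permit" else "drop"), phases


# The thread's objects: SWITCH/ROUTER with REAL_SSH and the MAPPED_SSH_TO_* services.
ROUTER = StaticServiceNat("10.10.1.1", 22, 2001)
SWITCH = StaticServiceNat("10.10.1.11", 22, 2002)
RULES = [ROUTER, SWITCH]

ACL_WRONG = [Ace("10.10.1.11", 2002)]                      # "... object SWITCH eq 2002": the mapped port
ACL_RIGHT = [Ace("10.10.1.11", 22), Ace("10.10.1.1", 22)]  # "... object SWITCH eq ssh": the real port


def run_scenarios() -> Dict[str, str]:
    """Verdicts for the four situations the thread runs into."""
    to_switch = Packet(CLIENT, 60556, OUTSIDE_IP, 2002)
    to_asa = Packet(CLIENT, 60557, OUTSIDE_IP, 22)
    to_router = Packet(CLIENT, 60558, OUTSIDE_IP, 2001)
    return {
        "switch_acl_on_mapped_port": trace(to_switch, RULES, ACL_WRONG)[0],        # the 106023 deny
        "switch_acl_on_real_port": trace(to_switch, RULES, ACL_RIGHT)[0],          # the working config
        "public_ip_port_22": trace(to_asa, RULES, ACL_RIGHT)[0],                   # the ASA itself answers
        "router_with_nat_rule_missing": trace(to_router, [SWITCH], ACL_RIGHT)[0],  # acl-drop, NP Identity Ifc
    }


if __name__ == "__main__":
    for name, pkt, rules, acl in [
        ("wrong ACL (mapped port)", Packet(CLIENT, 60556, OUTSIDE_IP, 2002), RULES, ACL_WRONG),
        ("right ACL (real port)", Packet(CLIENT, 60556, OUTSIDE_IP, 2002), RULES, ACL_RIGHT),
        ("port 22 on public IP", Packet(CLIENT, 60557, OUTSIDE_IP, 22), RULES, ACL_RIGHT),
        ("router NAT rule missing", Packet(CLIENT, 60558, OUTSIDE_IP, 2001), [SWITCH], ACL_RIGHT),
    ]:
        verdict, phases = trace(pkt, rules, acl)
        print(name, "->", verdict)
        for phase in phases:
            print("   ", *phase)
```

Running it prints packet-tracer-style phases for each scenario. The third scenario is also the answer to the opening question: with `ssh 0.0.0.0 0.0.0.0 outside` in the posted config, the ASA's own SSH server answers port 22 on the public address, so port 22 cannot be forwarded to the switch, and every Internet source is allowed to attempt a login to the firewall itself; limiting that statement to known management sources is the usual hardening.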
New Member

how to change default SSH port on ASA 5505 (port forwarding)

Hello,

I was wondering if you can assist me with this issue again. So here is what happened. The issue described above was resolved a long time ago, but then the config also changed. I have not saved the config and I'm unable to restore the SSH access to the Cisco 1841. Here is the setup.

ASA5505--->Cisco1841--->Cat2960

Code

ASA asa831-k8.bin

Cisco 1841 c1841-adventerprisek9-mz.151-4.M2.bin

Cat 2960 c2960-lanbasek9-mz.122-55.SE1.bin

Let's start with the SSH issue to the router from the outside world. Here is my current config on the ASA for port forwarding so the router can be accessed via SSH.

relevant config on the router

ip ssh port 2001 rotary 1
line vty 0 4
 rotary 1

relevant config on the asa

object network ROUTER
 host 10.10.1.1
!
object service REAL_SSH
 service tcp source eq ssh
!
object service MAPPED_SSH_TO_ROUTER
 service tcp source eq 2001
!
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq ssh
!
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER
!

Here is my understanding of what should happen with the above config. As I SSH to the outside (public) IP on port 2001, the NAT is checked, then the ACL, and then the routing decision is made. When the above config is applied and I attempt to test my SSH access to the Cisco 1841, I see no hits on the NAT rule or the ACL; the log, however, has the following message:

"TCP request discarded from 174.232.132.244/4653 to outside:50.73.41.25/2001"

Any thoughts?

Thanks in advance.

how to change default SSH port on ASA 5505 (port forwarding)

Hello Sebastian,

Very good you understood the configuration from last time.

Can you do the following:

packet-tracer input outside tcp 8.8.8.8 1025 outside_ip 2001

Remember to rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

how to change default SSH port on ASA 5505 (port forwarding)

Hi, and thanks for the quick response. Sorry, I meant to include the output of the packet tracer with my original post, I just forgot to do it.

Here it is,

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in  <>     255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

As you can see, the flow is being dropped by the ACL. I'm not sure why.

Here is a bit more config for the additional NAT that I have on this ASA:

nat (outside,outside) source dynamic SSL_VPN_CLIENTS interface
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSL_VPN_CLIENTS SSL_VPN_CLIENTS
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER
nat (inside,outside) dynamic interface

The VPN NAT works.

The above-mentioned ACL, ALLOW_FROM_OUTSIDE, in addition to this line

access-list ALLOW_FROM_OUTSIDE line 3 extended permit tcp any object ROUTER eq ssh

only allows ICMP; nothing else is allowed.

Thanks

how to change default SSH port on ASA 5505 (port forwarding)

Hello Sebastian,

Make sure you can ping the router ip over the inside interface in order to check the routing.

A show route will help us.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

how to change default SSH port on ASA 5505 (port forwarding)

hello,

So yes, all of that looks good as well. Sorry for not posting it before.

show route inside

Gateway of last resort is x.x.x.x to network 0.0.0.0

O E2 10.10.1.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside
O E2 10.10.2.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside
O E2 10.10.3.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside
O E2 10.0.0.1 255.255.255.255 [110/20] via 10.10.200.2, 1193:02:47, inside
C    10.10.200.0 255.255.255.252 is directly connected, inside
!
ping 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

how to change default SSH port on ASA 5505 (port forwarding)

Hello,

Can you post the entire configuration, please?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: how to change default SSH port on ASA 5505 (port forwarding)

Hi,

Please see below.

fw-home01# show run

: Saved

:

ASA Version 8.3(1)

!

hostname fw-home01

domain-name sebastian.com

enable xxxxxxx

passwd xxxxxxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.10.200.1 255.255.255.252

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.252

!

interface Ethernet0/0

switchport access vlan 2

speed 100

duplex full

!

interface Ethernet0/1

speed 100

duplex full

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

boot system disk0:/asa831-k8.bin

ftp mode passive

clock timezone MTS -7

clock summer-time MST recurring

dns domain-lookup outside

dns server-group DefaultDNS

name-server 4.2.2.2

domain-name sebastian.com

same-security-traffic permit intra-interface

object network PAT_ANY

subnet 0.0.0.0 0.0.0.0

object network LOCAL_LAN

subnet 10.10.0.0 255.255.0.0

object network SSL_VPN_CLIENTS

subnet 172.16.16.0 255.255.255.0

object network ROUTER

host 10.10.1.1

object service MAPPED_SSH_TO_ROUTER

service tcp source eq 2001

object service REAL_SSH

service tcp source eq ssh

access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq ssh

access-list NO_NAT_VPN extended permit ip 10.10.0.0 255.255.0.0 172.16.16.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging buffer-size 8092

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool SSL_VPN_CLIENTS 172.16.16.10-172.16.16.20 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

nat (outside,outside) source dynamic SSL_VPN_CLIENTS interface

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSL_VPN_CLIENTS SSL_VPN_CLIENTS

nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER

!

object network PAT_ANY

nat (inside,outside) dynamic interface

access-group ALLOW_FROM_OUTSIDE in interface outside

!

router ospf 1

network 10.10.200.0 255.255.255.252 area 0

log-adj-changes

default-information originate

!

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

no crypto isakmp nat-traversal

no vpn-addr-assign dhcp

telnet 10.10.2.0 255.255.255.0 inside

telnet timeout 15

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

ssh version 2

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 204.123.2.5

ntp server 204.34.198.40

webvpn

enable inside

enable outside

svc image disk0:/anyconnect-win-2.5.6005-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy SSL_CLIENT_POLICY internal

group-policy SSL_CLIENT_POLICY attributes

dns-server value 8.8.8.8 4.2.2.2

vpn-tunnel-protocol svc

address-pools value SSL_VPN_CLIENTS

username xxxxxxx

username xxxxxxx

tunnel-group SSL_CLIENT_PROFILE type remote-access

tunnel-group SSL_CLIENT_PROFILE general-attributes

default-group-policy SSL_CLIENT_POLICY

tunnel-group SSL_CLIENT_PROFILE webvpn-attributes

group-alias HOME_VPN enable

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect pptp

  inspect http

  inspect ip-options

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:f8d03501537180042df91135e87d3b40

Re: how to change default SSH port on ASA 5505 (port forwarding)

Hello Sebastian,

What I thought! A routing issue.

object network ROUTER
 host 10.10.1.1

And your ASA interface is on the subnet

ip address 10.10.200.1 255.255.255.252

The ASA does not know how to get to the 10.10.1.0 subnet.

Remember to rate all the helpful posts.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: how to change default SSH port on ASA 5505 (port forwarding)

Hi there,

So routing should not be a problem; check out the output below. The ASA knows of the destination 10.10.1.1 via OSPF from the Cisco 1841, it is the 10.10.1.0/24 route. As you can see below, it can also ping the destination from its directly connected interface, 10.10.200.1.

show route inside

Gateway of last resort is x.x.x.x to network 0.0.0.0

O E2 10.10.1.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside
O E2 10.10.2.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside
O E2 10.10.3.0 255.255.255.0 [110/20] via 10.10.200.2, 1193:02:47, inside
O E2 10.0.0.1 255.255.255.255 [110/20] via 10.10.200.2, 1193:02:47, inside
C    10.10.200.0 255.255.255.252 is directly connected, inside
!
ping 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Re: how to change default SSH port on ASA 5505 (port forwarding)

Hello Sebastian,

Thanks for the output, I see what you mean...

Are you sure this is the packet tracer you are running?

packet-tracer input outside tcp 8.8.8.8 1025 outside_ip 2001

I don't see anything wrong in the configuration.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: how to change default SSH port on ASA 5505 (port forwarding)

Hi,

I don't see anything wrong with the config either, and yes, the packet tracer is what I'm running.

Re: how to change default SSH port on ASA 5505 (port forwarding)

Hello Sebastian,

Well, time for captures...

capture capout interface outside match tcp host host_test host interface_outside eq 2001
capture capin interface inside match tcp host host_test host router_ip eq 22
cap asp type asp-drop all circular-buffer

host_test is the one you use to attempt to connect. After you attempt to connect, provide me the following:

show cap capin
show cap capout
show cap asp | include host_test

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: how to change default SSH port on ASA 5505 (port forwarding)

Hi,

So yeah, I'm capturing the traffic on the outside interface but I see nothing being captured on the inside interface, which makes sense because the flow is denied on the outside, for some reason. Here are the outputs.

capture capout interface outside match tcp host 65.130.164.80 host <> eq 2001

capture capout type raw-data interface outside [Capturing - 254 bytes]
  match tcp host 65.130.164.80 host <> eq 2001
!
capture capin interface inside match tcp host 65.130.164.80 host 10.10.1.1 eq 22

capture capin type raw-data [Capturing - 0 bytes]
  match tcp host 65.130.164.80 host 10.10.1.1 eq ssh
!
cap asp type asp-drop all circular-buffer

show cap asp | include 65.130.164.80

  1: 17:38:10.267228 802.1Q vlan#2 P0 65.130.164.80.49358 > <>.2001: S 660698663:660698663(0) win 8192
  2: 17:38:13.269944 802.1Q vlan#2 P0 65.130.164.80.49358 > <>.2001: S 660698663:660698663(0) win 8192
  3: 17:38:19.270585 802.1Q vlan#2 P0 65.130.164.80.49358 > <>.2001: S 660698663:660698663(0) win 8192
162: 18:32:10.564103 802.1Q vlan#2 P0 65.130.164.80.49459 > <>.2001: S 3707916984:3707916984(0) win 8192
163: 18:32:13.561021 802.1Q vlan#2 P0 65.130.164.80.49459 > <>.2001: S 3707916984:3707916984(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
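The `show cap asp` lines above and the `%ASA-4-106023` message earlier in the thread are the two pieces of evidence the troubleshooting turns on: SYNs retransmitted with the same sequence number and never answered, and a flow dropped by an access-group. As an added example that is not part of the thread or of any Cisco tool, the following Python parses both formats and reduces a capture to one summary per flow (SYN count, how many of those SYNs were retransmissions, and the drop reason if the asp-drop buffer recorded one). The sample lines are the thread's own, with the masked public address replaced by the placeholder 203.0.113.1; the parser assumes the field layout shown in those lines.

```python
"""Parse ASA asp-drop capture lines and %ASA-4-106023 deny syslogs.

Added example, not from the thread or from Cisco.  Reduces `show cap asp`
output to one summary per flow (SYN count, retransmissions, drop reason) and
pulls the 5-tuple and access-group out of a 106023 deny message.  Sample
lines are the thread's, with the masked public address replaced by the
placeholder 203.0.113.1.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# One packet line of `show cap asp`.  The dot1q prefix is optional; a trailing
# "Drop-reason: (code) text" is present only on the packet the ASA dropped.
CAP_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<time>[\d:.]+)\s+"
    r"(?:802\.1Q\s+vlan#\d+\s+P\d\s+)?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[A-Z.]+)\s+(?P<seq>\d+):\d+\(\d+\)"
    r".*?(?:Drop-reason:\s+\((?P<code>[\w-]+)\)\s+(?P<reason>.*?))?\s*$"
)

# %ASA-4-106023: Deny tcp src outside:A/p dst inside:B/q by access-group "NAME" [...]
DENY_RE = re.compile(
    r"%ASA-\d-106023:\s+Deny\s+(?P<proto>\w+)\s+src\s+(?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)\s+"
    r"dst\s+(?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)\s+by\s+access-group\s+\"(?P<acl>[^\"]+)\""
)

# Constructed sample: the thread's capture and syslog, public IP replaced by 203.0.113.1.
SAMPLE_ASP = """\
show cap asp | include 65.130.164.80
    1: 17:38:10.267228 802.1Q vlan#2 P0 65.130.164.80.49358 >  203.0.113.1.2001: S 660698663:660698663(0) win  8192
    2: 17:38:13.269944 802.1Q vlan#2 P0 65.130.164.80.49358 >  203.0.113.1.2001: S 660698663:660698663(0) win  8192
    3: 17:38:19.270585 802.1Q vlan#2 P0 65.130.164.80.49358 >  203.0.113.1.2001: S 660698663:660698663(0) win  8192
  162: 18:32:10.564103 802.1Q vlan#2 P0 65.130.164.80.49459 > 203.0.113.1.2001: S 3707916984:3707916984(0) win 8192
  163: 18:32:13.561021 802.1Q vlan#2 P0 65.130.164.80.49459 > 203.0.113.1.2001: S 3707916984:3707916984(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
"""
SAMPLE_DENY = ('Dec 03 2011 19:33:35: %ASA-4-106023: Deny tcp src outside:174.52.54.128/60556 '
               'dst inside:10.10.1.11/22 by access-group "ALLOW_FROM_OUTSIDE" [0x0, 0x0]')


@dataclass(frozen=True)
class CapPacket:
    idx: int
    time: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int
    drop_code: Optional[str]
    drop_reason: Optional[str]

    @property
    def flow(self) -> str:
        return "%s:%d > %s:%d" % (self.src, self.sport, self.dst, self.dport)


@dataclass
class FlowSummary:
    syns: int = 0
    retransmits: int = 0      # SYNs that repeated an ISN already seen: the client got no SYN-ACK
    drop: Optional[str] = None


def parse_asp_capture(text: str) -> List[CapPacket]:
    """Parse every packet line; header and blank lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if not m:
            continue
        packets.append(CapPacket(
            int(m["idx"]), m["time"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
            m["flags"], int(m["seq"]), m["code"], m["reason"]))
    return packets


def summarize_flows(packets: List[CapPacket]) -> Dict[str, FlowSummary]:
    """Collapse packets into one summary per flow, keyed "src:sport > dst:dport"."""
    flows: Dict[str, FlowSummary] = {}
    seen_isn: Dict[str, Set[int]] = {}
    for p in packets:
        f = flows.setdefault(p.flow, FlowSummary())
        isns = seen_isn.setdefault(p.flow, set())
        if p.flags == "S":
            f.syns += 1
            if p.seq in isns:
                f.retransmits += 1
            isns.add(p.seq)
        if p.drop_code:
            f.drop = p.drop_code
    return flows


def parse_deny_syslog(line: str) -> Optional[Dict[str, str]]:
    """5-tuple, interfaces and access-group from a 106023 message; None if the line is not one."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for flow, s in summarize_flows(parse_asp_capture(SAMPLE_ASP)).items():
        print("%-45s syn=%d retransmit=%d drop=%s" % (flow, s.syns, s.retransmits, s.drop))
    print(parse_deny_syslog(SAMPLE_DENY))
```

On the sample both flows show the same symptom, repeated SYNs carrying the same ISN with no reply, but only the last packet carries a recorded drop reason, so the per-flow summary is what tells you which attempts the asp-drop buffer actually explained. The 106023 message is the one to grep for when the ACL is the suspect: it names the access-group and the real, post-un-NAT destination (10.10.1.11/22), which is exactly the address and port the interface ACL must permit.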

Re: how to change default SSH port on ASA 5505 (port forwarding)

Hello Sebastian,

Loved the last one, flow is denied by configured rule.

Gooood, what are we misiiiiiing.....

object service MAPPED_SSH_TO_ROUTER
 service tcp source eq 2001
object service REAL_SSH
 service tcp source eq ssh
object network ROUTER
 host 10.10.1.1
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq ssh
access-group ALLOW_FROM_OUTSIDE in interface outside
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER

Man... I mean, I think it is time to save the configuration and do a reload.

Can you do that and let me know how it goes?

Remember to rate all the answers, for the community that is as important as a thanks

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: how to change default SSH port on ASA 5505 (port forwarding)

Hey,

Help me review this, but I do have the right config in there. Also, I did do the reload last night, same result, no joy, with the same output for the captures as well.

Fun one, isn't it?

Just to double-check, here is the config.

object service MAPPED_SSH_TO_ROUTER
 service tcp source eq 2001
!
object service REAL_SSH
 service tcp source eq ssh
!
object network ROUTER
 host 10.10.1.1
!
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER
!
access-list ALLOW_FROM_OUTSIDE extended permit tcp any object ROUTER eq ssh
!
access-group ALLOW_FROM_OUTSIDE in interface outside

Re: how to change default SSH port on ASA 5505 (port forwarding)

Hello Sebastian,

That is correct, the router will expect connections on port 21 but the ASA will receive it on its outside interface on port 2001....

Please review your inbox.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: how to change default SSH port on ASA 5505 (port forwarding)

Not sure what is going on as of right now. I don't think this is a code issue, but I may just give it a shot and upgrade.

Re: how to change default SSH port on ASA 5505 (port forwarding)

Check your inbox

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: how to change default SSH port on ASA 5505 (port forwarding)

Not sure what you mean?

Re: how to change default SSH port on ASA 5505 (port forwarding)

Private message in here

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: how to change default SSH port on ASA 5505 (port forwarding)

Hi, did you have a chance to check your private message?


New Member

how to change default SSH port on ASA 5505 (port forwarding)

Sorry for interrupting this thread, but is this also the procedure to use if you want SSH access from outside to inside/DMZ and use port 2222 or 22222 or something like that?

New Member

Re: how to change default SSH port on ASA 5505 (port forwarding)

No interruption here :). Thanks for joining the thread. So yeah, it sounds like you are trying to accomplish the same thing as I am.

As of now, my port forwarding does not work. Give it a shot if you like, with a similar config, and see what results you get. I'm pretty sure that the config you find in this thread worked for me some time ago; then I removed it and just recently wanted to implement it again, no joy as of now though! I did not save my previous config, so there is a chance what's in this thread is incorrect. At the same time, my config seems to be pretty accurate if you compare it to the recommended config for port forwarding.

New Member

Re: how to change default SSH port on ASA 5505 (port forwarding)

I did resolve my issue; my NAT was causing me grief. I will post the config here in a couple of days.

New Member

Re: how to change default SSH port on ASA 5505 (port forwarding)

As I have mentioned before, my NAT config was causing me problems. Here is the config that is now working. I have also added port forwarding for a couple of other devices, as well as passing GRE through the ASA. I hope this will help in the future.

object network PAT_ANY
 subnet 0.0.0.0 0.0.0.0
!
object network LOCAL_LAN
 range 10.10.1.0 10.10.3.255
!
object network SSL_VPN_CLIENTS
 subnet 172.16.16.0 255.255.255.0
!
object network ROUTER
 host 10.10.1.1
!
object service REAL_SSH
 service tcp source eq ssh
!
object service MAPPED_SSH_TO_ROUTER
 service tcp source eq 2001
!
object network SWITCH
 host 10.10.1.11
!
object service MAPPED_SSH_TO_SWITCH
 service tcp source eq 2002
!
object network RDP
 host 10.10.2.21
!
object service REAL_RDP
 service tcp source eq 3389
!
object service MAPPED_RDP_TO_RDP
 service tcp source eq 3389
!
object network ACCESS_POINT_SSH
 host 10.10.1.20
!
object service MAPPED_SSH_TO_ACCESS_POINT_SSH
 service tcp source eq 2003
!
object network GRE
 host 10.10.200.2
!
!
access-list ALLOW_OUTSIDE_IN extended deny ip host 222.76.244.242 any
access-list ALLOW_OUTSIDE_IN extended deny ip host 202.117.3.104 any
access-list ALLOW_OUTSIDE_IN extended permit ip host 66.220.18.42 object IPV6_HOST
access-list ALLOW_OUTSIDE_IN extended permit tcp any object SWITCH eq ssh
access-list ALLOW_OUTSIDE_IN extended permit tcp any object ROUTER eq ssh
access-list ALLOW_OUTSIDE_IN extended permit tcp any object RDP eq 3389 inactive
access-list ALLOW_OUTSIDE_IN extended permit gre any object GRE
!
access-group ALLOW_OUTSIDE_IN in interface outside
!
nat (inside,outside) source static ROUTER interface service REAL_SSH MAPPED_SSH_TO_ROUTER
nat (inside,outside) source static SWITCH interface service REAL_SSH MAPPED_SSH_TO_SWITCH
nat (inside,outside) source static RDP interface service REAL_RDP MAPPED_RDP_TO_RDP inactive
nat (inside,outside) source static HTTPS interface service REAL_HTTPS MAPPED_HTTPS_TO_HTTP
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSL_VPN_CLIENTS SSL_VPN_CLIENTS no-proxy-arp route-lookup
nat (outside,outside) source dynamic SSL_VPN_CLIENTS interface
!
object network PAT_ANY
 nat (inside,outside) dynamic interface
object network GRE
 nat (inside,outside) static interface
object network IPV6_HOST
 nat (inside,outside) static interface
!
