ISR with NAT behind an ASA with NAT - TCP port changes
Hi, I have an ISR in a DMZ behind an ASA; both are doing NAT. The ISR is the VPN tunnel termination point to remote sites, but I do need to SSH into it if the internet goes down (in the cloud). My issue is I need to SSH to the outside interface of the ISR and I am using NAT overload for the inside networks going through the interface, but no static PAT mapping. The ACLs are in place on the ISR and ASA, but the ISR is randomizing TCP ports due to NAT, and the ASA kills the connection as the conversation is not in its NAT table.
What I wanted to know is if there is any way to allow SSH to the outside interface of the ISR with NAT, or not change the TCP port numbers on outbound traffic?
I need to somehow add the IP of the outside address 192.168.10.1 to allow SSH in and not have the above NAT change the source port number. Can I add a 192.168.10.1 eq 22 192.168.10.1 eq 22 or something?
Re: ISR with NAT behind an ASA with NAT - TCP port changes
We have an ACL that works on the ASA and traffic passes through; the issue is the ISR is also NATing with no static for its outside interface. When it receives the traffic from the outside it changes the source TCP port on the reply packet (due to NAT), and the ASA received it and cannot put the SYN, SYN-ACK conversation together as one stream and drops the packet.