Cisco Support Community
PAT ASA 5520

Hi guys,

I have to configure a Cisco ASA 5520. The goal is to forward traffic arriving on port 400 of the OUTSIDE interface to port 22 of a server behind the INTERNAL interface (IP 192.168.1.1). So far quite easy... at least on every firewall I've configured so far.

To do that, I have performed the following tasks:

1. I have set up the INSIDE interface with security level 100 and OUTSIDE with security level 0.

2. I have created an access rule on the firewall via ASDM 6.4 in order to allow the traffic to pass through the firewall from OUTSIDE to INSIDE (specifying the source IP, of course).

3. I have created a static NAT rule so that all the traffic arriving from that particular host and destined for the OUTSIDE interface (port 400) is forwarded to the INSIDE interface (port 22).

I expected it to be enough, but all the packets are discarded by the implicit incoming rule on the OUTSIDE interface. Can you please help me find out what's wrong with my configuration?

Thanks in advance,

Dario

8 REPLIES

PAT ASA 5520

Please note that the traffic passing through is ssh.

PAT ASA 5520

Hi Dario,

You forgot to mention the software version on the ASA. If it is 8.3 or higher, please make sure you allow the private IP of your server on the ACL configured on the OUTSIDE interface, because there is a syntax change in those codes. Also, if you can, share the configuration that you've done so far for the server.

Hope that helps.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC

PAT ASA 5520

Hi Varun,

The ASA version is 8.2(5). Here below is the part of the configuration we are talking about (created by ASDM):

interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 210.193.170.26 255.255.255.248
!
interface GigabitEthernet0/2
 nameif INTERNAL
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object-group service MYSERVICE tcp
 port-object eq 400
object-group network INT1
access-list OUTSIDE_access_in extended permit ip host CHECKPOINT_FW 192.168.1.0 255.255.255.0
global (OUTSIDE) 1 interface
nat (INTERNAL) 1 192.168.1.0 255.255.255.0
static (OUTSIDE,INTERNAL) tcp APVI1 ssh CHECKPOINT_FW 400 netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 CHECKPOINT_FW 1

Does it make sense?

thanks,

Dario

PAT ASA 5520 (accepted solution)

Nope, I don't think so. After going through your requirements, this is what you would need:

access-list OUTSIDE_access_in extended permit ip any interface OUTSIDE eq 400
access-group OUTSIDE_access_in in interface OUTSIDE
static (INTERNAL,OUTSIDE) tcp interface 400 APVI1 ssh netmask 255.255.255.255

This configuration is for the case where anyone on the internet wants to access the server: the request would come in on port 400 of the OUTSIDE interface and would get translated to the inside server on port 22. I am not sure what IP CHECKPOINT_FW is, since it is not given in the configuration above.

You can try the above and it would work.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC

PAT ASA 5520

Hi Varun,

I have replaced the IP with a generic "CHECKPOINT_FW" because it is a public IP and I cannot risk putting any sensitive data of my customer on the internet :-).

I will try your config in a few minutes and let you know.

Thanks,

Dario

PAT ASA 5520

Sure, I'll wait for your update.

Varun

Thanks, Varun Rao Security Team, Cisco TAC

PAT ASA 5520

It worked perfectly. Just the "eq 400" gives me a syntax error. Now I just have to restrict the access on port 400 to CHECKPOINT_FW and everything will be perfect.

I've spent all day with ASDM and I think I will use it only to check the logs.

Thank you a lot for your help.

Dario
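Putting Varun's accepted answer together with Dario's last step (restricting port 400 to the Checkpoint only), the following is the complete 8.2 configuration with the 8.3+ equivalent and the CLI checks. This is an added example, not configuration from the thread. The interface names and the OUTSIDE address are the ones Dario posted; 192.168.1.10 for APVI1 and 203.0.113.10 for CHECKPOINT_FW are placeholders for the addresses the thread redacts.

```cisco
! Added example (not from the thread). ASA 8.2(5); interface names and the
! OUTSIDE address as posted. APVI1 = 192.168.1.10 and CHECKPOINT_FW =
! 203.0.113.10 are placeholders for the redacted addresses.
names
name 192.168.1.10 APVI1
name 203.0.113.10 CHECKPOINT_FW
!
! --- As posted (does not work) ---
! static (OUTSIDE,INTERNAL) tcp APVI1 ssh CHECKPOINT_FW 400 netmask 255.255.255.255
!   Interfaces reversed. The 8.2 form is
!   static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port netmask mask
!   so this line translates the Checkpoint as seen from INTERNAL, not the server.
! access-list OUTSIDE_access_in extended permit ip host CHECKPOINT_FW 192.168.1.0 255.255.255.0
!   On 8.2 an inbound ACL is matched against the packet BEFORE un-NAT, so the
!   destination it sees is the OUTSIDE interface address on port 400, never
!   192.168.1.x. Nothing matches and the implicit deny at the end of the ACL
!   drops the packet, which is exactly what the log showed.
!
! --- Corrected 8.2 configuration ---
! OUTSIDE interface :400 -> APVI1 :22 (static PAT on the interface address).
static (INTERNAL,OUTSIDE) tcp interface 400 APVI1 ssh netmask 255.255.255.255
! Permit only the Checkpoint, and only to the mapped port. A port match needs
! a tcp/udp entry; "permit ip ... eq 400" is rejected by the parser.
access-list OUTSIDE_access_in extended permit tcp host CHECKPOINT_FW interface OUTSIDE eq 400
access-group OUTSIDE_access_in in interface OUTSIDE
! The existing dynamic PAT for outbound traffic is unaffected and stays as is:
! global (OUTSIDE) 1 interface
! nat (INTERNAL) 1 192.168.1.0 255.255.255.0
!
! --- Same requirement on 8.3 and later, for comparison ---
! object network APVI1
!  host 192.168.1.10
!  nat (INTERNAL,OUTSIDE) static interface service tcp ssh 400
! access-list OUTSIDE_access_in extended permit tcp host CHECKPOINT_FW object APVI1 eq ssh
!   Here the ACL is evaluated after un-NAT and must name the real address and
!   the real port, which is the syntax change Varun refers to.
!
! --- Verify on the box before asking the Checkpoint side to test ---
! packet-tracer input OUTSIDE tcp 203.0.113.10 40000 210.193.170.26 400 detailed
!   Expect the NAT phase to cite the static line and the final result to be
!   "Action: allow". Re-run with any other source address: it must end in
!   "Action: drop", which confirms the source restriction is in force.
! show xlate | include 192.168.1.10
! show access-list OUTSIDE_access_in
```

The source restriction is the part worth keeping even after the forward works: without the `host CHECKPOINT_FW` qualifier, the static line exposes the server's SSH port to the whole internet on TCP/400, and a non-standard port is not a substitute for limiting who may reach it.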

PAT ASA 5520

Hey, that's good to know, all the best. Let me know if you face any further issues.

Take care,

Varun

Thanks, Varun Rao Security Team, Cisco TAC