Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Port forwarding not working despite correct configuration?

Our ASA-5505 has a single outside IP, and dynamic NAT for the LAN is working fine. I set up a static NAT rule for the outside IP to our internal SSH server and created an ACL that allows external connections to connect to the SSH port on the external IP so that the SSH port on the ASA-5505 is forwarded to the internal server. However, when I try to SSH from an external host, the connection times out, and the ASA logs that the connection is denied due to an ACL. To create this configuration I followed the Getting Started Guide and found several relevant guides both on Cisco.com and around the Internet, but the port forwarding isn't working and I'm pulling my hair out as to why the ACL which I already explicitly created isn't working. Here's the relevant config lines; if you need more information please reply.

access-list outside_access_in extended permit tcp any host X.X.X.X eq ssh log

static (inside,outside) X.X.X.X 192.168.18.51 netmask 255.255.255.255

access-group outside_access_in in interface outside

I sanitized the external IP to X.X.X.X for privacy.

2 ACCEPTED SOLUTIONS

Accepted Solutions
Green

Re: Port forwarding not working despite correct configuration?

If x.x.x.x is outside interface address on ASA then you need to do this...

static (inside,outside) tcp interface 22 192.168.18.51 22 netmask 255.255.255.255

access-list outside_in permit tcp any interface eq 22

access-group outside_ in in interface outside

Green

Re: Port forwarding not working despite correct configuration?

If x.x.x.x is outside interface then you actually need to use the word "interface" in the static and acl, not x.x.x.x.

4 REPLIES
Green

Re: Port forwarding not working despite correct configuration?

If x.x.x.x is outside interface address on ASA then you need to do this...

static (inside,outside) tcp interface 22 192.168.18.51 22 netmask 255.255.255.255

access-list outside_in permit tcp any interface eq 22

access-group outside_ in in interface outside

Community Member

Re: Port forwarding not working despite correct configuration?

static (inside,outside) tcp X.X.X.X ssh 192.168.18.51 ssh netmask 255.255.255.255

Didn't change the ACL, and I still get:

TCP access denied by ACL from to outside:X.X.X.X/22

In the logs.

Green

Re: Port forwarding not working despite correct configuration?

If x.x.x.x is outside interface then you actually need to use the word "interface" in the static and acl, not x.x.x.x.

Community Member

Re: Port forwarding not working despite correct configuration?

Ah, excellent. Now everything is working. Thanks a ton!

221
Views
0
Helpful
4
Replies
CreatePlease to create content