11-28-2013 02:52 AM - edited 03-12-2019 06:05 PM
Hi, I'm stuck!
I can't seem to get port forwarding to work. I want a server in the internal network (192.168.2.39) to be accessible from the outside.
I've added a static NAT rule
Interface: inside
Source: 192.168.2.39
Translated
Interface: Outside
Used Interface IP Address
Port Address Translation (PAT)
Protocol: TCP
Original Port: 22
Translated Port: 22
And an Access rule
Interface: outside
Action: Permit
Source: any
Destination: My WAN ip address
Service: ssh/22
Enable Logging: Checked
But I get no hits when I try to connect to my server in the internal network from outside. What am I doing wrong?
Obviously I'm totally new to this!
While I'm at it, I would like to make the IP address of the server (192.168.2.39) static. Is it possible to make the DHCP lease infinite for 192.168.2.39, or is there a better way to do it?
Appreciate any help
Thanks in advance
Best regards
\L
11-30-2013 08:48 AM
More information is needed, please post the configuration
Value our effort and rate the assistance!
12-01-2013 08:02 PM
I get your point on the documentation; what I need is the NAT rule configuration. If not, I don't know how you are configuring it, or if there are other NAT rules affecting it, or, or, or... you get my point, we need the config.
If you cannot post any further detail please open a TAC case.
Value our effort and rate the assistance!
12-02-2013 02:28 AM
Sorry, how do I get my configuration?
I'm a total noob when it comes to this device.
12-02-2013 02:34 AM
Hi,
If you want the CLI format configuration from the ASDM then you should be able to get it like this
Tools menu (at the top) -> Command Line Interface -> Type "show run" in the command field -> Press the Send button -> Copy/paste the output here
Remember to remove/mask any sensitive information
- Jouni
12-02-2013 02:39 AM
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XXX.XXX.154 255.255.255.248
!
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XX.XXX.XXX.153 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http XXX.XXX.XXX.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.10-192.168.2.250 inside
dhcpd dns XX.XXX.XX.10 XX.XXX.XX.20 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum: ---
: end
12-02-2013 02:50 AM
Hi,
First of all, one thing to consider here is the fact that the ASA also allows management connections through SSH, though you don't seem to be using it. What I mean is that if you have any plans to manage the ASA through SSH from the external network, then you would be better off changing this Static PAT (Port Forward) configuration's public port to something other than the default TCP/22. This would leave you room to start using SSH at some point from the external network.
The Static PAT (Port Forward) configuration and the ACL that will allow the traffic could be accomplished in the following way:
static (inside,outside) tcp interface 222 192.168.2.39 22 netmask 255.255.255.255
access-list OUTSIDE-IN remark Allow SSH
access-list OUTSIDE-IN permit tcp any interface outside eq 222
access-group OUTSIDE-IN in interface outside
Notice that the above example uses a nondefault port of TCP/222 towards the external/public network. You can naturally change it to the default TCP/22 or even something else. If you change the port from the above, then also remember to change the port in the "access-list" configuration above.
You can insert this configuration from the same place as I mentioned above.
The only change is that when you first go to Tools -> Command Line Interface you will then need to check the section Multiple Line which will let you attach multiple lines of configurations (the configurations above) and then press the button Send.
This should send the above configurations to the device and you should be able to access the internal device through the external/public network.
You can naturally change the ACL above if you want to allow traffic only from certain IP addresses and not from "any" source IP address.
- Jouni
12-02-2013 02:55 AM
Thank you, I will test this as soon as possible.
Is it possible to change the ssh port on the ASA to something else rather than 22 ?
I want to do this because I would like to have the default ssh port on my server in the internal network.
We use SSH on the ASA; it's an outside firm that handles some configuration of it, so it's just their IP range that is allowed to log in to the ASA from the outside.
EDIT: Sorry, you've already pointed that out.
Thanks for the help
Much appreciated!
Best regards
12-02-2013 03:02 AM
Hi,
To my understanding there is no way to change the SSH port on the ASA. The ASDM port is the only management connection whose port can be changed freely.
The other option is naturally that you configure a VPN Client connection to the ASA and connect to the "inside" interface IP address through the VPN with SSH or Telnet. Naturally this involves more configuration (to implement) but would let you use the default SSH port for the Static PAT (Port Forward) configuration.
Otherwise it seems you would be stuck using ASDM only from the external network. At least to my understanding the SSH port forward will affect the SSH management connectivity of the ASA itself, since you only have the one public IP address available.
Or do you actually have extra public IP addresses? I was looking at your external interface's network mask, which is /29, which would mean that you have a few public IP addresses free if you have the whole subnet for your own use. In that case you could configure Static NAT with another public IP address for this internal server and not affect the ASA SSH management at all.
- Jouni
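Two points from Jouni's answers above lend themselves to an automated check: the ACL port must match the static PAT's public port (the 02:50 AM post), and a PAT on the interface address with public port TCP/22 competes with the ASA's own SSH management listener (the 03:02 AM post). The script below is an added example, not code from the thread or from Cisco; it parses the ASA 8.2 `static`, `access-list` and `access-group` lines in the syntax shown in the answer and reports those two conditions plus an "any" source. The sample configuration is constructed (the ACL port was deliberately left at 22 after the PAT public port was changed to 222), and the helper names are hypothetical.

```python
import re

# Constructed sample in the ASA 8.2 syntax from the thread. The PAT public port
# is 222 but the ACL still says 22: the mismatch the answer warns about.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 222 192.168.2.39 22 netmask 255.255.255.255
access-list OUTSIDE-IN remark Allow SSH
access-list OUTSIDE-IN permit tcp any interface outside eq 22
access-group OUTSIDE-IN in interface outside
"""

# static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\d+) (?P<real_ip>\S+) (?P<real_port>\d+)"
)
ADDR = r"any|host \S+|interface \w+|\S+ \S+"  # the address forms an ACE can use
ACE_RE = re.compile(
    rf"^access-list (?P<name>\S+) permit (?P<proto>tcp|udp) "
    rf"(?P<src>{ADDR}) (?P<dst>{ADDR}) eq (?P<port>\d+)$"
)
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)$")


def parse(config):
    """Split a config into static PAT entries, permit ACEs and inbound ACL bindings."""
    statics, aces, groups = [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACE_RE.match(line):
            aces.append(m.groupdict())
        elif m := ACCESS_GROUP_RE.match(line):
            groups[m["iface"]] = m["name"]
    return statics, aces, groups


def check_port_forward(config):
    """Return (code, message) findings for every static PAT in the config."""
    statics, aces, groups = parse(config)
    findings = []
    for s in statics:
        mapped_if, port = s["mapped_if"], int(s["mapped_port"])
        # The ASA's SSH listener uses the interface address on TCP/22, so a PAT
        # on that address and port collides with ASA management (per the thread).
        if s["mapped_ip"] == "interface" and s["proto"] == "tcp" and port == 22:
            findings.append(("PAT_ON_SSH_PORT",
                             f"static PAT on {mapped_if} uses TCP/22, which the "
                             f"ASA's own SSH management also uses"))
        acl = groups.get(mapped_if)
        if acl is None:
            findings.append(("ACL_MISSING",
                             f"no access-group bound inbound on {mapped_if}"))
            continue
        # On 8.2 the inbound ACL matches the public (mapped) address.
        dst = (f"interface {mapped_if}" if s["mapped_ip"] == "interface"
               else f"host {s['mapped_ip']}")
        same_dst = [a for a in aces
                    if a["name"] == acl and a["proto"] == s["proto"] and a["dst"] == dst]
        hits = [a for a in same_dst if int(a["port"]) == port]
        if not hits:
            others = sorted({a["port"] for a in same_dst})
            if others:
                findings.append(("ACL_PORT_MISMATCH",
                                 f"{acl} permits {dst} on port(s) {', '.join(others)} "
                                 f"but the PAT public port is {port}"))
            else:
                findings.append(("ACL_MISSING",
                                 f"{acl} has no permit for {s['proto']} {dst} eq {port}"))
        for a in hits:
            if a["src"] == "any":
                findings.append(("ACL_ANY_SOURCE",
                                 f"{acl} permits {dst} eq {port} from any source; "
                                 f"consider restricting the source"))
    return findings


if __name__ == "__main__":
    for code, msg in check_port_forward(SAMPLE_CONFIG):
        print(f"{code}: {msg}")
```

Run it against the `show run` output pasted earlier in the thread (after adding the three lines from the answer) and it will report the mismatch if the ACL port was not updated along with the PAT port, and the SSH collision if TCP/22 was kept as the public port.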
12-02-2013 03:18 AM
I think we only have one IP address actually.
But I'll have to use a non standard port for my server then.
Thanks