
ssh from internal to a DMZ host

Hi experts,

I need your help with an ACL because I am not very familiar with the ASA 5520 yet. I'm still studying.

I have been able to allow the OUTSIDE world to connect via SSH to the internal host 172.17.2.50 on my DMZ network. I've created a NAT rule and an ACL as written in the configuration below.

Now I need the INTERNAL network to ssh to 172.17.2.50, but the ASA stops me with the following error:

"%ASA-3-305006: {outbound static|identity|portmap|regular) translation creation failed for protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dest_address/dest_port [(idfw_user)]"

Can you please help me figure out a solution?

Here the configuration (I've removed the standard part):

========================================================================
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address ************ ************
!
interface GigabitEthernet0/1
 shutdown
 nameif INTERNAL
 security-level 100
 no ip address
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.18.2.1 255.255.255.0
!
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ssh
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE object-group DM_INLINE_TCP_1
access-list DMZ_access_in extended permit tcp any interface INTERNAL eq ssh
global (OUTSIDE) 1 interface
global (INTERNAL) 1 interface
nat (INTERNAL) 1 172.18.1.0 255.255.255.0
nat (DMZ) 1 172.18.2.0 255.255.255.0
static (DMZ,OUTSIDE) tcp interface ssh 172.17.2.50 ssh netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
========================================================================

Thanks,

Dario

1 ACCEPTED SOLUTION

ssh from internal to a DMZ host

Here is the configuration:

static (INTERNAL,DMZ) 172.18.1.0 172.18.1.0 netmask 255.255.255.0

then "clear xlate" to clear any existing translation before you test access.

Hope that helps.
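To see why the posted configuration fails and why the identity static above fixes it, here is a small Python model of the translation lookup a pre-8.3 ASA performs when a new connection arrives. It is an added illustration, not Cisco code, and it simplifies the real order of operations (NAT exemption and policy NAT are left out, the port static for 172.17.2.50 is modelled as a plain host static, and the source host 172.18.1.10 is a constructed value). The point it shows: a `nat (INTERNAL) 1` rule matches the INTERNAL host, but there is no `global (DMZ) 1` pool on the egress interface, so the ASA cannot build a translation and logs 305006; a `static (INTERNAL,DMZ)` for the same subnet supplies that translation directly.

```python
"""Simplified model of the pre-8.3 ASA "is there a translation?" decision.
Added example, not Cisco code. Ordering is simplified: static translations
are checked first, then dynamic nat/global pairs; NAT exemption is omitted.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AsaNatConfig:
    # nat (ifname) id network        -> dynamic rules on an ingress interface
    nat_rules: list = field(default_factory=list)     # (ifname, nat_id, network)
    # global (ifname) id ...         -> which nat ids have a pool on each egress interface
    global_pools: dict = field(default_factory=dict)  # ifname -> {nat_id, ...}
    # static (real_if,mapped_if) net -> fixed (identity or one-to-one) translations
    statics: list = field(default_factory=list)       # (real_if, mapped_if, network)

    def add_nat(self, ifname, nat_id, cidr):
        self.nat_rules.append((ifname, nat_id, ipaddress.ip_network(cidr)))

    def add_global(self, ifname, nat_id):
        self.global_pools.setdefault(ifname, set()).add(nat_id)

    def add_static(self, real_if, mapped_if, cidr):
        self.statics.append((real_if, mapped_if, ipaddress.ip_network(cidr)))


def translation_available(cfg, src_if, src_ip, dst_if):
    """Return (ok, reason) for a new connection entering src_if and leaving dst_if."""
    ip = ipaddress.ip_address(src_ip)
    # 1. a static between exactly this interface pair provides the translation
    for real_if, mapped_if, net in cfg.statics:
        if real_if == src_if and mapped_if == dst_if and ip in net:
            return True, f"static ({real_if},{mapped_if}) {net}"
    # 2. a dynamic nat rule on the ingress interface needs a global pool with
    #    the same id on the egress interface; without one the ASA drops the
    #    packet and logs %ASA-3-305006
    for ifname, nat_id, net in cfg.nat_rules:
        if ifname == src_if and ip in net:
            if nat_id in cfg.global_pools.get(dst_if, set()):
                return True, f"nat ({ifname}) {nat_id} -> global ({dst_if}) {nat_id}"
            return False, (f"%ASA-3-305006: regular translation creation failed: "
                           f"nat ({ifname}) {nat_id} matches {ip} but there is no "
                           f"global ({dst_if}) {nat_id}")
    # 3. no nat rule matched: with nat-control disabled (the default) the packet
    #    is forwarded untranslated
    return True, "no nat rule matches; forwarded untranslated"


def build_original():
    """The NAT statements from the configuration posted in the question."""
    cfg = AsaNatConfig()
    cfg.add_global("OUTSIDE", 1)
    cfg.add_global("INTERNAL", 1)
    cfg.add_nat("INTERNAL", 1, "172.18.1.0/24")
    cfg.add_nat("DMZ", 1, "172.18.2.0/24")
    # static (DMZ,OUTSIDE) tcp interface ssh 172.17.2.50 ssh ... is a port
    # static; modelled here as a host static for the DMZ->OUTSIDE pair
    cfg.add_static("DMZ", "OUTSIDE", "172.17.2.50/32")
    return cfg


def build_fixed():
    """Same configuration plus the identity static from the accepted answer."""
    cfg = build_original()
    cfg.add_static("INTERNAL", "DMZ", "172.18.1.0/24")   # static (INTERNAL,DMZ) 172.18.1.0 172.18.1.0
    return cfg


if __name__ == "__main__":
    # 172.18.1.10 is a constructed INTERNAL host inside the nat (INTERNAL) 1 subnet
    for name, cfg in (("original", build_original()), ("fixed", build_fixed())):
        ok, why = translation_available(cfg, "INTERNAL", "172.18.1.10", "DMZ")
        print(f"{name:8} INTERNAL->DMZ: {'ok' if ok else 'DROP'} ({why})")
```

Running it prints a drop with the 305006 reason for the original configuration and a hit on `static (INTERNAL,DMZ) 172.18.1.0/24` for the fixed one. The same model shows that INTERNAL to OUTSIDE and DMZ to OUTSIDE already worked, because both of those egress interfaces have a `global ... 1` pool; only the INTERNAL to DMZ pair was missing one. Remember that the real ASA keeps existing xlates, which is why the answer says to run `clear xlate` before testing.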

2 REPLIES

ssh from internal to a DMZ host

Thanks a lot Jennifer. It worked perfectly! :-)

This support is just awesome.
