12-01-2011 01:34 PM - edited 03-11-2019 02:58 PM
Hi,
I have a firewall which is connected to a Cisco 870 router.
The router only allows one IP address to SSH into it, which is 7.7.7.7, but the firewall interface which is connected to the router is 2.2.2.2 and the router interface is 2.2.2.1.
I can ping the router from the inside of my firewall, but I can't SSH into it, as it has an access list which will only allow SSH from the IP address 7.7.7.7.
Would it be possible to do a static NAT which can translate 2.2.2.2 to 7.7.7.7 when I SSH into the router from the inside?
Thanks
12-01-2011 01:50 PM
Hello John,
I would recommend instead using a host on the inside or DMZ (if you have one) interface, NATted to 7.7.7.7, then getting access into the router and allowing SSH communications from 2.2.2.2 as well.
Hope this helps.
Julio
12-01-2011 01:58 PM
Hi,
Thanks. I can use a host with the IP address 192.168.10.1, which is on the inside of my LAN.
The problem I have is I'm not sure my command is correct:
static(inside,outside) 7.7.7.7 eq 22 192.168.10.1 eq 22 netmask 255.255.255.255
Would this be correct? I ONLY want the SSH traffic to be applied in the static NAT, hence the port 25.
Thanks
12-01-2011 02:27 PM
Hello,
The router is on the outside of your network, right? Inside-ASA-----Outside--Router---Internet
In fact you do not need a static, because a static is a permanent bidirectional translation, and in this case all you need is to NAT the internal host to a specific IP address when it reaches the router on the outside, so let's use a global policy NAT.
So let's make this work:
access-list TEST permit tcp host 192.168.10.1 host 2.2.2.1 eq 22
nat (inside) 17 access-list TEST
global (outside) 17 7.7.7.7
Please rate helpful posts,
Regards,
Julio
12-01-2011 02:31 PM
That's correct.
I'm not able to use a global NAT as it's already in use; I guess a static NAT would take precedence over the global NAT.
I also have a failover interface which is currently being used.
Is there a way where I can use a static NAT?
Thanks
12-01-2011 02:47 PM
Hello John,
Of course you can use the static NAT in this situation; that was just advice. Also remember that it does not matter if you are using a global NAT already: the more specific NAT entry of the globals will take precedence, and in our case this one will take it.
But do not worry, let's use a static if you want, but that will make the host use that IP address on all of its connections.
NOTE:(Port-forwarding is just for inbound connections)
access-list TEST permit tcp host 192.168.10.1 host 2.2.2.1 eq 22
static (inside,outside) 7.7.7.7 access-list TEST
Please rate helpful posts.
Regards,
Julio
12-01-2011 03:07 PM
Hi Julio,
Will this static NAT be applied to all the connections of the host?
I only want the NAT to be applied when I SSH into the 7.7.7.7 address.
Thanks
12-01-2011 03:17 PM
Hello John,
Take a look at the ACL; there is your answer.
Only for the destination 2.2.2.2 on port 22 (static policy NAT).
Regards,
Julio
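Worked example of the static policy NAT described in the two replies above, with verification commands. This is an added illustration, not Julio's posted configuration; it assumes pre-8.3 ASA syntax (as used in the thread), that the router's SSH listener is on its 2.2.2.1 interface, and that the router has a return route for 7.7.7.7 pointing back at the ASA.

```cisco
! Policy static NAT: only SSH from 192.168.10.1 to the router interface
! 2.2.2.1 is translated to 7.7.7.7. Every other flow from that host keeps
! whatever nat/global it already matches, so the host is not "burned" to
! 7.7.7.7 for all of its connections (contrast with a plain static).
access-list SSH-TO-ROUTER extended permit tcp host 192.168.10.1 host 2.2.2.1 eq 22
static (inside,outside) 7.7.7.7 access-list SSH-TO-ROUTER
!
! Assumption: the router must be able to route 7.7.7.7 back toward the
! ASA's outside interface (2.2.2.2); 7.7.7.7 is not in the 2.2.2.x link
! subnet, so proxy ARP alone will not carry the return traffic.
!
! Verification 1: simulate the SSH flow through the ASA and confirm the
! NAT phase shows the source mapped to 7.7.7.7 before any real attempt.
packet-tracer input inside tcp 192.168.10.1 40000 2.2.2.1 22
!
! Verification 2: a non-SSH flow from the same host to the router must
! NOT be mapped to 7.7.7.7 (it should hit the existing nat/global pair).
packet-tracer input inside tcp 192.168.10.1 40001 2.2.2.1 80
!
! Verification 3: after a real SSH session, the translation is visible.
show xlate
```

If the first packet-tracer shows the source unchanged, check that no broader static for 192.168.10.1 sits earlier in the configuration, since the first matching static wins.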
12-01-2011 03:18 PM
Thanks Julio,
I will try and post back.
12-01-2011 03:24 PM
Hello John
Sure, I will be waiting.
Regards,
Julio
12-01-2011 03:31 PM
Sorry, I meant I will try it in the morning and let you know tomorrow night.
Quick question: how do you learn so much? I want to be like you and be very good at firewalls; can you help me?
12-01-2011 03:37 PM
Hello John,
Thanks for those comments. It's all about loving what you do, researching every topic and going for certifications that will improve your performance as a Security Tech.
See ya tomorrow.
Julio