I have a firewall which is connected to a Cisco 870 router.
The router only allows one IP address to ssh into it, which is 22.214.171.124, but the interface on the firewall which is connected to the router is a 126.96.36.199 and the router interface is a 188.8.131.52.
I can ping the router from the inside of my firewall, but I can't ssh into it as it has an access list which will only allow ssh from the IP address 184.108.40.206.
Would it be possible to do a static NAT which can translate the 220.127.116.11 to a 18.104.22.168 when I ssh into the router when coming from the inside?
I would recommend instead using a host on the inside or DMZ (if you have one) interface, NATed into 22.214.171.124, then get access into the router and allow ssh communications from 126.96.36.199 as well.
Hope this helps.
Thanks, I can use a host with the IP address of 192.168.10.1, which is the inside of my LAN.
The problem I have is I'm not sure my cmd is correct:
static(inside,outside) 188.8.131.52 eq 22 192.168.10.1 eq 22 netmask 255.255.255.255
Would this be correct, I ONLY want the ssh traffic to be applied in the static nat hence the port 25?
The router is on the outside of your network, right?
Inside-ASA-----Outside--Router---Internet
In fact you do not need a static, because a static is a permanent bidirectional translation, and in this case all you need is to NAT the internal host to a specific IP address when it reaches the router on the outside, so let's use a Global Policy NAT.
So let's make this work:
access-list TEST permit tcp host 192.168.10.1 host 184.108.40.206 eq 22
nat (inside) 17 access-list TEST
global (outside) 17 220.127.116.11
Please rate helpful posts,
I'm not able to use a global NAT as it's already in use; I guess a static NAT would take precedence over global NAT.
I also have a failover interface which is currently being used.
Is there a way where I can use a static NAT?
Of course you can use the static NAT in this situation; that was just advice. Also remember that it does not matter if you are using a global NAT already: the more specific NAT entry of the globals will take precedence, and in our case this one will take it.
But do not worry, let's use a static if you want. But that will make the host use that IP address on all of its connections.
NOTE: (Port-forwarding is just for inbound connections)
static (inside,outside) 18.104.22.168 access-list TEST
Please rate helpful posts.
Would this static NAT be applied for all the connections of the host?
I only want the NAT to be applied when I ssh into the 22.214.171.124 address.
Can you take a look at the ACL, there is your answer.
Only for the destination 126.96.36.199 on port 22 (Static Policy Nat)
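The answer above, as an added example that is not part of the original thread: a simplified Python model of pre-8.3 ASA source-NAT selection, showing that a static policy NAT tied to access-list TEST rewrites the source only for flows the ACL matches, plus a check that the ACL stays scoped to one host and port 22. Every address except 192.168.10.1, the fallback nat/global rule, and all class and function names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Placeholders from documentation ranges, not values from the thread.
ROUTER = "203.0.113.1"          # router interface facing the firewall
SSH_SOURCE = "203.0.113.10"     # the one address the router's ACL lets SSH in
DEFAULT_GLOBAL = "203.0.113.2"  # assumed existing global (outside) address
INSIDE_NET = "192.168.10.0/24"  # assumed scope of the existing nat (inside) rule

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class AclEntry:                 # one "permit" line of access-list TEST
    proto: str
    src: str                    # CIDR form; /32 corresponds to "host"
    dst: str
    dport: Optional[int]        # None means any port

    def matches(self, f: Flow) -> bool:
        return (f.proto == self.proto
                and ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.dport in (None, f.dport))

# access-list TEST permit tcp host 192.168.10.1 host <router> eq 22
TEST = [AclEntry("tcp", "192.168.10.1/32", f"{ROUTER}/32", 22)]

def translate(f: Flow) -> tuple[str, str]:
    """Return (translated source, matching rule); static policy NAT is checked first."""
    if any(e.matches(f) for e in TEST):
        return SSH_SOURCE, "static policy NAT"
    if ip_address(f.src) in ip_network(INSIDE_NET):
        return DEFAULT_GLOBAL, "regular dynamic NAT"
    return f.src, "no translation"

def audit(acl: list[AclEntry]) -> list[str]:
    """Flag entries that would give the privileged source to more than one host's SSH."""
    return [f"entry {i}: too broad" for i, e in enumerate(acl)
            if e.dport != 22 or not e.src.endswith("/32")
            or not e.dst.endswith("/32")]
```

On the firewall itself, the hit count on access-list TEST and the translation table show the same thing for real traffic.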
Sure, I will be waiting.
Sorry, I meant I will try it in the morning and let you know tomorrow night.
Quick question, how do you learn so much? I want to be like you and be very good at firewalls, can you help me?
Thanks for those comments, it's all about loving what you do, researching every topic and going for certifications that will improve your performance as a Security Tech.
See ya tomorrow.