ASA 5520 port forward not working

brent.cowing
Level 1

I've configured port forwarding for SSH on a non-standard port (8022) to be forwarded to an inside interface on port 22. I've created my NAT rule:

static (inside,outside) tcp interface 8022 10.11.11.232 22 netmask 255.255.255.255

and I've created my access rule:

access-list outside_access_in line 9 extended permit tcp 0.0.0.0 0.0.0.0 interface outside eq 8022

I've done packet tracer and I've run Wireshark, but no matter what, I don't see any packets getting to my inside host (10.11.11.232). Logs show:

Built inbound TCP connection 45801 for outside:xxx.xxx.xxx.xxx/63308 (xxx.xxx.xxx.xxx/63308) to inside:Ratin_Decoder/22 (xxx.xxx.xxx.xxx/8022

So I'm thinking that the NAT rule and the access list are good, but that somehow there is a route that is preventing the packet from getting to my inside host. Yet I can ping my inside host when SSH'd into the ASA.

So, I'm at a complete loss. Can someone help?

3 Replies

Jennifer Halim
Cisco Employee

Can you please share your ASA configuration so we can check whether there is other configuration that might prevent the access.

If you try to telnet on port 8022 from the outside, does that open the connection?

Also, I assume that you get a hitcount on your access-list line 9 when you try to SSH from the outside?

I think I've identified the issue. After some more wiresharking, I was able to see that packets were in fact getting to my internal host. But nothing was getting back out.

I think this is due to a dual gateway setup I have.  The default gateway for my host is set up to go back out a different public IP than what it is coming in on.  If I manually set the default gateway on my host to be the same as the gateway my port forward is on, then it works.

Should my dual gateway setup work?  Or am I being less than smart thinking it should?

Thanks for the response.

Thanks for the update, and yes, you have exactly identified the issue. The ASA expects traffic of the same session to go in and out through the same interface, i.e. the internal interface. If it receives a packet of an existing connection on a different interface, it will drop the packet.
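As an added example that is not part of this thread, the Python check below reads ASA 302013/302014 connection syslog messages and flags connections that were built inbound but torn down with zero bytes and a "SYN Timeout" reason, which is the footprint the asymmetric return path discussed above leaves in the logs. The sample lines are constructed (RFC 5737 addresses), and the exact message layout, the reason text and the helper names are assumptions rather than anything quoted from the thread.

```python
import re

# Constructed sample ASA syslog lines (not from the thread); addresses use RFC 5737
# documentation ranges. Layout assumes the %ASA-6-302013 / 302014 message format.
SAMPLE_LOGS = """\
%ASA-6-302013: Built inbound TCP connection 45801 for outside:203.0.113.10/63308 (203.0.113.10/63308) to inside:10.11.11.232/22 (198.51.100.5/8022)
%ASA-6-302014: Teardown TCP connection 45801 for outside:203.0.113.10/63308 to inside:10.11.11.232/22 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 45802 for outside:203.0.113.10/63310 (203.0.113.10/63310) to inside:10.11.11.232/22 (198.51.100.5/8022)
%ASA-6-302014: Teardown TCP connection 45802 for outside:203.0.113.10/63310 to inside:10.11.11.232/22 duration 0:05:12 bytes 18422 TCP FINs
"""

# "Built" line: connection id, real source (iface:ip/port) and translated destination.
BUILT_RE = re.compile(
    r"Built inbound TCP connection (\d+) for (\S+) \(\S+\) to (\S+) \(\S+\)")
# "Teardown" line: connection id, duration, byte count and the teardown reason.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (\d+) for \S+ to \S+ duration (\S+) bytes (\d+) (.+)$")


def find_asymmetric_candidates(log_text):
    """Return (conn_id, src, dst) for inbound connections the ASA built and then
    tore down with 0 bytes and reason 'SYN Timeout'. That pattern means the SYN
    passed NAT and the ACL and was sent to the host, but the host's SYN-ACK never
    came back through the ASA: the classic sign of a return path via another gateway.
    """
    built = {}
    suspects = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            built[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = TEARDOWN_RE.search(line)
        if m and m.group(1) in built:
            conn_id, _duration, nbytes, reason = m.groups()
            if int(nbytes) == 0 and reason.strip() == "SYN Timeout":
                suspects.append((conn_id,) + built[conn_id])
    return suspects


def summarize(log_text):
    """Human-readable one-liners for the operator."""
    return ["conn %s %s -> %s: SYN forwarded, no reply seen by the ASA "
            "(check the host's default gateway)" % s
            for s in find_asymmetric_candidates(log_text)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOGS):
        print(line)
```

A connection that completes normally (non-zero bytes, "TCP FINs") is left alone, so only the half-open sessions caused by the host replying via the other gateway are reported.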