I have a newly installed 5505 ASA device - and I am not that familiar with it yet. In fact, I only have a moderate level of experience in configuring routers at all.
We have an outside vendor who requires access to a phone device inside our network (ip 192.168.1.247) using TCP on port 22. When I try to configure, it seems to automatically translate port 22 to SSH service.
A) I cannot find anything to indicate, but maybe I need to disable (?) SSH or change the default port for SSH?
B) I cannot find any clear steps to configure the port forwarding. I assume I need to establish an ACE, then a NAT Rule. Should that NAT include PAT? (This is where my 22 keeps changing to SSH and will not save.)
Any help would be appreciated. (Going slow for the novice would be appreciated even more.)
You can enter numeric 22 in the access list or NAT or PAT configuration and the ASA will automatically convert that to SSH. That conversion does not cause problems in and of itself.
Here are some things to think about that may help you find a solution:
- for the vendor to access the phone device on an inside private address the ASA will need some type of static translation.
- if you just did a translation that any incoming TCP port 22 connection translates to the inside address that would probably allow the vendor to access the phone device. But it would prevent any other incoming SSH access (which might or might not be a problem depending on your circumstances).
- if you have some available public address on the ASA other than the IP on the outside interface you might be able to do a static translation so that the public interface translates to the inside private address. This may be the most simple solution (but does require an available address).
- if the vendor could make that access request use a different destination port (perhaps 2222) then you could do a translation on the ASA such that any incoming TCP 2222 gets translated to the inside IP address and port 22.
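The static PAT and access-list configuration the answer above describes, written out as an added example (this is not configuration posted in the thread). It assumes ASA 8.3 or later object-NAT syntax, interfaces named "inside" and "outside", a constructed placeholder vendor source address 198.51.100.10, and a placeholder spare public address 203.0.113.10 for the third variant; the phone address 192.168.1.247 is the one from the question. Restricting the access-list to the vendor's own source address is the part a defender should not skip, because an "any" source exposes the phone's SSH service to the whole internet.

```cisco
! Added example, not from the original thread. Assumes ASA 8.3+ object NAT,
! interface names "inside"/"outside", vendor source 198.51.100.10 (placeholder)
! and spare public address 203.0.113.10 (placeholder).
!
! 1. Network object for the phone (real, untranslated address 192.168.1.247).
object network PHONE_INSIDE
 host 192.168.1.247
 ! Static PAT: outside interface address, TCP 22 -> 192.168.1.247 TCP 22.
 ! This reserves TCP/22 on the outside address for the phone, so any other
 ! inbound SSH to that address (including ASA management) no longer works.
 nat (inside,outside) static interface service tcp 22 22
!
! 2. Permit only the vendor's source. In 8.3+ the access-list matches the
!    real inside address, not the translated one.
access-list OUTSIDE_IN extended permit tcp host 198.51.100.10 host 192.168.1.247 eq 22
access-group OUTSIDE_IN in interface outside
!
! Variant (answer's last bullet): keep outside TCP/22 free by mapping a
! different outside port (2222) to the phone's port 22. Replace the nat line
! inside the object with:
!   nat (inside,outside) static interface service tcp 22 2222
!
! Variant (answer's third bullet): use a spare public address instead of the
! interface address:
!   nat (inside,outside) static 203.0.113.10 service tcp 22 22
!
! Verification from the ASA CLI:
!   show nat detail
!   show xlate
!   packet-tracer input outside tcp 198.51.100.10 40000 <outside-ip> 22
```

When you look at "show running-config" afterwards the ASA will print "eq ssh" rather than "eq 22"; that is only the display name for port 22 and does not change what is matched. With the 2222 variant the vendor connects to port 2222 on your outside address and the ASA delivers it to port 22 on the phone, so the access-list still says "eq 22" (the real port) and the packet-tracer destination port becomes 2222.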