Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Port forwarding

I have a newly installed 5505 ASA device - and I am not that familiar with it yet.  In fact, I only have a moderate level of experience in configuring routers at all.

We have an outside vendor who requires access to a phone device inside our network (ip using TCP on port 22.  When I try to configure, it seems to automatically translate port 22 to SSH service.

A) I cannot find anyting to indicate, but maybe I need to diable (?) SSH or change the default port for SSH?

B) I cannot find any clear steps to configure the port forwarding.  I assume I need to establish an ACE, then a NAT Rule.  Should that NAT include PAT?  (This is where my 22 keeps changing to SSH and will not save.)

Any help would be appreciated.  (Going slow for the novice would be appreciated even more.)

  • Remote Access
Everyone's tags (3)

Re: Port forwarding

Ssh is typically bound to tcp port 22.

Sent from Cisco Technical Support iPad App

Hall of Fame Super Silver

Port forwarding


You can enter numeric 22 in the access list or NAT or PAT configuration and the ASA will automatically convert that to SSH. That conversion does not cause problems in and of itself.

Here are some things to think about that may help you find a solution:

- for the vendor to access the phone device on an inside private address the ASA will need some type of static translation.

- if you just did a translation that any incoming TCP port 22 connection translates to the inside address that would probably allow the vendor to access the phone device. But it would prevent any other incoming SSH access (which might or might not be a problem depending on your circumstances).

- if you have some available public address on the ASA other than the IP on the outside interface you might be able to do a static translation so that the public interface translates to the inside private address. This may be the most simple solution (but does require an available address).

- if the vendor could make that access request use a different destination port (perhaps 2222) then you could do a translation on the ASA such that any incoming TCP 2222 gets translated to the inside IP address and port 22.