Not getting my inside server over ssh from outside network

hi,

I am a newbie in security. I am facing a problem regarding an ASA 5505. The problem is that from the outside zone I am not able to SSH into one of my inside servers.

Here is my network:

                                          Outside  |  Inside
wan <------------ router <------------------------ ASA <------------------ server
                                                   |

The router is doing the NAT operation. I have configured my router so that if any SSH request comes in, it will forward it to the ASA's outside interface. When the request reaches the ASA, it will forward the request to the server 10.49.49.2.

But the problem is I am not able to SSH to the server.

Here is my running config attached.

Help me.

2 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

I see two issues. One, on the firewall, you have already configured SSH on the outside interface and you are trying to use the same port for SSH to the inside server. There is a conflict. Second, I am not sure how you are translating the IP on the router. Also, I see that the access-lists are incorrect:

access-list outside_int_in extended permit icmp any host 10.49.49.2
access-list outside_int_in extended permit tcp interface outside eq ssh host 10.49.49.2

So, please try the following:

On the router:

ip route 10.49.49.0 255.255.255.0 10.10.1.1

ip nat source static 10.49.49.2 extendable

On the firewall:

static (inside,outside) 10.49.49.2 10.49.49.2 netmask 255.255.255.255

access-list outside_int_in extended permit icmp any host 10.49.49.2

no access-list outside_int_in extended permit tcp interface outside eq ssh host 10.49.49.2
access-list outside_int_in extended permit tcp any host 10.49.49.2 eq ssh

If you do not want the router to know about 10.49.49.0 subnet, then do the following:

On the firewall:

static (inside,outside) 10.10.1.x 10.49.49.2 netmask 255.255.255.255 (where x is an unused IP address)

no access-list outside_int_in extended permit icmp any host 10.49.49.2

no access-list outside_int_in extended permit tcp interface outside eq ssh host 10.49.49.2

access-list outside_int_in extended permit icmp any host 10.10.1.x
access-list outside_int_in extended permit tcp any host 10.10.1.x eq ssh

On the router:

ip nat source static 10.10.1.x extendable

This will ensure that the router is doing translation for the original IP of the server and that it has a route to the server. Then the firewall will allow the SSH traffic to the server through it.

Hope this helps.

Regards,

NT
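The two problems named in the reply, worked through as an added example that is not code from the thread or from Cisco: an ASA using the pre-8.3 NAT syntax shown above (the static (inside,outside) form) treats a packet for its own outside address as to-the-box traffic, so with SSH management enabled on that interface a router port-forward to the ASA's interface address on TCP/22 is answered by the ASA itself and never reaches the server; and in the original ACE "permit tcp interface outside eq ssh host 10.49.49.2" the "eq ssh" sits on the source side, so it describes traffic from the ASA's own address with source port 22, not a client connecting to port 22. The script parses the ACL lines quoted in the reply and evaluates constructed flows against them. The ASA outside address 10.10.1.1, the mapped address 10.10.1.50 standing in for the reply's 10.10.1.x, the client address 203.0.113.5 and SSH management being enabled on the outside interface are assumptions, not facts stated in the post.

```python
# Added example (not from the thread or Cisco): how an ASA with pre-8.3 NAT syntax,
# the 'static (inside,outside)' form used above, disposes of an inbound SSH attempt.
# Assumed values the post never states: ASA outside = 10.10.1.1, SSH management
# enabled on 'outside', mapped 10.10.1.50 for the reply's '10.10.1.x', client 203.0.113.5.
import ipaddress
from dataclasses import dataclass

ASA_IF_ADDR = {"outside": ipaddress.ip_address("10.10.1.1")}   # assumption
SSH_MGMT_INTERFACES = {"outside"}                               # assumption: 'ssh ... outside'
PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "https": 443}

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _endpoint(tok, i):
    """Parse one ASA address spec plus optional 'eq PORT'; return (net, port, next_i)."""
    if tok[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        net, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    elif tok[i] == "interface":      # the ASA's own address on that interface
        net, i = ipaddress.ip_network(f"{ASA_IF_ADDR[tok[i + 1]]}/32"), i + 2
    else:                            # 'ADDRESS MASK'
        net, i = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return net, port, i

def parse_ace(line):
    """access-list NAME extended {permit|deny} PROTO SRC [eq P] DST [eq P]"""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    src, sport, i = _endpoint(tok, 5)
    dst, dport, _ = _endpoint(tok, i)
    return {"action": tok[3], "proto": tok[4], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}

def ace_matches(ace, flow):
    return (ace["proto"] in ("ip", flow.proto)
            and ipaddress.ip_address(flow.src) in ace["src"]
            and ace["sport"] in (None, flow.sport)
            and ipaddress.ip_address(flow.dst) in ace["dst"]
            and ace["dport"] in (None, flow.dport))

def acl_decision(acl_lines, flow):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, flow):
            return ace["action"], ace["text"]
    return "deny", "implicit deny at end of ACL"

def asa_inbound(flow, acl_lines, statics, iface="outside"):
    """Simplified pre-8.3 handling of a packet arriving on 'iface': a packet for the
    interface's own IP is to-the-box (TCP/22 answered by the ASA's SSH server if enabled);
    otherwise the ACL is checked against the mapped address that
    'static (inside,outside) MAPPED REAL' publishes, then untranslated to REAL."""
    if (flow.proto == "tcp" and flow.dport == 22 and iface in SSH_MGMT_INTERFACES
            and ipaddress.ip_address(flow.dst) == ASA_IF_ADDR[iface]):
        return "to-the-box: answered by the ASA's own SSH server"
    action, why = acl_decision(acl_lines, flow)
    if action != "permit":
        return f"dropped: {why}"
    real = statics.get(flow.dst, flow.dst)   # no static: address passes unchanged
    return f"forwarded to {real}:{flow.dport} (matched: {why})"

# ACL lines as quoted in the reply; ALT_ACL is option two with x = 50 (assumption).
ORIGINAL_ACL = [
    "access-list outside_int_in extended permit icmp any host 10.49.49.2",
    "access-list outside_int_in extended permit tcp interface outside eq ssh host 10.49.49.2",
]
FIXED_ACL = [
    "access-list outside_int_in extended permit icmp any host 10.49.49.2",
    "access-list outside_int_in extended permit tcp any host 10.49.49.2 eq ssh",
]
ALT_ACL = [
    "access-list outside_int_in extended permit icmp any host 10.10.1.50",
    "access-list outside_int_in extended permit tcp any host 10.10.1.50 eq ssh",
]
IDENTITY_STATIC = {"10.49.49.2": "10.49.49.2"}   # static (inside,outside) 10.49.49.2 10.49.49.2
MAPPED_STATIC = {"10.10.1.50": "10.49.49.2"}     # static (inside,outside) 10.10.1.50 10.49.49.2

# Constructed flows: the outside client's SSH SYN as the ASA sees it after the router's NAT.
CLIENT_TO_SERVER = Flow("tcp", "203.0.113.5", 51515, "10.49.49.2", 22)
CLIENT_TO_ASA = Flow("tcp", "203.0.113.5", 51515, "10.10.1.1", 22)
CLIENT_TO_MAPPED = Flow("tcp", "203.0.113.5", 51515, "10.10.1.50", 22)

if __name__ == "__main__":
    print("original ACL, client -> server:", acl_decision(ORIGINAL_ACL, CLIENT_TO_SERVER))
    # the only traffic the original ACE describes: the ASA's own address, source port 22
    print("original ACL, ASA:22 -> server:", acl_decision(ORIGINAL_ACL, Flow("tcp", "10.10.1.1", 22, "10.49.49.2", 40000)))
    print("forward to ASA outside IP     :", asa_inbound(CLIENT_TO_ASA, FIXED_ACL, IDENTITY_STATIC))
    print("option one (identity static)  :", asa_inbound(CLIENT_TO_SERVER, FIXED_ACL, IDENTITY_STATIC))
    print("option two (mapped 10.10.1.x) :", asa_inbound(CLIENT_TO_MAPPED, ALT_ACL, MAPPED_STATIC))
```

Running it shows the client's SYN falling through to the implicit deny under the original ACL, the only flow that original ACE would ever match (the ASA's own address with source port 22), the to-the-box outcome when the router forwards to the ASA's interface address, and the two working variants from the reply. The same parser can be pointed at any other outside ACL to check that "eq PORT" is on the destination side before assuming the firewall is the problem.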

Hi,

Thanks for the help. I tested it today and it works.

Thanks & Regards

Shuvanjan Krishna Bhattacharya
