[c-nsp] SSH through ASA to switch inside
Brian Knight
ml at knight-networks.com
Sat Mar 3 15:52:38 EST 2018
You need object-based static NAT/PAT.
object network SW1
nat (OWNER-INSIDE,outside) static interface service tcp 22001 22001
etc.
Reference:
https://www.packet6.com/configuring-nat-for-a-public-server-using-same-outside-interface/
-Brian
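Brian's point is that object NAT is written as nat (real_ifc,mapped_ifc): the first name is the interface the object's host actually sits behind, the second is where it is published. Scott's lines have the two reversed, so the ASA treats each switch as living on outside and publishes it on the OWNER-INSIDE interface address. The script below is an added example, not from the thread and not Cisco's code: it parses a small ASA snippet, works out from the interface subnets which interface each object's host is connected to, flags any object NAT whose real-interface side does not match, and prints the external socket that each line actually forwards to which internal socket. The sample config is constructed from the thread's own definitions, with the documentation address 203.0.113.2 standing in for the xx.xx.xx.xx outside address; SW1 is shown as Scott posted it and SW2 in the corrected interface order.

```python
"""Added example (not from the thread or from Cisco): a small linter for
ASA object NAT port-forwards.  It resolves which interface each object's
host is connected to and checks the (real_ifc,mapped_ifc) order of every
'nat ... static' line against it.  Assumes post-8.3 ASA object NAT syntax.
"""
import ipaddress
import re

# ASA port keywords that may appear in a 'service tcp' clause.
PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "https": 443}

NAT_RE = re.compile(
    r"nat \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\) static (?P<mapped_ip>\S+)"
    r"(?: service (?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+))?$"
)

# Constructed sample: Scott's interface and object definitions, his SW1
# NAT line as posted (interfaces reversed) and SW2 in the corrected
# order.  203.0.113.2 stands in for the xx.xx.xx.xx outside address.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet1/2
 nameif OWNER-INSIDE
 security-level 100
 ip address 10.255.255.253 255.255.255.248
!
object network SW1
 host 10.255.255.252
object network SW2
 host 10.255.255.251
object network SW1
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
object network SW2
 nat (OWNER-INSIDE,outside) static interface service tcp ssh 22002
"""


def port_number(token):
    """Translate an ASA port keyword or number to an integer port."""
    return PORT_NAMES.get(token) or int(token)


def parse_config(text):
    """Return ({nameif: IPv4Interface}, {object: {host, nats}})."""
    interfaces, objects, ctx = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            ctx = ("interface", {})
        elif line.startswith("object network "):
            name = line.split()[2]
            ctx = ("object", objects.setdefault(name, {"host": None, "nats": []}))
        elif ctx and ctx[0] == "interface":
            ifc = ctx[1]
            if line.startswith("nameif "):
                ifc["nameif"] = line.split()[1]
            elif line.startswith("ip address "):
                addr, mask = line.split()[2:4]
                ifc["addr"] = ipaddress.IPv4Interface(f"{addr}/{mask}")
            if "nameif" in ifc and "addr" in ifc:
                interfaces[ifc["nameif"]] = ifc["addr"]
        elif ctx and ctx[0] == "object":
            obj = ctx[1]
            if line.startswith("host "):
                obj["host"] = ipaddress.IPv4Address(line.split()[1])
            elif (m := NAT_RE.match(line)):
                obj["nats"].append(m.groupdict())
    return interfaces, objects


def interface_for_host(host, interfaces):
    """Longest-prefix match of host against the connected subnets."""
    hits = [(i.network.prefixlen, n) for n, i in interfaces.items() if host in i.network]
    return max(hits)[1] if hits else None


def lint(text):
    """One finding per object NAT line: is the real interface right, and
    which external socket ends up forwarded to which internal socket."""
    interfaces, objects = parse_config(text)
    findings = []
    for name, obj in objects.items():
        if obj["host"] is None:
            continue
        expected = interface_for_host(obj["host"], interfaces)
        for nat in obj["nats"]:
            # 'static interface' publishes the host on the mapped interface's
            # own address; with the order reversed that is the inside address.
            mapped_ifc = interfaces.get(nat["mapped"])
            mapped_ip = mapped_ifc.ip if nat["mapped_ip"] == "interface" and mapped_ifc else nat["mapped_ip"]
            real_port = port_number(nat["real_port"]) if nat["real_port"] else "any"
            mapped_port = port_number(nat["mapped_port"]) if nat["mapped_port"] else "any"
            findings.append({
                "object": name,
                "real_ifc": nat["real"],
                "expected_real_ifc": expected,
                "ok": nat["real"] == expected,
                "exposure": f"{mapped_ip}:{mapped_port} -> {obj['host']}:{real_port}",
            })
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        status = "OK " if f["ok"] else "BAD"
        print(f"{status} {f['object']}: nat ({f['real_ifc']},...) "
              f"expected ({f['expected_real_ifc']},...)  {f['exposure']}")
```

Run as-is it reports SW1 as BAD (published on 10.255.255.253:22001, the inside interface address) and SW2 as OK (203.0.113.2:22002 forwarded to 10.255.255.251:22). In the service clause the first port is the real port the switch listens on and the second is the mapped external port, so `service tcp ssh 22001` is the right shape when the switch listens on 22. On post-8.3 ASA the interface ACL matches the real (untranslated) address and port, so an ACL permitting `host 10.255.255.252 eq ssh`, as Scott already has, is the form to keep; a linter like this one is also a handy way to audit which internal sockets a firewall is exposing.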
On Mar 2, 2018, at 11:46 PM, Scott Miller <fordlove at gmail.com> wrote:
> Good day all, not sure if this is the right list for a question such as this, but my google searching has hit a dead end.
>
> What I'm trying to accomplish is ssh from the outside world, through an ASA, to a switch for remote access to the switch for maintenance and such.
>
> SSH is enabled on the switch, and that works fine independently while inside.
> SSH is enabled on the ASA, locked down to a few source IPs, and that works fine independently.
>
> What I have configured on the ASA is:
>
> Outside interface = outside
> Inside interface = OWNER-INSIDE
>
> !
> interface GigabitEthernet1/1
> nameif outside
> security-level 0
> ip address xx.xx.xx.xx 255.255.255.252
> !
> interface GigabitEthernet1/2
> description INSIDE OWNER UNRESTRICTED ACCESS
> nameif OWNER-INSIDE
> security-level 100
> ip address 10.255.255.253 255.255.255.248
> !
>
> object network SW1
> host 10.255.255.252
> object network SW2
> host 10.255.255.251
> object network SW3
> host 10.255.255.250
>
> object-group network SSH_CLIENTS
> network-object object SW1
> network-object object SW2
> network-object object SW3
>
> object network SW1
> nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
> object network SW2
> nat (outside,OWNER-INSIDE) static interface service tcp ssh 22002
> object network SW3
> nat (outside,OWNER-INSIDE) static interface service tcp ssh 22003
>
> access-list ACL_Outside_to_Inside remark SSH Connections to specific
> network objects
> access-list ACL_Outside_to_Inside extended permit tcp any object-group
> SSH_CLIENTS eq ssh
> access-list ACL_Outside_to_Inside extended deny ip any any
>
> access-group ACL_Outside_to_Inside in interface outside
>
> access-list inside_access_out extended permit ip any any
>
> When I use the ASDM Packet Tracer to test, using the settings, it shows the packet traversing successfully. However, when I ssh to IP port 22001, it times out.
>
> Hit counters on the access-list do not increase (they did once, but not sure where that was in my "testing")
> access-list ACL_Outside_to_Inside line 2 extended permit tcp any object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
> access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
> access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
> access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.250 eq ssh (hitcnt=0) 0x30601a85
>
> Hit counters on the nat policies do not increase.
> 1 (outside) to (OWNER-INSIDE) source static SW3 interface service tcp ssh 22003
> translate_hits = 0, untranslate_hits = 0
> 2 (outside) to (OWNER-INSIDE) source static SW2 interface service tcp ssh 22002
> translate_hits = 0, untranslate_hits = 0
> 3 (outside) to (OWNER-INSIDE) source static SW1 interface service tcp ssh 22001
> translate_hits = 0, untranslate_hits = 0
>
> Might be a bit over my head, trying to config the ASA for a new customer.
>
> Any ideas as to what I might be doing wrong? Or need the entire config?
>
> Thanks,
> Scott
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/