[c-nsp] SSH through ASA to switch inside

joshd jduffek at gmail.com
Sat Mar 3 17:54:54 EST 2018


Why would you need that?  Just so long as the global/outside ports are
unique, it should be OK, shouldn't it?  Wouldn't the ASA complain about
overlapping NATs if it was actually a problem?


On Sat, Mar 3, 2018 at 2:52 PM, Brian Knight <ml at knight-networks.com> wrote:

> You need object-based static NAT/PAT.
>
> object network SW1
>   nat (OWNER-INSIDE,outside) static interface service tcp 22001 22001
>
> etc.
>
> Reference: https://www.packet6.com/configuring-nat-for-a-public-server-using-same-outside-interface/
>
> -Brian
>
>
>
> On Mar 2, 2018, at 11:46 PM, Scott Miller <fordlove at gmail.com> wrote:
>
>> Good day all, not sure if this is the right list for a question such as
>> this, but my google searching has hit a dead end.
>>
>> What I'm try to accomplish is ssh from the outside world, through an ASA,
>> to a switch for remote access to the switch for maintenance and such
>>
>> SSH is enabled on the switch, and that works fine independently while
>> inside.
>> SSH is enabled on the ASA, locked down to a few source IPs, and that
>> works fine independently.
>>
>> What I have configured on the ASA is:
>>
>> Outside interface =  outside
>> Inside interface =  OWNER-INSIDE
>>
>> !
>> interface GigabitEthernet1/1
>> nameif outside
>> security-level 0
>> ip address xx.xx.xx.xx 255.255.255.252
>> !
>> interface GigabitEthernet1/2
>> description INSIDE OWNER UNRESTRICTED ACCESS
>> nameif OWNER-INSIDE
>> security-level 100
>> ip address 10.255.255.253 255.255.255.248
>> !
>>
>> object network SW1
>> host 10.255.255.252
>> object network SW2
>> host 10.255.255.251
>> object network SW3
>> host 10.255.255.250
>>
>> object-group network SSH_CLIENTS
>> network-object object SW1
>> network-object object SW2
>> network-object object SW3
>>
>> object network SW1
>> nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
>> object network SW2
>> nat (outside,OWNER-INSIDE) static interface service tcp ssh 22002
>> object network SW3
>> nat (outside,OWNER-INSIDE) static interface service tcp ssh 22003
>>
>> access-list ACL_Outside_to_Inside remark SSH Connections to specific network objects
>> access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq ssh
>> access-list ACL_Outside_to_Inside extended deny ip any any
>>
>> access-group ACL_Outside_to_Inside in interface outside
>>
>> access-list inside_access_out extended permit ip any any
>>
>> When I use the ASDM Packet Tracer to test, using the settings, it shows
>> the packet traversing successfully. However, when I ssh to IP port 22001,
>> it times out.
>>
>> Hit counters on the access-list do not increase (they did once, but not
>> sure where that was in my "testing"):
>> access-list ACL_Outside_to_Inside line 2 extended permit tcp any object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
>> access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
>> access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
>> access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.250 eq ssh (hitcnt=0) 0x30601a85
>>
>> Hit counters on the nat policies do not increase.
>> 1 (outside) to (OWNER-INSIDE) source static SW3 interface  service tcp ssh 22003
>> translate_hits = 0, untranslate_hits = 0
>> 2 (outside) to (OWNER-INSIDE) source static SW2 interface  service tcp ssh 22002
>> translate_hits = 0, untranslate_hits = 0
>> 3 (outside) to (OWNER-INSIDE) source static SW1 interface  service tcp ssh 22001
>> translate_hits = 0, untranslate_hits = 0
>>
>> Might be a bit over my head, trying to config the ASA for a new customer.
>>
>> Any ideas as to what I might be doing wrong? Or do you need the entire config?
>>
>> Thanks,
>> Scott
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
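As an added example (not code from the thread, from Cisco, or from the linked article), a small Python checker for the two points raised above: the first interface in nat (real_ifc,mapped_ifc) must be the one the object's host sits behind, and each object needs its own mapped port on the shared outside address. It assumes the two interface subnets from the post (with a documentation-range placeholder for the outside address) and parses only the object network / host / nat lines.

```python
import ipaddress
import re
# Constructed sample in the shape of the config in the thread: SW1 keeps the
# reversed interface pair from the question, SW2 has the form from the reply,
# SW3 re-uses SW2's outside port to exercise the uniqueness check.
SAMPLE_CONFIG = """
object network SW1
 host 10.255.255.252
object network SW2
 host 10.255.255.251
object network SW3
 host 10.255.255.250
object network SW1
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
object network SW2
 nat (OWNER-INSIDE,outside) static interface service tcp 22 22002
object network SW3
 nat (OWNER-INSIDE,outside) static interface service tcp 22 22002
"""
# nameif -> connected subnet, from the two 'ip address' lines in the thread
# (the outside address is a documentation-range placeholder, an assumption).
INTERFACES = {"outside": ipaddress.ip_network("203.0.113.0/30"),
              "OWNER-INSIDE": ipaddress.ip_network("10.255.255.248/29")}
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static interface service tcp (\S+) (\S+)")
PORT_NAMES = {"ssh": "22"}  # ASA accepts service names or numbers
def check_static_pat(config, ifaces=INTERFACES):
    """Return findings on object NAT interface order and mapped-port reuse."""
    objects, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("object network "):  # blocks may be re-entered later
            cur = objects.setdefault(line.split()[2], {"nats": []})
        elif line.startswith("host ") and cur is not None:
            cur["host"] = ipaddress.ip_address(line.split()[1])
        elif line.startswith("nat ") and cur is not None and NAT_RE.match(line):
            cur["nats"].append(NAT_RE.match(line).groups())
    findings, used = [], {}
    for name, obj in objects.items():
        host = obj.get("host")
        for real_ifc, mapped_ifc, real_port, mapped_port in obj["nats"]:
            # nat (A,B): A must be the interface whose subnet holds the real host.
            home = next((n for n, net in ifaces.items() if host is not None and host in net), None)
            other = real_ifc if mapped_ifc == home else mapped_ifc
            if home != real_ifc:
                findings.append(f"{name}: host is on {home}, rewrite as nat ({home},{other}) "
                                f"static interface service tcp {real_port} {mapped_port}")
            key = (other, PORT_NAMES.get(mapped_port, mapped_port))
            if key in used:  # each object needs its own port on the shared outside address
                findings.append(f"{name}: port {key[1]} on {other} already used by {used[key]}")
            used.setdefault(key, name)
    return findings
```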

