Good day all, not sure if this is the right list for a question such as this, but my google searching has hit a dead end.
What I'm trying to accomplish is to SSH from the outside world, through an ASA, to a switch, for remote access to the switch for maintenance and such. SSH is enabled on the switch, and that works fine independently while inside. SSH is enabled on the ASA, locked down to a few source IPs, and that works fine independently. What I have configured on the ASA is:

Outside interface = outside
Inside interface = OWNER-INSIDE

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface GigabitEthernet1/2
 description INSIDE OWNER UNRESTRICTED ACCESS
 nameif OWNER-INSIDE
 security-level 100
 ip address 10.255.255.253 255.255.255.248
!
object network SW1
 host 10.255.255.252
object network SW2
 host 10.255.255.251
object network SW3
 host 10.255.255.250
object-group network SSH_CLIENTS
 network-object object SW1
 network-object object SW2
 network-object object SW3
object network SW1
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
object network SW2
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22002
object network SW3
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22003
access-list ACL_Outside_to_Inside remark SSH Connections to specific network objects
access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq ssh
access-list ACL_Outside_to_Inside extended deny ip any any
access-group ACL_Outside_to_Inside in interface outside
access-list inside_access_out extended permit ip any any

When I use the ASDM Packet Tracer to test, using those settings, it shows the packet traversing successfully. However, when I SSH to the IP on port 22001, it times out.
Hit counters on the access-list do not increase (they did once, but I'm not sure where that was in my "testing"):

access-list ACL_Outside_to_Inside line 2 extended permit tcp any object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.250 eq ssh (hitcnt=0) 0x30601a85

Hit counters on the NAT policies do not increase:

1 (outside) to (OWNER-INSIDE) source static SW3 interface service tcp ssh 22003
    translate_hits = 0, untranslate_hits = 0
2 (outside) to (OWNER-INSIDE) source static SW2 interface service tcp ssh 22002
    translate_hits = 0, untranslate_hits = 0
3 (outside) to (OWNER-INSIDE) source static SW1 interface service tcp ssh 22001
    translate_hits = 0, untranslate_hits = 0

This might be a bit over my head; I'm trying to configure the ASA for a new customer. Any ideas as to what I might be doing wrong? Or do you need the entire config?

Thanks,
Scott

_______________________________________________
cisco-nsp mailing list email@example.com
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
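For a port-forward like the one in this post, the first thing to check mechanically is the object NAT direction: on ASA 8.3+ object NAT the tuple is (real_ifc,mapped_ifc), and a rule whose real interface does not own the object's host can never match, which leaves translate_hits/untranslate_hits at 0. The checker below is an added example, not part of the thread or any Cisco tool; it parses an ASA-style config and flags such rules, running against a constructed sample modelled on the config above (203.0.113.2 stands in for the masked outside address, and the parser assumes ASA's one-space sub-command indentation).

```python
import ipaddress
# Constructed sample modelled on the thread's config; 203.0.113.2 stands in for the real outside address.
SAMPLE_CFG = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet1/2
 nameif OWNER-INSIDE
 ip address 10.255.255.253 255.255.255.248
object network SW1
 host 10.255.255.252
object network SW2
 host 10.255.255.251
object network SW1
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
object network SW2
 nat (OWNER-INSIDE,outside) static interface service tcp ssh 22002
"""
def parse_config(cfg):
    """Return (nameif -> connected network, object -> host IP, [(object, real_ifc, mapped_ifc)])."""
    interfaces, hosts, nats = {}, {}, []
    nameif = obj = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented command closes any open interface/object block
            nameif = obj = None
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:  # "ip address A MASK [standby B]"
            interfaces[nameif] = ipaddress.ip_network("{}/{}".format(*line.split()[2:4]), strict=False)
        elif line.startswith("object network "):
            obj = line.split()[2]
        elif line.startswith("host ") and obj:
            hosts[obj] = ipaddress.ip_address(line.split()[1])
        elif line.startswith("nat (") and obj:  # object NAT: "nat (real_ifc,mapped_ifc) static ..."
            nats.append((obj, *line[5:line.index(")")].split(",")))
    return interfaces, hosts, nats

def check_nat_direction(cfg):
    """Flag object NAT rules whose real (first) interface does not own the object's host;
    such a rule can never match, so its translate/untranslate hit counters stay at 0."""
    interfaces, hosts, nats = parse_config(cfg)
    findings = []
    for obj, real_ifc, mapped_ifc in nats:
        host, net = hosts[obj], interfaces[real_ifc]  # KeyError: object or nameif missing from config
        if host not in net:
            hint = f"; expected nat ({mapped_ifc},{real_ifc})" if host in interfaces.get(mapped_ifc, ()) else ""
            findings.append(f"{obj}: host {host} is not behind {real_ifc}{hint}")
    return findings
```

In the sample, SW1 is written the way the post has it and is flagged, while SW2 is written with the inside interface first and passes.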