Good day all, not sure if this is the right list for a question such as
this, but my google searching has hit a dead end.

What I'm try to accomplish is ssh from the outside world, through an ASA,
to a switch for remote access to the switch for maintenance and such

SSH is enable don the switch.  and that works fin independently while
inside.
SSH is enabled on the ASA, locked down to a few source IP's, and that works
fine independently.

What I have configured in on the ASA is:

Outside interface =  outside
Inside interface =  OWNER-INSIDE

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface GigabitEthernet1/2
 description INSIDE OWNER UNRESTRICTED ACCESS
 nameif OWNER-INSIDE
 security-level 100
 ip address 10.255.255.253 255.255.255.248
!

object network SW1
 host 10.255.255.252
object network SW2
 host 10.255.255.251
object network SW3
 host 10.255.255.250

object-group network SSH_CLIENTS
 network-object object SW1
 network-object object SW2
 network-object object SW3

object network SW1
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
object network SW2
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22002
object network SW3
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22003

access-list ACL_Outside_to_Inside remark SSH Connections to specific
network objects
access-list ACL_Outside_to_Inside extended permit tcp any object-group
SSH_CLIENTS eq ssh
access-list ACL_Outside_to_Inside extended deny ip any any

access-group ACL_Outside_to_Inside in interface outside

access-list inside_access_out extended permit ip any any

When I use the ASDM Packet Tracer to test, using the settings, it shows the
packet traversing successfully.  however, when I ssh to IP port 22001, it
times out.

Hit counters on the access-list do not increase (the did once, but not sure
where that was in my "testing")
access-list ACL_Outside_to_Inside line 2 extended permit tcp any
object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host
10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host
10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host
10.255.255.250 eq ssh (hitcnt=0) 0x30601a85

Hit counters on the nat policies do not increase.
1 (outside) to (OWNER-INSIDE) source static SW3 interface  service tcp ssh
22003
    translate_hits = 0, untranslate_hits = 0
2 (outside) to (OWNER-INSIDE) source static SW2 interface  service tcp ssh
22002
    translate_hits = 0, untranslate_hits = 0
3 (outside) to (OWNER-INSIDE) source static SW1 interface  service tcp ssh
22001
    translate_hits = 0, untranslate_hits = 0

Might be a bit over my head, trying to config the ASA for a new customer.

Any ideas as to what I might be doing wrong?  or need the entire config?

Thanks,
Scott
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Reply via email to