You need object-based static NAT/PAT.
object network SW1
nat (OWNER-INSIDE,outside) static interface service tcp 22001 22001
etc.
Reference:
https://www.packet6.com/configuring-nat-for-a-public-server-using-same-outside-interface/
-Brian
On Mar 2, 2018, at 11:46 PM, Scott Miller <fordl...@gmail.com> wrote:
Good day all, not sure if this is the right list for a question such as this, but my Google searching has hit a dead end.
What I'm trying to accomplish is SSH from the outside world, through an ASA, to a switch, for remote access to the switch for maintenance and such.
SSH is enabled on the switch, and that works fine independently while inside.
SSH is enabled on the ASA, locked down to a few source IPs, and that works fine independently.
What I have configured on the ASA is:
Outside interface = outside
Inside interface = OWNER-INSIDE
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
interface GigabitEthernet1/2
description INSIDE OWNER UNRESTRICTED ACCESS
nameif OWNER-INSIDE
security-level 100
ip address 10.255.255.253 255.255.255.248
!
object network SW1
host 10.255.255.252
object network SW2
host 10.255.255.251
object network SW3
host 10.255.255.250
object-group network SSH_CLIENTS
network-object object SW1
network-object object SW2
network-object object SW3
object network SW1
nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
object network SW2
nat (outside,OWNER-INSIDE) static interface service tcp ssh 22002
object network SW3
nat (outside,OWNER-INSIDE) static interface service tcp ssh 22003
access-list ACL_Outside_to_Inside remark SSH Connections to specific network objects
access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq ssh
access-list ACL_Outside_to_Inside extended deny ip any any
access-group ACL_Outside_to_Inside in interface outside
access-list inside_access_out extended permit ip any any
When I use the ASDM Packet Tracer to test, using the settings, it shows the packet traversing successfully. However, when I SSH to the IP on port 22001, it times out.
Hit counters on the access-list do not increase (they did once, but not sure where that was in my "testing"):
access-list ACL_Outside_to_Inside line 2 extended permit tcp any object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.250 eq ssh (hitcnt=0) 0x30601a85
Hit counters on the NAT policies do not increase:
1 (outside) to (OWNER-INSIDE) source static SW3 interface service tcp ssh 22003
translate_hits = 0, untranslate_hits = 0
2 (outside) to (OWNER-INSIDE) source static SW2 interface service tcp ssh 22002
translate_hits = 0, untranslate_hits = 0
3 (outside) to (OWNER-INSIDE) source static SW1 interface service tcp ssh 22001
translate_hits = 0, untranslate_hits = 0
Might be a bit over my head; trying to configure the ASA for a new customer.
Any ideas as to what I might be doing wrong? Or do you need the entire config?
Thanks,
Scott
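An added example, not from either poster: a small Python lint that parses interface subnets, network objects and object NAT lines from an ASA config fragment and flags rules whose first (real) interface is not the one the object's host sits behind, which is the reversed (outside,OWNER-INSIDE) order in the question. The config text is constructed to mirror the thread, and the outside address is a placeholder.

```python
import ipaddress
# Constructed sample shaped like the thread's config (outside address is a placeholder).
# SW1 keeps the question's reversed order; SW2 uses the (real_ifc,mapped_ifc) order.
SAMPLE_CONFIG = """
interface GigabitEthernet1/1
 nameif outside
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet1/2
 nameif OWNER-INSIDE
 ip address 10.255.255.253 255.255.255.248
object network SW1
 host 10.255.255.252
object network SW2
 host 10.255.255.251
object network SW1
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
object network SW2
 nat (OWNER-INSIDE,outside) static interface service tcp ssh 22002
"""

def parse_asa(text):
    """Return (nameif -> subnet, object -> host, [(object, real_ifc, mapped_ifc)])."""
    ifaces, objects, nats = {}, {}, []
    nameif = obj = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            addr, mask = line.split()[2:4]
            ifaces[nameif] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith("object network "):
            obj = line.split()[2]
        elif line.startswith("host ") and obj:
            objects[obj] = ipaddress.ip_address(line.split()[1])
        elif line.startswith("nat (") and obj:
            real_ifc, mapped_ifc = line[5:line.index(")")].split(",")  # nat (real,mapped)
            nats.append((obj, real_ifc, mapped_ifc))
    return ifaces, objects, nats

def check_nat_direction(text):
    """Flag object NAT rules whose real (first) interface is not where the host lives."""
    ifaces, objects, nats = parse_asa(text)
    findings = []
    for obj, real_ifc, mapped_ifc in nats:
        host = objects.get(obj)
        home = next((n for n, net in ifaces.items() if host is not None and host in net), None)
        if home is not None and home != real_ifc:
            other = real_ifc if mapped_ifc == home else mapped_ifc
            findings.append(f"{obj}: nat ({real_ifc},{mapped_ifc}) but {host} is on {home}; use nat ({home},{other})")
    return findings
```

Run `check_nat_direction(SAMPLE_CONFIG)` to see only SW1 reported; a rule whose real interface matches the host's subnet, like SW2, passes.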
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/