Solved

Configure ASA \ PIX firewall to allow ssh to a specific device

Posted on 2008-06-13
5
1,440 Views
Last Modified: 2013-11-16
How  do I allow or forward ssh connections to a specific device with the ASA. I have the the following setup. I know how to forward the incomming SSH traffic on the ISA but need help with the ASA. I would like to forward any SSH connections from the external ip 70.45.3.12 to the internal server 192.168.0.25. I need the ASA to get he traffic to the ISA and the ISA will forward to the server. Thanks in advance

*Internet - USER*
70.45.3.12
        |
        |
15.48.16.106
*CISCO ASA*
172.16.14.2
         |
         |  
172.16.14.1
*ISA Firewall *
192.168.0.10
        |
        |
192.168.0.25
*Server *
0
Comment
Question by:ctna
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 16

Expert Comment

by:btassure
ID: 21783361
From the command line:

Create the static NAT rule:
static (inside,outside) tcp 15.48.16.106 ssh 172.16.14.1 ssh netmask 255.255.255.255

Create an ACL to allow access:
access-list outside_access_in (you may need to check the name of the currently used ACL and use that instead - do a show run and see what access-group the outside interface is using) extended permit tcp host 70.45.3.12 (replace with "host x.x.x.x" with "any" if you want anyone to be able to access it) host 15.48.16.106 eq ssh

In summary:
static (inside,outside) tcp 15.48.16.106 ssh 172.16.14.1 ssh netmask 255.255.255.255
access-list outside_access_in extended permit tcp host 70.45.3.12 host 15.48.16.106 eq ssh


0
 
LVL 1

Author Comment

by:ctna
ID: 21792862
If I have another IP do I Add another access list for that IP?
0
 
LVL 1

Author Comment

by:ctna
ID: 21792902
Also, if you wanted to direct all traffic to the 172.16.14.1 interface would I add this NAT rule instead? Just want to make sure I understand..

static (inside,outside) 15.48.16.106 172.16.14.1 netmask 255.255.255.255
0
 
LVL 16

Accepted Solution

by:
btassure earned 500 total points
ID: 21795459
Yes, that rule would NAT ALL traffic to that inside address, you would still need to set up access lists for that as well.

If you wanted another IP to be able to SSH in you have to add it to the ACL you already created, not create a new one.
0
 
LVL 1

Author Closing Comment

by:ctna
ID: 31467006
thanks for the help
0

Featured Post

Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Setting up a VPN 60 207
Windows NLB support on Cisco Nexus 9000 1 103
Opening Ports for Specific LAN IP Address on Juniper SRX240 3 54
Install module in switch 4507 2 34
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question