Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Configure ASA \ PIX firewall to allow ssh to a specific device

Posted on 2008-06-13
Medium Priority
Last Modified: 2013-11-16
How  do I allow or forward ssh connections to a specific device with the ASA. I have the the following setup. I know how to forward the incomming SSH traffic on the ISA but need help with the ASA. I would like to forward any SSH connections from the external ip to the internal server I need the ASA to get he traffic to the ISA and the ISA will forward to the server. Thanks in advance

*Internet - USER*
*ISA Firewall *
*Server *
Question by:ctna
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 16

Expert Comment

ID: 21783361
From the command line:

Create the static NAT rule:
static (inside,outside) tcp ssh ssh netmask

Create an ACL to allow access:
access-list outside_access_in (you may need to check the name of the currently used ACL and use that instead - do a show run and see what access-group the outside interface is using) extended permit tcp host (replace with "host x.x.x.x" with "any" if you want anyone to be able to access it) host eq ssh

In summary:
static (inside,outside) tcp ssh ssh netmask
access-list outside_access_in extended permit tcp host host eq ssh


Author Comment

ID: 21792862
If I have another IP do I Add another access list for that IP?

Author Comment

ID: 21792902
Also, if you wanted to direct all traffic to the interface would I add this NAT rule instead? Just want to make sure I understand..

static (inside,outside) netmask
LVL 16

Accepted Solution

btassure earned 2000 total points
ID: 21795459
Yes, that rule would NAT ALL traffic to that inside address, you would still need to set up access lists for that as well.

If you wanted another IP to be able to SSH in you have to add it to the ACL you already created, not create a new one.

Author Closing Comment

ID: 31467006
thanks for the help

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This tutorial will go through the steps required to write a script that will back up the configuration settings of a HP-ProCurve switch. You will need to get the following things to follow this tutorial: Telnet Scripting Tool e.g. TST10.exe …
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question