Avatar of AITP
AITP
 asked on

Cisco ASA 5505 NAT problem

We have problem with a Cisco ASA 5505 and NAT translation.
Very basic config with one (1) public static IP-address and a local LAN /24.

The problem is to redirect port SSH, tcp/22 from Internet (with same as firewall outside IP-address) to an internal server with IP-address 192.168.1.2.

This is our config as far as my knowledge should work, but it don't.


ASA Version 8.3(1)
!
hostname fw1
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network wc1-ssh
 host 192.168.1.2
access-list inbound extended permit tcp any object wc1-ssh eq ssh
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
object network wc1-ssh
 nat (inside,outside) static interface service tcp ssh ssh
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.51-192.168.1.250 inside
dhcpd dns 1.2.3.6 1.2.3.7 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxx
: end
Cisco

Avatar of undefined
Last Comment
Ernie Beek

8/22/2022 - Mon
Ernie Beek

Could you try replacing:
access-list inbound extended permit tcp any object wc1-ssh eq ssh
with
access-list inbound extended permit tcp any host 192.168.1.2 eq ssh
AITP

ASKER
Thanx but same result.
Ernie Beek

Mm.

When looking at the (asdm) logs, does anything show when you try to connect?
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
fgasimzade

Everything looks good to me, are you sure your 192.168.1.2 is listening on ssh?
AITP

ASKER
From log:
"TCP access denied by ACL from x.x.x.x/26087 to outside:1.2.3.4/22"

SSH works on internal network from a PC.
fgasimzade

Can you post the output of the packet tracer?

packet-tracer input outside tcp 1.1.1.1 ssh 192.168.1.2 ssh detailed
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
AITP

ASKER
Result of the command: "packet-tracer input outside tcp 1.1.1.1 ssh 192.168.1.2 ssh detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit tcp any object wc1-ssh eq ssh
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc978bb58, priority=13, domain=permit, deny=false
      hits=0, user_data=0xc7d813d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0
      dst ip/id=192.168.1.2, mask=255.255.255.255, port=22, dscp=0x0
      input_ifc=outside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9d91998, priority=0, domain=inspect-ip-options, deny=true
      hits=25194, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
      input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xc9d9a940, priority=6, domain=nat-reverse, deny=false
      hits=4, user_data=0xc9d99c70, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
      input_ifc=outside, output_ifc=inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

fgasimzade

Hm, I am not that good at 8.3 NAT, have never worked with it, however you can just try using a different outside ip address (if you have one) for static NAT

object network wc1-ssh
 nat (inside,outside) static 1.2.3.5 service tcp ssh ssh  
AITP

ASKER
Don't have extra IP from our ISP, sorry.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER CERTIFIED SOLUTION
Ernie Beek

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
AITP

ASKER
All clients on local network must be able to access Internet.
Will they if I remote the command as you suggest?
"nat (inside,outside) source dynamic any interface"

I'm also "off-site" (connected through Teamviewer outgoing connection) right know so I can't test this until tomorrow if my connection will go down. =)
Ernie Beek

You should be safe, there still is:
object network obj_any
 nat (inside,outside) dynamic interface


You can always first issue the following:

reload in 5

This will cause the firewall to reload in 5 minutes. So if you don't save the configuration and loose connectivity you should be able to connect again after the reload.
AITP

ASKER
That did the trick =)
Thanx a lot!
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Ernie Beek

You're welcome :)

Thx for the points.