This topic is to discuss the following lesson:
Your scenario explains forwarding traffic to port 22 for SSH, but further down in your configuration example you are using port 25 for SMTP. Any reason for the change between the scenario and the example configuration?
That was a typo, I just changed port 25 to 22. Thanks for letting me know!
Thank you for the explanation.
I have a question.
In this tutorial, you are using PAT for sending traffic from Outside to DMZ. However, if I want to use PAT for sending traffic from DMZ to Outside, how should I do the configuration?
Hmm why would you want to do this? We use PAT in this example so that someone on the Internet is able to connect to a public IP address on the outside so that we can reach our DMZ servers with private IP addresses.
Our DMZ servers can reach the Internet by using “regular” NAT.
Diagram needs to be updated to 126.96.36.199/24 for lan subnet.
I mean 192.168.1.0/24
Thanks, I just fixed the text so it matches the diagram.
Based on this configuration, it works with ASA 8.4 or later.
Can you show me how to configure this on ASA 8.2 or older?
It should be something like this:
static (DMZ,OUTSIDE) tcp <outside ip> <port> <inside ip> <port> netmask 255.255.255.255
Is there any reason given by Cisco as to why the order of operations was changed on the ASA 8.3 code?
The real IPs in the ACLs and the post-NAT'd port numbers, etc.
Not that I know of, I tried looking it up but couldn’t find anything.
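For comparison, here is the pre-8.3 form of the same two port forwards next to the 8.3+ form, using the DMZ/OUTSIDE interface names and the 10.1.1.1 (web) and 10.1.1.2 (SSH) hosts from the configuration posted later in this thread. This is an added example, not configuration from the lesson; it assumes the OUTSIDE interface IP is used as the public address, and the ACL lines show the order-of-operations change discussed above (pre-8.3 the ACL matches the translated address, 8.3+ it matches the real address).

```cisco
! ASA 8.2 and older: static PAT binds an outside port to a DMZ host.
! "interface" uses the OUTSIDE interface IP as the public address.
static (DMZ,OUTSIDE) tcp interface www 10.1.1.1 www netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp interface ssh 10.1.1.2 ssh netmask 255.255.255.255
!
! Pre-8.3: the inbound ACL is checked before untranslation, so it must match
! the MAPPED address (the outside interface), not the real 10.1.1.x hosts.
access-list DMZ_SERVERS extended permit tcp any interface OUTSIDE eq www
access-list DMZ_SERVERS extended permit tcp any interface OUTSIDE eq ssh
access-group DMZ_SERVERS in interface OUTSIDE
!
! ASA 8.3 and later: untranslation happens before the ACL is evaluated, so
! the ACL permits the REAL addresses and static PAT moves into a network object.
object network WEB_SERVER
 host 10.1.1.1
 nat (DMZ,OUTSIDE) static interface service tcp www www
object network SSH_SERVER
 host 10.1.1.2
 nat (DMZ,OUTSIDE) static interface service tcp ssh ssh
access-list DMZ_SERVERS extended permit tcp any host 10.1.1.1 eq www
access-list DMZ_SERVERS extended permit tcp any host 10.1.1.2 eq ssh
access-group DMZ_SERVERS in interface OUTSIDE
```

On either version, show xlate should list a static (flags s) entry per forwarded port once the configuration is in place.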
Hi Rene… For some reason when trying to telnet from my outside router to my HTTP server I keep getting the error message “Connection refused by remote host”. I was able to successfully SSH into my SSH server. Also I am able to telnet from the SSH server to the HTTP server so I know the configuration is correct. Any idea?
Thanks in advance.
interface GigabitEthernet0
 nameif DMZ
 security-level 50
 ip address 10.1.1.254 255.255.255.0
!
interface GigabitEthernet1
 nameif OUTSIDE
 security-level 0
 ip address 188.8.131.52 255.255.255.0
!
object network WEB_SERVER
 host 10.1.1.1
object network SSH_SERVER
 host 10.1.1.2
access-list DMZ_SERVERS extended permit tcp any host 10.1.1.1 eq www
access-list DMZ_SERVERS extended permit tcp any host 10.1.1.2 eq ssh
!
object network WEB_SERVER
 nat (DMZ,OUTSIDE) static interface service tcp www www
object network SSH_SERVER
 nat (DMZ,OUTSIDE) static interface service tcp ssh ssh
access-group DMZ_SERVERS in interface OUTSIDE
!
class-map icmp
 match default-inspection-traffic
!
!
policy-map icmp_policy
 class icmp
  inspect icmp
  inspect http
!
service-policy icmp_policy global
Your configuration is looking good to me. SSH from OUTSIDE to DMZ is no problem?
Is it possible it’s something else? Perhaps no route or default gateway on the HTTP server pointing to your ASA?
Correct, SSH from OUTSIDE to DMZ is working fine… I configured my HTTP server (Router 2) to allow SSH with the following command
access-list DMZ_SERVERS extended permit tcp any host 10.1.1.1 eq ssh
Now I can remote in, but by using the router’s IP, e.g. (ssh -l Cisco 10.1.1.1). For some reason my ASA is not NATing/port forwarding to my HTTP server.
ciscoasa# show xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from DMZ:10.1.1.1 80-80 to OUTSIDE:184.108.40.206 80-80
    flags sr idle 0:05:12 timeout 0:00:00
TCP PAT from DMZ:10.1.1.2 22-22 to OUTSIDE:220.127.116.11 22-22
    flags sr idle 0:09:33 timeout 0:00:00
ciscoasa# show nat
Auto NAT Policies (Section 2)
1 (DMZ) to (OUTSIDE) source static WEB_SERVER interface service tcp www www
    translate_hits = 0, untranslate_hits = 23
2 (DMZ) to (OUTSIDE) source static SSH_SERVER interface service tcp ssh ssh
    translate_hits = 14, untranslate_hits = 6
Not sure why!
Your ASA configuration does look ok and seems to translate HTTP traffic. If you enable a debug IP packet (with an access-list) or debug ip http can you see anything?
Using packet tracer on the ASA also helps to check if you have any errors.
I did the lab again and set the default route to the firewall.
I can check port 80 on the Web Server with your command in this example, “telnet 192.168.2.254 80”, but I can’t use “ssh -l cisco -p 10022 192.168.2.254” from R2 to the outside IP of the firewall.
I don’t know why.
I think it should be nat static to SSH server 192.168.3.3
Please help me resolve this!
Just a couple of things to check…
- Can you SSH from the webserver into the SSH server? That proves SSH is working.
- Do you have a default route on the SSH server towards the ASA?
- Do you see a matching entry in show xlate?
Not sure I am correct, but this should allow telnet from outside
telnet 0.0.0.0 0.0.0.0 outside
This might be correct
telnet 0.0.0.0 0.0.0.0 outside