Cisco ASA – How to Expose SFTP Server to External Interface

cisco-asa

We recently upgraded from "prosumer" equipment to Cisco ASA routers, and I am trying to learn some basic administration of the devices. The reason this will sound like a newbie question is … well … because it is.

I have configured a nat-ssh service for port 22, following the pattern for nat-http and nat-https that were pre-installed by our vendor.

I had no issues configuring the prior equipment to route FTP requests to my FTP server, but the Cisco ASA is a little more complex to configure. Where can I find step-by-step instructions for configuring the Cisco ASA to route SFTP traffic from the internet to an internal server in ASDM?

The Packet Trace test fails because the NAT rule is not catching the packets, and they are falling through to the final "deny all" rule that is configured.

Thank you in advance.

ACL Rule definition:

Packet Trace Results:

Best Answer

You should configure the global IP as destenation in the ACL not the private IP and you can check the below link for more information: Configure ASA Port Forwarding with NAT

Related Solutions

Cisco – ASA failed to locate egress interface and Nat? issues

On your identity NAT (nonat) add "route-lookup" at the end of the command to bypass the behavior of using the XLATE for the egress interface.

Vlan – ASA 5505 Assign Outbound IP to VLAN

This is an old question, but I recently ran into this same issue, and after some trial and error, I was able to come up with a solution. The following applies to ASA Version 9.1. I have two VLANs on our network: one for PCs, and one for VoIP. I wanted the VoIP VLAN to use its own outside address, separate from the outside address used by the PCs. Here's what the configuration ended up looking like (IP addresses have been obfuscated slightly). These are only the pertinent parts of the configuration, not a complete dump:

: ASA Version 9.1(2) 

interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 50
!
interface Vlan1
  nameif outside
  security-level 0
  ip address 65.65.65.10 255.255.255.192 
!
interface Vlan2
 nameif net-inside
 security-level 100
 ip address 10.1.10.1 255.255.248.0 
!
interface Vlan50
 nameif net-voip
 security-level 100
 ip address 172.16.0.1 255.255.255.0 
!
object network net-voip
 subnet 172.16.0.0 255.255.255.0
 nat (net-voip,outside) dynamic 65.65.65.20
!
nat (net-inside,outside) after-auto source dynamic any interface
!
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd address 172.16.0.100-172.16.0.127 net-voip
dhcpd dns 8.8.8.8 interface net-voip
dhcpd enable net-voip

I also included the part of my configuration which sets up DHCP on the VoIP VLAN for the phones. One snag I ran into (which should've been obvious in retrospect), the net-voip VLAN needs to have a security level higher than the outside VLAN, otherwise it won't be allowed out.

Best Answer

Related Solutions

Cisco – ASA failed to locate egress interface and Nat? issues

Vlan – ASA 5505 Assign Outbound IP to VLAN

Related Topic