Nat – Cisco ASA Outside to Outside NAT (forward from one public ip to another public IP)

Tags: cisco-asa, nat, routing

I have an ASA (A) with a set of public IPs (A1..A6), and I have another server S with a public IP (S1).

I want all traffic to A2:22 NATed (forwarded) to S1:22. (SSH is just an example here)
If possible I want the traffic to not even touch the inside interface.

(How) can I do that?

I tried:

  access-list outside_access_in line 26 extended permit tcp any host S1 eq ssh 
  static (outside,outside)  A2 S1 netmask 255.255.255.255 tcp 0 0 udp 0

But that, according to the packet tracer, always dies on the implicit incoming drop rule on the outside interface. I even tried to satisfy it by using a "drop all your pants" any:any rule, with no luck.

I am aware that this is not enough to really make it work. But can it actually work?

Best Answer

You need to make sure that intra interface traffic is allowed.

sh run | i same-security-traffic

If it isn't, then issue the following command:

same-security-traffic permit intra-interface

It will allow traffic to arrive and leave the firewall on the same interface (hairpinning).

Also, your static NAT shouldn't be necessary since the traffic won't go across any interfaces.
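As an added illustration (not part of the question or the answer above), here is what the complete outside-to-outside forward looks like on an ASA, with the intra-interface permit the answer describes. Addresses are constructed placeholders: A2 = 198.51.100.2, S1 = 203.0.113.10, and 192.0.2.0/24 stands for the client range that should be allowed to reach the service. The NAT statement is kept because it is the rule that rewrites the destination A2 to S1; the only thing that differs between ASA releases is which address the interface ACL must name.

```cisco
! 1. Let a flow enter and leave on the same interface (the answer's fix).
!    Without this the hairpinned flow is dropped on the outside interface.
same-security-traffic permit intra-interface
!
! 2. ASA 8.2 and earlier (the syntax used in the question). The static maps
!    A2:22 on the outside to S1:22, also on the outside. On these releases an
!    interface ACL is evaluated against the MAPPED address, so the permit
!    must name A2 (198.51.100.2), not S1. Restrict the source to the client
!    range instead of "any" so the forward does not expose S1 to everyone.
static (outside,outside) tcp 198.51.100.2 22 203.0.113.10 22 netmask 255.255.255.255
access-list outside_access_in extended permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.2 eq 22
access-group outside_access_in in interface outside
!
! 3. ASA 8.3 and later: the same forward written as object NAT. Here the ACL
!    is evaluated against the REAL address (S1), because 8.3+ applies interface
!    ACLs before NAT.
object network obj-S1
 host 203.0.113.10
 nat (outside,outside) static 198.51.100.2 service tcp 22 22
access-list outside_access_in extended permit tcp 192.0.2.0 255.255.255.0 host 203.0.113.10 eq 22
access-group outside_access_in in interface outside
!
! 4. Verify: the trace should now show the NAT phase rewriting the destination
!    and the ACCESS-LIST phase permitting, with egress on "outside".
packet-tracer input outside tcp 192.0.2.5 40000 198.51.100.2 22 detailed
```

Use only the section (2 or 3) that matches the running release; the packet-tracer line is the same check the question used and is the quickest way to confirm which phase is still dropping the flow.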
