TOPIC: ASA 5505 and NAT rule

ASA 5505 and NAT rule 5 years 10 months ago #35814

  • AndyIT
I have an ASA 5505 and I need to open up some ports to a host. I started with port 22 (SSH) but without success. Can anyone help out with the commands to do this? Here's my running-config.

: Saved
ASA Version 8.3(1)
hostname flufirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address 85.39.XXX.XXX
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network obj_any
object network inside-network
object network inside-net
object network Webserver
access-list OUTSIDE-IN extended permit tcp any host eq ssh
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
object network inside-net
 nat (inside,outside) dynamic interface
object network Webserver
 nat (inside,outside) static interface service tcp ssh ssh
access-group OUTSIDE-IN in interface outside
route outside 85.39.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 message-length maximum client auto
 message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
: end
no asdm history enable

Re: ASA 5505 and NAT rule 5 years 10 months ago #35819

  • r0nni3
Sorry, I don't have time to go through the whole config,
but this video explains how NAT works in 8.3 really well.
Currently working as Cisco Engineer at Neon-Networking.

CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream

Re: ASA 5505 and NAT rule 5 years 10 months ago #35827

  • vince77
It looks OK. Maybe remove the ssh timeout value in case it thinks you are trying to SSH into the ASA.

Do a sh xlate to see if it adds the PAT to the required host.

You can also try to use this:
access-list OUTSIDE-IN extended permit tcp any object Webserver eq ssh

If that doesn't work, check if the software antivirus/firewall on your host is blocking it.
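An added example, not part of the thread or of any poster's configuration: the static PAT and access rule for SSH on ASA 8.3, followed by the checks mentioned in the last reply. The host address 192.168.1.10, the test source 198.51.100.10 and the `<outside-ip>` placeholder are assumptions; on 8.3 and later the access list is matched against the real (inside) address, which is why the rule names the object.

```cisco
! Constructed example for ASA 8.3(1); all addresses are placeholders.
! Global configuration mode:
object network Webserver
 host 192.168.1.10
 nat (inside,outside) static interface service tcp ssh ssh
!
! The ACL is evaluated against the real address of the server,
! so reference the object (or 192.168.1.10), not the outside interface IP.
access-list OUTSIDE-IN extended permit tcp any object Webserver eq ssh
access-group OUTSIDE-IN in interface outside
!
! Privileged EXEC mode, verification:
! 1. Confirm the static PAT entry for tcp/22 exists.
show xlate
show nat detail
! 2. Confirm the permit line is present and its hit count rises on a test.
show access-list OUTSIDE-IN
! 3. Simulate an inbound SSH packet to the outside address and read which
!    phase (UN-NAT, ACCESS-LIST, NAT) allows or drops it.
packet-tracer input outside tcp 198.51.100.10 40000 <outside-ip> 22 detailed
```

Because the rule permits `any` source, narrowing it to the management networks that need SSH keeps the exposed service off the open Internet.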