diff --git a/roles/basessh/templates/sshd_config.j2 b/roles/basessh/templates/sshd_config.j2
index bec3249904..76556a6f1f 100644
--- a/roles/basessh/templates/sshd_config.j2
+++ b/roles/basessh/templates/sshd_config.j2
@@ -40,7 +40,12 @@ UsePAM yes
 AllowAgentForwarding no
 X11Forwarding no
 PermitTunnel no
+{% if not ansible_hostname.startswith(('bastion')) %}
+# This is a bastion host, we need tcp forwarding here.
+AllowTcpForwarding yes
+{% else %}
 AllowTcpForwarding no
+{% endif %}
 
 # Accept locale-related environment
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
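Review bot: The test on the added `{% if not ansible_hostname.startswith(('bastion')) %}` line is inverted. With the `not`, every host whose name does not start with "bastion" renders `AllowTcpForwarding yes`, while the bastion hosts fall through to `{% else %}` and get `AllowTcpForwarding no`, which is the opposite of what the comment in that branch says. As written, the template would relax the forwarding restriction on all non-bastion hosts this role is applied to; drop the negation: `{% if ansible_hostname.startswith('bastion') %}` (the doubled parentheses make a plain string, not a tuple, so they can go too). Since `ansible_hostname` is a fact reported by the managed host itself, it may be worth keying this on inventory data instead, for example a group-membership test via `group_names` or a dedicated role variable, so a host cannot opt into forwarding through its own hostname.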