[c-nsp] SSH through ASA to switch inside

Scott Miller fordlove at gmail.com
Tue Mar 6 15:38:10 EST 2018


Just to update, I went the VPN route, worked great.  Thank you all.

On Fri, Mar 2, 2018 at 10:54 PM, Nick Cutting <ncutting at edgetg.com> wrote:

> This only works through a VPN, and only with "management access inside"
> enabled on the inside interface.
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Scott Miller
> Sent: Saturday, March 3, 2018 12:47 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] SSH through ASA to switch inside
>
> Good day all, not sure if this is the right list for a question such as
> this, but my google searching has hit a dead end.
>
> What I'm trying to accomplish is SSH from the outside world, through an ASA,
> to a switch, for remote access to the switch for maintenance and such.
>
> SSH is enabled on the switch, and that works fine independently while
> inside.
> SSH is enabled on the ASA, locked down to a few source IPs, and that
> works fine independently.
>
> What I have configured on the ASA is:
>
> Outside interface =  outside
> Inside interface =  OWNER-INSIDE
>
> !
> interface GigabitEthernet1/1
>  nameif outside
>  security-level 0
>  ip address xx.xx.xx.xx 255.255.255.252
> !
> interface GigabitEthernet1/2
>  description INSIDE OWNER UNRESTRICTED ACCESS
>  nameif OWNER-INSIDE
>  security-level 100
>  ip address 10.255.255.253 255.255.255.248
> !
>
> object network SW1
>  host 10.255.255.252
> object network SW2
>  host 10.255.255.251
> object network SW3
>  host 10.255.255.250
>
> object-group network SSH_CLIENTS
>  network-object object SW1
>  network-object object SW2
>  network-object object SW3
>
> object network SW1
>  nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
> object network SW2
>  nat (outside,OWNER-INSIDE) static interface service tcp ssh 22002
> object network SW3
>  nat (outside,OWNER-INSIDE) static interface service tcp ssh 22003
>
> access-list ACL_Outside_to_Inside remark SSH Connections to specific network objects
> access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq ssh
> access-list ACL_Outside_to_Inside extended deny ip any any
>
> access-group ACL_Outside_to_Inside in interface outside
>
> access-list inside_access_out extended permit ip any any
>
> When I use the ASDM Packet Tracer to test, using these settings, it shows
> the packet traversing successfully. However, when I SSH to the IP on port
> 22001, it times out.
>
> Hit counters on the access-list do not increase (they did once, but not
> sure where that was in my "testing"):
>
> access-list ACL_Outside_to_Inside line 2 extended permit tcp any object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
>   access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
>   access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
>   access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.250 eq ssh (hitcnt=0) 0x30601a85
>
> Hit counters on the NAT policies do not increase:
>
> 1 (outside) to (OWNER-INSIDE) source static SW3 interface  service tcp ssh 22003
>     translate_hits = 0, untranslate_hits = 0
> 2 (outside) to (OWNER-INSIDE) source static SW2 interface  service tcp ssh 22002
>     translate_hits = 0, untranslate_hits = 0
> 3 (outside) to (OWNER-INSIDE) source static SW1 interface  service tcp ssh 22001
>     translate_hits = 0, untranslate_hits = 0
>
> Might be a bit over my head; I'm trying to config the ASA for a new customer.
>
> Any ideas as to what I might be doing wrong? Or do you need the entire config?
>
> Thanks,
> Scott
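As an added example (not from the thread, Cisco, or the list), a small Python lint for the kind of config posted above: it reads the interface, object and object-NAT lines and flags any `nat (real_ifc,mapped_ifc)` rule whose real interface is not the interface the object's host sits behind. The config text is a constructed sample patterned on the posted one, with the redacted outside address replaced by a documentation-range placeholder.

```python
import ipaddress
import re

# Constructed sample patterned on the posted config (outside address is a placeholder).
ASA_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet1/2
 nameif OWNER-INSIDE
 ip address 10.255.255.253 255.255.255.248
object network SW1
 host 10.255.255.252
object network SW2
 host 10.255.255.251
object network SW1
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
object network SW2
 nat (OWNER-INSIDE,outside) static interface service tcp ssh 22002
"""


def parse_asa(config):
    # nameif -> connected subnet, object -> host address, (object, real_ifc, mapped_ifc)
    interfaces, hosts, nat_rules = {}, {}, []
    nameif = obj = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()
            interfaces[nameif] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith("object network "):
            obj = line.split()[2]  # the same object may be reopened to attach its NAT
        elif line.startswith("host ") and obj:
            hosts[obj] = ipaddress.ip_address(line.split()[1])
        elif obj and (m := re.match(r"nat \((\S+),(\S+)\) static", line)):
            nat_rules.append((obj, m.group(1), m.group(2)))
    return interfaces, hosts, nat_rules


def lint_nat_direction(config):
    # Object NAT is "nat (real_ifc,mapped_ifc)": the first name must be the interface
    # the real host sits behind, so compare it against the connected subnets.
    interfaces, hosts, nat_rules = parse_asa(config)
    findings = []
    for obj, real_ifc, mapped_ifc in nat_rules:
        host = hosts.get(obj)
        on_ifc = next((n for n, net in interfaces.items()
                       if host is not None and host in net), None)
        if on_ifc != real_ifc:
            findings.append(f"{obj}: real interface is {real_ifc}, but {host} is on {on_ifc}")
    return findings
```

Running `lint_nat_direction(ASA_CONFIG)` reports only SW1, whose interface pair is reversed relative to where 10.255.255.252 actually lives.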

