[c-nsp] SSH through ASA to switch inside

joshd jduffek at gmail.com
Sat Mar 3 02:23:52 EST 2018


Maybe I'm wrong...but this line:
access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq ssh

is only permitting TCP:22 in. So if you added:

access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq 22001
access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq 22002
access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq 22003

...then you would be allowing those fancy custom SSH ports you added in
through the ACL.

Then, assuming your NAT config is right, it should work.

I'm curious, what exact command are you running when you do the
packet-tracer stuff?



On Fri, Mar 2, 2018 at 11:46 PM, Scott Miller <fordlove at gmail.com> wrote:

> Good day all, not sure if this is the right list for a question such as
> this, but my google searching has hit a dead end.
>
> What I'm trying to accomplish is SSH from the outside world, through an ASA,
> to a switch, for remote access to the switch for maintenance and such.
>
> SSH is enabled on the switch, and that works fine independently while
> inside.
> SSH is enabled on the ASA, locked down to a few source IPs, and that works
> fine independently.
>
> What I have configured on the ASA is:
>
> Outside interface =  outside
> Inside interface =  OWNER-INSIDE
>
> !
> interface GigabitEthernet1/1
>  nameif outside
>  security-level 0
>  ip address xx.xx.xx.xx 255.255.255.252
> !
> interface GigabitEthernet1/2
>  description INSIDE OWNER UNRESTRICTED ACCESS
>  nameif OWNER-INSIDE
>  security-level 100
>  ip address 10.255.255.253 255.255.255.248
> !
>
> object network SW1
>  host 10.255.255.252
> object network SW2
>  host 10.255.255.251
> object network SW3
>  host 10.255.255.250
>
> object-group network SSH_CLIENTS
>  network-object object SW1
>  network-object object SW2
>  network-object object SW3
>
> object network SW1
>  nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
> object network SW2
>  nat (outside,OWNER-INSIDE) static interface service tcp ssh 22002
> object network SW3
>  nat (outside,OWNER-INSIDE) static interface service tcp ssh 22003
>
> access-list ACL_Outside_to_Inside remark SSH Connections to specific network objects
> access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq ssh
> access-list ACL_Outside_to_Inside extended deny ip any any
>
> access-group ACL_Outside_to_Inside in interface outside
>
> access-list inside_access_out extended permit ip any any
>
> When I use the ASDM Packet Tracer to test, using the settings, it shows the
> packet traversing successfully. However, when I ssh to the IP on port 22001, it
> times out.
>
> Hit counters on the access-list do not increase (they did once, but I'm not sure
> where that was in my "testing"):
> access-list ACL_Outside_to_Inside line 2 extended permit tcp any object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
>   access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
>   access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
>   access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.250 eq ssh (hitcnt=0) 0x30601a85
>
> Hit counters on the NAT policies do not increase:
> 1 (outside) to (OWNER-INSIDE) source static SW3 interface  service tcp ssh 22003
>     translate_hits = 0, untranslate_hits = 0
> 2 (outside) to (OWNER-INSIDE) source static SW2 interface  service tcp ssh 22002
>     translate_hits = 0, untranslate_hits = 0
> 3 (outside) to (OWNER-INSIDE) source static SW1 interface  service tcp ssh 22001
>     translate_hits = 0, untranslate_hits = 0
>
> Might be a bit over my head, trying to config the ASA for a new customer.
>
> Any ideas as to what I might be doing wrong?  or need the entire config?
>
> Thanks,
> Scott
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
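As an added troubleshooting aid (not code from the thread), the script below parses the `show access-list` and `show nat` counter output quoted above and joins each static PAT rule with the ACL hit counter of its real host, so a mapped port that is never untranslated, or an ACL entry that is never hit, stands out at a glance. The sample text is copied from the post with the mailer's line wraps rejoined, and the object-to-host mapping is taken from the `object network` statements in the same post.

```python
import re

# Constructed sample input: the "show access-list" / "show nat" excerpts from
# the thread, with the mailer's line wraps rejoined. Object-to-host mapping is
# taken from the "object network" statements in the same post.
OBJECTS = {"SW1": "10.255.255.252", "SW2": "10.255.255.251", "SW3": "10.255.255.250"}

ACL_OUTPUT = """\
access-list ACL_Outside_to_Inside line 2 extended permit tcp any object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.250 eq ssh (hitcnt=0) 0x30601a85
"""

NAT_OUTPUT = """\
1 (outside) to (OWNER-INSIDE) source static SW3 interface  service tcp ssh 22003
    translate_hits = 0, untranslate_hits = 0
2 (outside) to (OWNER-INSIDE) source static SW2 interface  service tcp ssh 22002
    translate_hits = 0, untranslate_hits = 0
3 (outside) to (OWNER-INSIDE) source static SW1 interface  service tcp ssh 22001
    translate_hits = 0, untranslate_hits = 0
"""

# Expanded per-host ACL entries: "... host <ip> eq <port> (hitcnt=<n>)"
ACL_RE = re.compile(r"host (\S+) eq (\S+) \(hitcnt=(\d+)\)")
# Static PAT rule followed by its counter line: object, real port, mapped port, hits
NAT_RE = re.compile(
    r"source static (\S+) interface\s+service tcp (\S+) (\S+)\s+"
    r"translate_hits = (\d+), untranslate_hits = (\d+)"
)

def acl_host_hits(text):
    """Return {real_host: hitcnt} for the expanded per-host ACL entries."""
    return {host: int(n) for host, _port, n in ACL_RE.findall(text)}

def nat_rules(text):
    """Return {mapped_port: (object, real_port, untranslate_hits)}."""
    return {m: (obj, real, int(u)) for obj, real, m, _t, u in NAT_RE.findall(text)}

def correlate(acl_text=ACL_OUTPUT, nat_text=NAT_OUTPUT, objects=OBJECTS):
    """Join each static PAT rule with the ACL counter for its real host."""
    acl = acl_host_hits(acl_text)
    rows = []
    for mapped, (obj, real, uhits) in sorted(nat_rules(nat_text).items()):
        host = objects.get(obj, "?")  # "?" if the object is not in the config excerpt
        rows.append({"mapped_port": mapped, "object": obj, "real_host": host,
                     "real_port": real, "untranslate_hits": uhits,
                     "acl_hits": acl.get(host, 0)})
    return rows

if __name__ == "__main__":
    for row in correlate():
        print(row)
```

Run it against fresh output captured after a failed SSH attempt to each mapped port; a row whose untranslate_hits stays at 0 never reached the NAT stage, which narrows the problem to what happens before it.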

