[c-nsp] SSH through ASA to switch inside

Randy randy_94108 at yahoo.com
Sat Mar 3 18:34:59 EST 2018



Hi Scott,
Looking through what you have posted, it appears you are trying to accomplish the following:
1) ssh to ports 22001-3 for sw1-3 respectively, and have that redirected to port 22, which sshd on your switches is listening on; correct?


one of your object-nats as an example:

object network SW1
nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001

Two things need to happen:

Your outside-inbound ACL needs to allow 22001-3 to your switches as opposed to ssh (port 22)

Since you are performing object-NAT against the real-switch-IP,


nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001

needs to change to:

nat (OWNER-INSIDE, outside) static interface service tcp ssh 22001

Remember, for auto/object-nat, if you specify a service, it specifies the service port that your real host is listening on, and in this case the host is behind OWNER-INSIDE.

On a separate note:
If you wish your interface-order to be where you started:
nat (outside,OWNER-INSIDE)

You will have to perform twice/manual NAT

./Randy
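For readers landing on this thread later, here is Randy's correction written out as one consistent config. This is an added example, not the configuration from either post. It assumes ASA 8.3 or later (where access rules match the real, untranslated address and port, so the ACL stays on port 22 against the real switch addresses rather than 22001-3) and uses a constructed admin source range 203.0.113.0/24 in a hypothetical group SSH_ADMINS in place of Scott's unstated "few source IPs". The object and group names SW1-3 and SSH_CLIENTS are kept from Scott's post.

```cisco
! Added example (not from the original posts). Assumes ASA 8.3+ and a
! constructed admin source range 203.0.113.0/24 (hypothetical).
!
! Object NAT: real host sits behind OWNER-INSIDE, so that interface is named
! first; real port 22 on the switch is published as 22001-22003 on the
! outside interface address.
object network SW1
 host 10.255.255.252
 nat (OWNER-INSIDE,outside) static interface service tcp ssh 22001
object network SW2
 host 10.255.255.251
 nat (OWNER-INSIDE,outside) static interface service tcp ssh 22002
object network SW3
 host 10.255.255.250
 nat (OWNER-INSIDE,outside) static interface service tcp ssh 22003
!
! Switch group name kept from the original post.
object-group network SSH_CLIENTS
 network-object object SW1
 network-object object SW2
 network-object object SW3
!
! Hypothetical admin source range; replace with the real management sources.
object-group network SSH_ADMINS
 description constructed admin source range (assumption)
 network-object 203.0.113.0 255.255.255.0
!
! Inbound rule on the outside interface: on 8.3+ it is written against the
! real switch addresses and the real port (22), not the mapped 22001-22003.
! Source is restricted instead of "any", and the explicit deny is logged.
access-list ACL_Outside_to_Inside remark SSH to switches via outside port-forward
access-list ACL_Outside_to_Inside extended permit tcp object-group SSH_ADMINS object-group SSH_CLIENTS eq ssh
access-list ACL_Outside_to_Inside extended deny ip any any log
access-group ACL_Outside_to_Inside in interface outside
!
! Verification from the ASA CLI (<outside-ip> = the outside interface address):
!   packet-tracer input outside tcp 203.0.113.10 40000 <outside-ip> 22001 detailed
!   show nat detail
!   show access-list ACL_Outside_to_Inside
! A successful inbound connection increments untranslate_hits on the SW1 NAT
! rule and the hit count on the SW1 line of the ACL.
```

Two checks worth doing after applying this: confirm the mapped ports do not collide with the ASA's own management SSH, which keeps port 22 on the outside interface address (that is why 22001-3 are safe and plain 22 would not be), and confirm `show nat detail` now lists the rules as (OWNER-INSIDE) to (outside), since Scott's zero untranslate_hits were the symptom of the rules being installed in the wrong direction.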






________________________________
From: Scott Miller <fordlove at gmail.com>
To: cisco-nsp at puck.nether.net 
Sent: Friday, March 2, 2018 9:47 PM
Subject: [c-nsp] SSH through ASA to switch inside



Good day all, not sure if this is the right list for a question such as
this, but my google searching has hit a dead end.

What I'm trying to accomplish is ssh from the outside world, through an ASA,
to a switch for remote access to the switch for maintenance and such.

SSH is enabled on the switch, and that works fine independently while
inside.
SSH is enabled on the ASA, locked down to a few source IPs, and that works
fine independently.

What I have configured on the ASA is:

Outside interface = outside
Inside interface = OWNER-INSIDE

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface GigabitEthernet1/2
 description INSIDE OWNER UNRESTRICTED ACCESS
 nameif OWNER-INSIDE
 security-level 100
 ip address 10.255.255.253 255.255.255.248
!

object network SW1
 host 10.255.255.252
object network SW2
 host 10.255.255.251
object network SW3
 host 10.255.255.250

object-group network SSH_CLIENTS
 network-object object SW1
 network-object object SW2
 network-object object SW3

object network SW1
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
object network SW2
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22002
object network SW3
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22003

access-list ACL_Outside_to_Inside remark SSH Connections to specific network objects
access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq ssh
access-list ACL_Outside_to_Inside extended deny ip any any

access-group ACL_Outside_to_Inside in interface outside

access-list inside_access_out extended permit ip any any

When I use the ASDM Packet Tracer to test, using the settings, it shows the
packet traversing successfully. However, when I ssh to IP port 22001, it
times out.

Hit counters on the access-list do not increase (they did once, but not sure
where that was in my "testing"):

access-list ACL_Outside_to_Inside line 2 extended permit tcp any object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.250 eq ssh (hitcnt=0) 0x30601a85

Hit counters on the nat policies do not increase.

1 (outside) to (OWNER-INSIDE) source static SW3 interface  service tcp ssh 22003
    translate_hits = 0, untranslate_hits = 0
2 (outside) to (OWNER-INSIDE) source static SW2 interface  service tcp ssh 22002
    translate_hits = 0, untranslate_hits = 0
3 (outside) to (OWNER-INSIDE) source static SW1 interface  service tcp ssh 22001
    translate_hits = 0, untranslate_hits = 0

Might be a bit over my head, trying to config the ASA for a new customer.

Any ideas as to what I might be doing wrong? Or need the entire config?

Thanks,
Scott

_______________________________________________

cisco-nsp mailing list  cisco-nsp at puck.nether.net

https://puck.nether.net/mailman/listinfo/cisco-nsp

archive at http://puck.nether.net/pipermail/cisco-nsp/

