[c-nsp] SSH through ASA to switch inside

Nick Cutting ncutting at edgetg.com
Tue Mar 6 15:59:30 EST 2018


A quick note - I didn't understand your original question.

The NAT method as others mentioned also works, but I prefer using the VPN for the management. 

What I meant by my statement was this is the only way to have traffic cross firewall interfaces that is destined to the firewall, not through the firewall - for which the NAT method would have worked (as it is not destined TO the firewall).
I thought you were trying to manage the ASA on the inside, through the outside interface.

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Miller
Sent: Tuesday, March 6, 2018 3:38 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SSH through ASA to switch inside


Just to update, I went the VPN route, worked great.  Thank you all.

On Fri, Mar 2, 2018 at 10:54 PM, Nick Cutting <ncutting at edgetg.com> wrote:

> This only works through a VPN, and only with "management access inside"
> enabled on the inside interface.
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf 
> Of Scott Miller
> Sent: Saturday, March 3, 2018 12:47 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] SSH through ASA to switch inside
>
>
> Good day all, not sure if this is the right list for a question such 
> as this, but my google searching has hit a dead end.
>
> What I'm trying to accomplish is SSH from the outside world, through an
> ASA, to a switch for remote access to the switch for maintenance and
> such.
>
> SSH is enabled on the switch, and that works fine independently while
> inside.
> SSH is enabled on the ASA, locked down to a few source IPs, and that
> works fine independently.
>
> What I have configured on the ASA is:
>
> Outside interface =  outside
> Inside interface =  OWNER-INSIDE
>
> !
> interface GigabitEthernet1/1
>  nameif outside
>  security-level 0
>  ip address xx.xx.xx.xx 255.255.255.252
> !
> interface GigabitEthernet1/2
>  description INSIDE OWNER UNRESTRICTED ACCESS
>  nameif OWNER-INSIDE
>  security-level 100
>  ip address 10.255.255.253 255.255.255.248
> !
>
> object network SW1
>  host 10.255.255.252
> object network SW2
>  host 10.255.255.251
> object network SW3
>  host 10.255.255.250
>
> object-group network SSH_CLIENTS
>  network-object object SW1
>  network-object object SW2
>  network-object object SW3
>
> object network SW1
>  nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
> object network SW2
>  nat (outside,OWNER-INSIDE) static interface service tcp ssh 22002
> object network SW3
>  nat (outside,OWNER-INSIDE) static interface service tcp ssh 22003
>
> access-list ACL_Outside_to_Inside remark SSH Connections to specific network objects
> access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq ssh
> access-list ACL_Outside_to_Inside extended deny ip any any
>
> access-group ACL_Outside_to_Inside in interface outside
>
> access-list inside_access_out extended permit ip any any
>
> When I use the ASDM Packet Tracer to test, using the settings, it
> shows the packet traversing successfully. However, when I ssh to IP
> port 22001, it times out.
>
> Hit counters on the access-list do not increase (they did once, but not
> sure where that was in my "testing"):
> access-list ACL_Outside_to_Inside line 2 extended permit tcp any object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
>   access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
>   access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
>   access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.250 eq ssh (hitcnt=0) 0x30601a85
>
> Hit counters on the NAT policies do not increase:
> 1 (outside) to (OWNER-INSIDE) source static SW3 interface  service tcp ssh 22003
>     translate_hits = 0, untranslate_hits = 0
> 2 (outside) to (OWNER-INSIDE) source static SW2 interface  service tcp ssh 22002
>     translate_hits = 0, untranslate_hits = 0
> 3 (outside) to (OWNER-INSIDE) source static SW1 interface  service tcp ssh 22001
>     translate_hits = 0, untranslate_hits = 0
>
> Might be a bit over my head, trying to config the ASA for a new customer.
>
> Any ideas as to what I might be doing wrong? Or do you need the entire config?
>
> Thanks,
> Scott
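An added troubleshooting helper (my own example, not code from the thread or from Cisco): it parses the `show access-list` and `show nat` counters quoted in the post and reports, per port forward, whether the static NAT rule ever untranslated an inbound packet and whether the expanded ACE for the real IP has hits. The sample output strings are transcribed from the post; the object-to-IP mapping is taken from the poster's object definitions.

```python
import re
# Constructed sample input, transcribed from the counters quoted in the thread.
ACL_OUTPUT = """\
access-list ACL_Outside_to_Inside line 2 extended permit tcp any object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.250 eq ssh (hitcnt=0) 0x30601a85
"""
NAT_OUTPUT = """\
1 (outside) to (OWNER-INSIDE) source static SW3 interface  service tcp ssh 22003
    translate_hits = 0, untranslate_hits = 0
2 (outside) to (OWNER-INSIDE) source static SW2 interface  service tcp ssh 22002
    translate_hits = 0, untranslate_hits = 0
3 (outside) to (OWNER-INSIDE) source static SW1 interface  service tcp ssh 22001
    translate_hits = 0, untranslate_hits = 0
"""
# Object-to-real-IP mapping from the poster's "object network" definitions.
OBJECTS = {"SW1": "10.255.255.252", "SW2": "10.255.255.251", "SW3": "10.255.255.250"}

ACE_RE = re.compile(r"permit tcp any host (\S+) eq (\S+) \(hitcnt=(\d+)\)")
NAT_RE = re.compile(
    r"source static (\S+) interface\s+service tcp (\S+) (\d+)\s+"
    r"translate_hits = (\d+), untranslate_hits = (\d+)")

def parse_acl_hits(text):
    """Map real host IP -> hitcnt for the expanded per-host ACEs."""
    return {ip: int(hits) for ip, _port, hits in ACE_RE.findall(text)}

def parse_nat_hits(text):
    """Map object name -> mapped port and untranslate_hits per static PAT rule."""
    return {obj: {"mapped_port": int(mapped), "untranslate_hits": int(untr)}
            for obj, _real, mapped, _tr, untr in NAT_RE.findall(text)}

def diagnose(acl_text, nat_text, objects):
    """Cross-check each port forward. On ASA 8.3+ an inbound packet is un-NATed
    to the real IP before the ingress ACL is evaluated, so a real connection must
    raise untranslate_hits before it can raise the per-host ACE hitcnt; ACE hits
    with zero untranslate_hits did not arrive via the port-forward path
    (packet-tracer runs can bump ACE counters too)."""
    acl, nat = parse_acl_hits(acl_text), parse_nat_hits(nat_text)
    report = {}
    for obj, real_ip in objects.items():
        rule = nat.get(obj)
        if rule is None:
            report[obj] = "no static NAT rule found"
            continue
        nat_state = "untranslated" if rule["untranslate_hits"] else "never untranslated"
        report[obj] = f"{real_ip} via tcp/{rule['mapped_port']}: NAT {nat_state}, ACE hits={acl.get(real_ip, 0)}"
    return report
```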
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/