Re: [c-nsp] SSH through ASA to switch inside

2018-03-06 Thread Nick Cutting
A quick note - I didn't understand your original question.

The NAT method as others mentioned also works, but I prefer using the VPN for 
the management. 

What I meant by my statement was that this is the only way to have traffic cross 
firewall interfaces when it is destined to the firewall, not through the firewall 
- which is where the NAT method would have worked (as that traffic is not destined 
TO the firewall).
I thought you were trying to manage the ASA on the inside, through the outside 
interface.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott 
Miller
Sent: Tuesday, March 6, 2018 3:38 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SSH through ASA to switch inside


Just to update, I went the VPN route, worked great.  Thank you all.

On Fri, Mar 2, 2018 at 10:54 PM, Nick Cutting <ncutt...@edgetg.com> wrote:

> This only works through a VPN, and only with "management access inside"
> enabled on the inside interface.
>

Re: [c-nsp] SSH through ASA to switch inside

2018-03-06 Thread Scott Miller
Just to update, I went the VPN route, worked great.  Thank you all.

On Fri, Mar 2, 2018 at 10:54 PM, Nick Cutting <ncutt...@edgetg.com> wrote:

> This only works through a VPN, and only with "management access inside"
> enabled on the inside interface.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] SSH through ASA to switch inside

2018-03-03 Thread Randy via cisco-nsp
Hi Scott,
Looking through what you have posted, it appears you are trying to accomplish 
the following:
1) ssh to port 22001-3 for sw1-3 respectively, and have that redirected to port 
22 that sshd on your switches is listening on; correct?


One of your object NATs as an example:

object network SW1
nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001

Two things need to happen:

Your outside-inbound ACL needs to allow 22001-3 to your switches, as opposed to 
ssh (port 22).

Since you are performing object NAT against the real switch IP,

nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001

needs to change to:

nat (OWNER-INSIDE,outside) static interface service tcp ssh 22001

Remember, for auto/object NAT, if you specify a service, it specifies the 
service port that your real host is listening on, and in this case the host is 
behind OWNER-INSIDE.

On a separate note:
If you wish your interface order to be where you started,
nat (outside,OWNER-INSIDE)
you will have to perform twice/manual NAT.

./Randy

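To make the interface-order point above concrete, here is an added example, written for this thread rather than taken from it or from Cisco, that models in Python how an ASA running 8.3 or later handles one inbound connection against the posted object NAT rules: un-NAT first, then the inbound ACL evaluated on the real address and real port. It assumes that 8.3+ phase order; the outside address 203.0.113.1 is a constructed placeholder because the post masks the real one.

```python
# Added example (not from the thread): a small model of how an ASA (8.3+) processes an
# inbound connection against object NAT with port translation.  It shows why the rules as
# posted never record an untranslate hit, and why flipping the interface order fixes that.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses: the post masks the outside address, so 203.0.113.1 is a placeholder.
IF_ADDRS = {"outside": "203.0.113.1", "OWNER-INSIDE": "10.255.255.253"}
SW1, SW2, SW3 = "10.255.255.252", "10.255.255.251", "10.255.255.250"

@dataclass
class ObjectNat:
    """object network NAME / nat (real_if,mapped_if) static interface service tcp REAL MAPPED"""
    name: str
    real_if: str            # interface the real host sits behind
    mapped_if: str          # interface whose own address serves as the mapped address
    real_host: str
    real_port: int
    mapped_port: int
    untranslate_hits: int = 0   # the counter 'show nat' prints as untranslate_hits

@dataclass(frozen=True)
class Ace:
    """access-list ... extended ACTION tcp any host DST eq PORT (None means 'any')."""
    action: str
    dst: Optional[str] = None
    port: Optional[int] = None

@dataclass
class Packet:
    ingress_if: str
    dst: str
    dport: int

def un_nat(rules: List[ObjectNat], pkt: Packet) -> Optional[ObjectNat]:
    """Destination un-translation for a packet arriving on a rule's *mapped* interface.

    An object NAT rule only claims inbound traffic that enters on its mapped interface,
    addressed to that interface's own address ('interface' keyword) and the mapped port.
    With (outside,OWNER-INSIDE) the mapped side is OWNER-INSIDE, so nothing entering on
    outside ever matches: exactly the untranslate_hits = 0 shown in the post.
    """
    for rule in rules:
        if (pkt.ingress_if == rule.mapped_if and pkt.dst == IF_ADDRS[rule.mapped_if]
                and pkt.dport == rule.mapped_port):
            rule.untranslate_hits += 1
            pkt.dst, pkt.dport = rule.real_host, rule.real_port
            return rule
    return None

def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First match wins; on ASA 8.3+ the inbound ACL is checked after un-NAT (real values)."""
    for ace in acl:
        if ace.dst in (None, pkt.dst) and ace.port in (None, pkt.dport):
            return ace.action == "permit"
    return False  # implicit deny at the end of every ACL

def trace(rules: List[ObjectNat], acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Mimic the phase order packet-tracer reports: UN-NAT, then ACCESS-LIST."""
    rule = un_nat(rules, pkt)
    if rule is None:
        if pkt.dst in IF_ADDRS.values():
            # Nothing claimed the packet and it is addressed to the ASA itself, so it is
            # handled as to-the-box traffic (ssh/ASDM to the firewall), never forwarded.
            return "drop: no NAT match, destined to the ASA itself", None
        return "drop: no NAT or route for destination", None
    if not acl_permits(acl, pkt):
        return f"drop: ACL denies {pkt.dst}:{pkt.dport}", None
    return f"allow: forwarded to {pkt.dst}:{pkt.dport} via {rule.real_if}", rule.real_if

def make_rules(real_if: str, mapped_if: str) -> List[ObjectNat]:
    """The three posted object NAT rules, with the interface order supplied by the caller."""
    switches = (("SW1", SW1, 22001), ("SW2", SW2, 22002), ("SW3", SW3, 22003))
    return [ObjectNat(n, real_if, mapped_if, host, 22, mapped) for n, host, mapped in switches]

# The ACL as posted: permit tcp any object-group SSH_CLIENTS eq ssh, then deny ip any any.
ACL_AS_POSTED = [Ace("permit", h, 22) for h in (SW1, SW2, SW3)] + [Ace("deny")]
# Variant that permits only the mapped ports 22001-22003 instead of the real port 22.
ACL_MAPPED_PORTS = [Ace("permit", h, p) for h, p in ((SW1, 22001), (SW2, 22002), (SW3, 22003))]

def run(real_if: str, mapped_if: str, dport: int = 22001,
        acl: Optional[List[Ace]] = None) -> Tuple[str, int]:
    """One inbound SSH attempt arriving on outside; returns (verdict, total un-NAT hits)."""
    rules = make_rules(real_if, mapped_if)
    pkt = Packet("outside", IF_ADDRS["outside"], dport)
    verdict, _ = trace(rules, ACL_AS_POSTED if acl is None else acl, pkt)
    return verdict, sum(r.untranslate_hits for r in rules)

if __name__ == "__main__":
    print("as posted (outside,OWNER-INSIDE):", run("outside", "OWNER-INSIDE"))
    print("corrected (OWNER-INSIDE,outside):", run("OWNER-INSIDE", "outside"))
    print("corrected, ACL on mapped ports  :", run("OWNER-INSIDE", "outside", acl=ACL_MAPPED_PORTS))
```

The third case is the one to confirm on a real box with packet-tracer: in this model an ACL written for the mapped ports never matches once un-NAT has rewritten the destination to port 22, so the posted "eq ssh" entries are the ones that line up with the corrected NAT.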

Re: [c-nsp] SSH through ASA to switch inside

2018-03-03 Thread joshd
Why would you need that?  Just so long as the global/outside ports are
unique, it should be OK, shouldn't it?  Wouldn't the ASA complain about
overlapping NATs if it was actually a problem?


On Sat, Mar 3, 2018 at 2:52 PM, Brian Knight wrote:

> You need object-based static NAT/PAT.
>
> object network SW1
>   nat (OWNER-INSIDE,outside) static interface service tcp 22001 22001
>
> etc.
>
> Reference: https://www.packet6.com/configuring-nat-for-a-public-server-
> using-same-outside-interface/
>
> -Brian
>


Re: [c-nsp] SSH through ASA to switch inside

2018-03-03 Thread Brian Knight

You need object-based static NAT/PAT.

object network SW1
  nat (OWNER-INSIDE,outside) static interface service tcp 22001 22001

etc.

Reference: 
https://www.packet6.com/configuring-nat-for-a-public-server-using-same-outside-interface/


-Brian




Re: [c-nsp] SSH through ASA to switch inside

2018-03-02 Thread joshd
Maybe I'm wrong... but this line:

access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq ssh

is only permitting TCP:22 in. So if you added:

access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq 22001
access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq 22002
access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq 22003

...then you would be allowing those fancy custom SSH ports you added in
through the ACL.

Then, assuming your NAT config is right, it should work.

I'm curious, what exact command are you running when you do the
packet-tracer stuff?





Re: [c-nsp] SSH through ASA to switch inside

2018-03-02 Thread Nick Cutting
This only works through a VPN, and only with "management access inside" enabled 
on the inside interface.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott 
Miller
Sent: Saturday, March 3, 2018 12:47 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] SSH through ASA to switch inside




[c-nsp] SSH through ASA to switch inside

2018-03-02 Thread Scott Miller
Good day all, not sure if this is the right list for a question such as
this, but my google searching has hit a dead end.

What I'm trying to accomplish is to ssh from the outside world, through an ASA,
to a switch for remote access to the switch for maintenance and such.

SSH is enabled on the switch, and that works fine independently while
inside.
SSH is enabled on the ASA, locked down to a few source IPs, and that works
fine independently.

What I have configured on the ASA is:

Outside interface =  outside
Inside interface =  OWNER-INSIDE

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface GigabitEthernet1/2
 description INSIDE OWNER UNRESTRICTED ACCESS
 nameif OWNER-INSIDE
 security-level 100
 ip address 10.255.255.253 255.255.255.248
!

object network SW1
 host 10.255.255.252
object network SW2
 host 10.255.255.251
object network SW3
 host 10.255.255.250

object-group network SSH_CLIENTS
 network-object object SW1
 network-object object SW2
 network-object object SW3

object network SW1
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
object network SW2
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22002
object network SW3
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22003

access-list ACL_Outside_to_Inside remark SSH Connections to specific
network objects
access-list ACL_Outside_to_Inside extended permit tcp any object-group
SSH_CLIENTS eq ssh
access-list ACL_Outside_to_Inside extended deny ip any any

access-group ACL_Outside_to_Inside in interface outside

access-list inside_access_out extended permit ip any any

When I use the ASDM Packet Tracer to test, using the settings, it shows the
packet traversing successfully. However, when I ssh to the IP on port 22001, it
times out.

Hit counters on the access-list do not increase (they did once, but not sure
where that was in my "testing"):
access-list ACL_Outside_to_Inside line 2 extended permit tcp any object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.250 eq ssh (hitcnt=0) 0x30601a85

Hit counters on the NAT policies do not increase:
1 (outside) to (OWNER-INSIDE) source static SW3 interface  service tcp ssh 22003
    translate_hits = 0, untranslate_hits = 0
2 (outside) to (OWNER-INSIDE) source static SW2 interface  service tcp ssh 22002
    translate_hits = 0, untranslate_hits = 0
3 (outside) to (OWNER-INSIDE) source static SW1 interface  service tcp ssh 22001
    translate_hits = 0, untranslate_hits = 0

Might be a bit over my head, trying to config the ASA for a new customer.

Any ideas as to what I might be doing wrong?  or need the entire config?

Thanks,
Scott