Re: [c-nsp] SSH through ASA to switch inside
A quick note - I didn't understand your original question. The NAT method, as others mentioned, also works, but I prefer using the VPN for the management.

What I meant by my statement was that this is the only way to have traffic cross firewall interfaces that is destined to the firewall, not through the firewall - which is why the NAT method would have worked (as it is not destined TO the firewall). I thought you were trying to manage the ASA on the inside, through the outside interface.

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Miller
Sent: Tuesday, March 6, 2018 3:38 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SSH through ASA to switch inside

Just to update, I went the VPN route, worked great. Thank you all.

On Fri, Mar 2, 2018 at 10:54 PM, Nick Cutting wrote:
> This only works through a VPN, and only with "management access inside"
> enabled on the inside interface.
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Miller
> Sent: Saturday, March 3, 2018 12:47 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] SSH through ASA to switch inside
Re: [c-nsp] SSH through ASA to switch inside
Just to update, I went the VPN route, worked great. Thank you all.

On Fri, Mar 2, 2018 at 10:54 PM, Nick Cutting wrote:
> This only works through a VPN, and only with "management access inside"
> enabled on the inside interface.
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Miller
> Sent: Saturday, March 3, 2018 12:47 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] SSH through ASA to switch inside

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] SSH through ASA to switch inside
Hi Scott,

Looking through what you have posted, it appears you are trying to accomplish the following:

1) ssh to port 22001-3 for sw1-3, respectively, and have that redirected to port 22, which sshd on your switches is listening on; correct?

One of your object-nats as an example:

  object network SW1
   nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001

Two things need to happen:

Your outside-inbound ACL needs to allow 22001-3 to your switches as opposed to ssh (port 22).

Since you are performing object-NAT against the real switch IP,

  nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001

needs to change to:

  nat (OWNER-INSIDE,outside) static interface service tcp ssh 22001

Remember, for auto/object-nat, if you specify a service, it specifies the service port that your real host is listening on, and in this case the host is behind OWNER-INSIDE.

On a separate note: if you wish your interface order to be where you started:

  nat (outside,OWNER-INSIDE)

you will have to perform twice/manual NAT.

./Randy

From: Scott Miller
To: cisco-nsp@puck.nether.net
Sent: Friday, March 2, 2018 9:47 PM
Subject: [c-nsp] SSH through ASA to switch inside
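The interface-order point in the reply above (the real host has to sit behind the first interface named in an object NAT rule) can be checked with a small model. The following Python is an added illustration, not Cisco code and not anything from the thread; it models only the ASA 8.3+ object-NAT lookup direction, written `nat (real_ifc,mapped_ifc)`, and ignores access lists and routing. The outside interface address is a constructed placeholder (`192.0.2.1`) because the post redacts it; the inside address and the switch objects are the ones from the post. `parse_nat`, `untranslate` and `classify` are names chosen here, not ASA commands.

```python
"""Toy model of how a Cisco ASA (8.3+) applies object NAT by interface
direction.  It shows why the rules as posted, written (outside,OWNER-INSIDE),
never untranslate an SSH session arriving on the outside interface, while the
same rules written (OWNER-INSIDE,outside) do.  Added illustration, not Cisco
code: it models only the NAT lookup, not access lists or routing."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Interface addresses.  10.255.255.253 is from the post; the outside address is
# redacted there ("xx.xx.xx.xx"), so a constructed documentation-range value is used.
IFC_ADDR = {"outside": "192.0.2.1", "OWNER-INSIDE": "10.255.255.253"}


@dataclass(frozen=True)
class ObjectNat:
    """One `object network NAME` with
    `nat (real_ifc,mapped_ifc) static interface service tcp REAL MAPPED`."""
    name: str
    real_ip: str
    real_ifc: str    # interface the ASA expects the real host behind
    mapped_ifc: str  # interface on which the translated address is presented
    real_port: int
    mapped_port: int

    @property
    def mapped_ip(self) -> str:
        # `static interface` PATs the object onto the mapped interface's own address.
        return IFC_ADDR[self.mapped_ifc]


@dataclass(frozen=True)
class Packet:
    ingress_ifc: str
    dst_ip: str
    dst_port: int


def parse_nat(name: str, real_ip: str, line: str) -> ObjectNat:
    """Parse `nat (A,B) static interface service tcp <real> <mapped>`;
    the keyword `ssh` stands for port 22."""
    tokens = line.split()
    real_ifc, mapped_ifc = tokens[1].strip("()").split(",")
    real_port, mapped_port = (22 if t == "ssh" else int(t) for t in tokens[-2:])
    return ObjectNat(name, real_ip, real_ifc, mapped_ifc, real_port, mapped_port)


def untranslate(pkt: Packet, rules: list[ObjectNat]) -> Optional[tuple[str, int]]:
    """Inbound (untranslate) lookup: only a packet arriving on a rule's *mapped*
    interface, addressed to the mapped IP and port, is rewritten to the real
    IP and port.  A packet arriving on the real interface never matches."""
    for r in rules:
        if (pkt.ingress_ifc == r.mapped_ifc
                and pkt.dst_ip == r.mapped_ip
                and pkt.dst_port == r.mapped_port):
            return r.real_ip, r.real_port
    return None


def classify(pkt: Packet, rules: list[ObjectNat]) -> str:
    """Describe what the ASA would do with the packet under this NAT table."""
    hit = untranslate(pkt, rules)
    if hit is not None:
        return f"through-the-box to {hit[0]}:{hit[1]}"
    if pkt.dst_ip in IFC_ADDR.values():
        # No translation and the destination is the firewall's own address:
        # this is handled as to-the-box traffic, so the switch is never reached.
        return "to-the-box"
    return "no translation"


SWITCHES = {"SW1": "10.255.255.252", "SW2": "10.255.255.251", "SW3": "10.255.255.250"}
PORTS = {"SW1": 22001, "SW2": 22002, "SW3": 22003}

# The three rules exactly as posted, and the same rules with the interface order swapped.
AS_POSTED = [parse_nat(n, ip, f"nat (outside,OWNER-INSIDE) static interface service tcp ssh {PORTS[n]}")
             for n, ip in SWITCHES.items()]
CORRECTED = [parse_nat(n, ip, f"nat (OWNER-INSIDE,outside) static interface service tcp ssh {PORTS[n]}")
             for n, ip in SWITCHES.items()]

# A constructed admin session from the Internet to the ASA's outside address, port 22001.
INBOUND_SSH = Packet("outside", IFC_ADDR["outside"], 22001)


if __name__ == "__main__":
    for label, table in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{label:10s} host {table[0].name} assumed behind {table[0].real_ifc}; "
              f"outside->:22001 is {classify(INBOUND_SSH, table)}")
```

Run stand-alone, the model reports that with the rules as posted the ASA treats SW1 as living behind `outside` and a session to outside:22001 stays to-the-box, which is consistent with the `untranslate_hits = 0` counters in the original post; with the order swapped the same session is untranslated to 10.255.255.252:22. The model shows that the rules as posted would only fire for a packet arriving on OWNER-INSIDE addressed to 10.255.255.253:22001. Which port the inbound access list must then name is discussed in the replies and is not modelled here.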
Re: [c-nsp] SSH through ASA to switch inside
Why would you need that? Just so long as the global/outside ports are unique, it should be OK, shouldn't it? Wouldn't the ASA complain about overlapping NATs if it was actually a problem?

On Sat, Mar 3, 2018 at 2:52 PM, Brian Knight wrote:
> You need object-based static NAT/PAT.
>
>   object network SW1
>    nat (OWNER-INSIDE,outside) static interface service tcp 22001 22001
>
> etc.
>
> Reference: https://www.packet6.com/configuring-nat-for-a-public-server-using-same-outside-interface/
>
> -Brian
>
> On Mar 2, 2018, at 11:46 PM, Scott Miller wrote:
Re: [c-nsp] SSH through ASA to switch inside
You need object-based static NAT/PAT.

  object network SW1
   nat (OWNER-INSIDE,outside) static interface service tcp 22001 22001

etc.

Reference: https://www.packet6.com/configuring-nat-for-a-public-server-using-same-outside-interface/

-Brian

On Mar 2, 2018, at 11:46 PM, Scott Miller wrote:
Re: [c-nsp] SSH through ASA to switch inside
Maybe I'm wrong... but this line:

  access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq ssh

is only permitting TCP:22 in. So if you added:

  access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq 22001
  access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq 22002
  access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq 22003

...then you would be allowing those fancy custom SSH ports you added in through the ACL. Then, assuming your NAT config is right, it should work.

I'm curious, what exact command are you running when you do the packet-tracer stuff?

On Fri, Mar 2, 2018 at 11:46 PM, Scott Miller wrote:
Re: [c-nsp] SSH through ASA to switch inside
This only works through a VPN, and only with "management access inside" enabled on the inside interface.

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Miller
Sent: Saturday, March 3, 2018 12:47 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] SSH through ASA to switch inside
[c-nsp] SSH through ASA to switch inside
Good day all, not sure if this is the right list for a question such as this, but my google searching has hit a dead end.

What I'm trying to accomplish is ssh from the outside world, through an ASA, to a switch, for remote access to the switch for maintenance and such.

SSH is enabled on the switch, and that works fine independently while inside.
SSH is enabled on the ASA, locked down to a few source IPs, and that works fine independently.

What I have configured on the ASA is:

Outside interface = outside
Inside interface = OWNER-INSIDE

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface GigabitEthernet1/2
 description INSIDE OWNER UNRESTRICTED ACCESS
 nameif OWNER-INSIDE
 security-level 100
 ip address 10.255.255.253 255.255.255.248
!

object network SW1
 host 10.255.255.252
object network SW2
 host 10.255.255.251
object network SW3
 host 10.255.255.250

object-group network SSH_CLIENTS
 network-object object SW1
 network-object object SW2
 network-object object SW3

object network SW1
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
object network SW2
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22002
object network SW3
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22003

access-list ACL_Outside_to_Inside remark SSH Connections to specific network objects
access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq ssh
access-list ACL_Outside_to_Inside extended deny ip any any

access-group ACL_Outside_to_Inside in interface outside

access-list inside_access_out extended permit ip any any

When I use the ASDM Packet Tracer to test, using the settings, it shows the packet traversing successfully. However, when I ssh to IP port 22001, it times out.

Hit counters on the access-list do not increase (they did once, but not sure where that was in my "testing"):

access-list ACL_Outside_to_Inside line 2 extended permit tcp any object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.250 eq ssh (hitcnt=0) 0x30601a85

Hit counters on the nat policies do not increase:

1 (outside) to (OWNER-INSIDE) source static SW3 interface service tcp ssh 22003
    translate_hits = 0, untranslate_hits = 0
2 (outside) to (OWNER-INSIDE) source static SW2 interface service tcp ssh 22002
    translate_hits = 0, untranslate_hits = 0
3 (outside) to (OWNER-INSIDE) source static SW1 interface service tcp ssh 22001
    translate_hits = 0, untranslate_hits = 0

Might be a bit over my head, trying to config the ASA for a new customer.

Any ideas as to what I might be doing wrong? Or do you need the entire config?

Thanks,
Scott