12-03-2018 10:08 AM - edited 02-21-2020 08:32 AM
I'm using ASA 5506-X. I have an external network, whose computers need to SSH into the ASA. To do this I configured:
ssh x.x.x.x x.x.x.x outside
Where x.x.x.x x.x.x.x is the external address range of the outside network somewhere else in the world.
With this config, I think the outside interface will then allow connections with the above range coming from the internet (i.e. no VPN needed for SSH). But, please correct me if I'm wrong.
Then, to be able to have the SSH reach the inside interfaces also, I simply add the config:
management-access inside
Finally, there is a mysterious config from a previous administrator. It uses a private-address on the outside interface:
ssh 10.x.x.x x. 255.255.252.0 outside
What is the purpose of allowing SSH on an outside interface for a private address? Why was that config likely put on the device?
12-04-2018 03:11 PM
Full config for SSH to the ASA on the outside interface:
username admin password cisco priv 15
aaa authentication ssh console LOCAL
ssh 172.27.1.5 255.255.255.255 outside - this is your source network
crypto key generate rsa modulus 1024
sh ssh sessions - see who is connected
Regarding the private address on the outside: this can be used if the interface is connected to a corporate network that had that network as the source.
Please accept as solution if it was so :)
regards, mk
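As an added illustration (not part of the thread and not Cisco's code), the following script audits the SSH access lines of an ASA running-config excerpt the way a reviewer of this thread would: it parses each `ssh <source> <mask> <interface>` line, flags an any-source or overly wide source network, flags an RFC1918 source permitted on the outside interface (which, as the thread concludes, usually means the source is expected to arrive through a VPN tunnel rather than from the internet), and checks that `aaa authentication ssh console` and a privilege-15 user exist. The config text, the `audit_ssh_access` function and the `widest_prefix` threshold are constructed for this example.

```python
import ipaddress
import re

# Constructed sample running-config excerpt; hostname, addresses and user are made up.
SAMPLE_CONFIG = """\
hostname asa-lab
aaa authentication ssh console LOCAL
username admin password ***** privilege 15
ssh 203.0.113.0 255.255.255.0 outside
ssh 10.20.0.0 255.255.252.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
management-access inside
"""

# ASA syntax: ssh <source-ip> <netmask> <interface-name>
SSH_RULE_RE = re.compile(
    r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)

# RFC1918 ranges, checked explicitly rather than via ipaddress.is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_ssh_rules(config):
    """Return a list of (source_network, interface) tuples from ssh lines."""
    rules = []
    for line in config.splitlines():
        m = SSH_RULE_RE.match(line.strip())
        if m:
            # ipaddress accepts a dotted netmask after the slash.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            rules.append((net, m.group(3)))
    return rules


def is_rfc1918(net):
    return any(net.subnet_of(private) for private in RFC1918)


def audit_ssh_access(config, widest_prefix=24):
    """Return a list of finding strings; an empty list means nothing to report."""
    findings = []
    rules = parse_ssh_rules(config)
    if not rules:
        findings.append("NO_SSH_RULES: no 'ssh <net> <mask> <if>' lines, SSH is not reachable")
    for net, iface in rules:
        if net.prefixlen == 0:
            findings.append(f"ANY_SOURCE: {iface} allows SSH from any address")
        elif net.prefixlen < widest_prefix:
            findings.append(
                f"WIDE_SOURCE: {iface} allows SSH from {net} (wider than /{widest_prefix})"
            )
        if iface == "outside" and is_rfc1918(net):
            findings.append(
                f"PRIVATE_ON_OUTSIDE: {net} permitted on outside; expect it to arrive "
                "via a VPN tunnel, confirm it is referenced by the crypto map or object-group"
            )
    if not re.search(r"^aaa authentication ssh console\s+\S+", config, re.M):
        findings.append("NO_AAA: 'aaa authentication ssh console' missing, SSH logins will fail")
    if not re.search(r"^username \S+ .*priv(?:ilege)? 15", config, re.M):
        findings.append("NO_ADMIN_USER: no privilege-15 local user for SSH login")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_access(SAMPLE_CONFIG):
        print(finding)
```

Paste the output of `show running-config` in place of the sample and run it; the RSA key pair cannot be checked from the running-config, so verify it separately with `show crypto key mypubkey rsa`.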
12-03-2018 11:12 AM - edited 12-03-2018 11:14 AM
Try this
aaa authentication ssh console LOCAL
!
username admin password Cisco priv 15
!
ssh x.x.x.x x.x.x.x outside
In regards to the outside interface with RFC1918, it doesn't make sense.
Might be he didn't know what he was doing.
12-05-2018 08:37 AM
I see in the object-group configs there is a network object group that includes the private address referenced in ssh as the RFC1918 address. This object-group is mapped to the device by an IPsec VPN tunnel.
So I suppose this would allow SSH on inside devices to go through the tunnel instead of through the unprotected internet.