12-21-2016 09:05 PM - edited 03-12-2019 01:41 AM
Hi Team,
I have an ASA5505 connected to the internet through a WAN modem. The modem assigns a DHCP IP (which is a public IP) to the Eth 0/0 port of the ASA5505. I have configured Eth0/0 with VLAN 1 for outside.
Eth0/1 is configured for VLAN 2 which is for inside, DHCP enabled on it with a range for 10.0.0.0-10.0.0.254 to be assigned to local devices.
I now want to be able to access ASA5505 from the internet (since the IP at the ASA is a public IP).
Can somebody please help me with how to configure the firewall to be accessed through SSH/Telnet?
Moreover, is there
Appreciate your time.
Thanks,
12-21-2016 09:15 PM
On the ASA, SSH/Telnet has to be enabled on the interface "nameif". On the lowest-security-level interface of the ASA, in this case "outside", you can't enable Telnet, only SSH.
The command will be
ssh <IP that you need to allow to SSH> <net-mask> outside
Also, for SSH, generate the general usage key.
12-21-2016 10:21 PM
What if I want to access the ASA from the internet and have no specific IP to specify to enable SSH?
Since I want it to be accessible through the internet, I may be coming from different IP addresses all the time.
What do you suggest?
Thanks,
12-21-2016 10:45 PM
That's tricky... You will need to identify the IP address from which you will be accessing from outside. Else you will have to summarize the network.
Say you have an idea that your IP address falls within a range, e.g. 100.1.1.0/24; you can use
ssh 100.1.1.0 255.255.255.0 outside
or else you will have to use
ssh 0 0 outside
Note: with this anyone can SSH from outside. Need your discretion on this.
Last option: you can use AnyConnect VPN. Please see the link below:
http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118092-configure-asa-00.html
12-22-2016 12:27 AM
ssh 0 0 outside/////Note with this
Do you have any suggestions on making the devices that are connected
Thanks,
12-22-2016 12:52 AM
Yes, you can do that with port translation, but if you have no dedicated public IP address, then for specific services. For example, if you want to RDP to an internal server:
object network 10.1.1.1-obj
 host 10.1.1.1
 nat (inside,outside) static interface service tcp 3389 3389
Also need to apply an access-list on the outside interface:
access-list out permit tcp any host 10.1.1.1 eq 3389
access-group out in interface outside
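The two pieces of advice in this thread (SSH management access restricted to a known source range, and static PAT for one inside service) fit together in a single ASA 8.3+ configuration. The following is an added example written for this page, not configuration posted by any of the participants. It reuses the thread's own values (management range 100.1.1.0/24, inside host 10.1.1.1, TCP/3389); the hostname, domain name, username, object and ACL names are assumptions, and the password is a placeholder to be replaced.

```cisco
! --- Management access over SSH on the outside interface (ASA 8.3+) ---
! hostname and domain-name are required before an RSA key pair can be generated
hostname asa5505
domain-name example.local
! General-usage RSA key for SSH (the "general usage key" from the reply above)
crypto key generate rsa general-keys modulus 2048
! Local admin account; placeholder password, set your own before applying
username admin password CHANGE-ME-strong-passphrase privilege 15
aaa authentication ssh console LOCAL
! Permit SSH only from the known management range instead of "ssh 0 0 outside"
ssh 100.1.1.0 255.255.255.0 outside
ssh version 2
ssh timeout 10

! --- Static PAT: publish TCP/3389 of inside host 10.1.1.1 on the outside interface IP ---
object network host-10.1.1.1
 host 10.1.1.1
 nat (inside,outside) static interface service tcp 3389 3389
! On 8.3+ the ACL references the real (inside) address; the source is narrowed to the
! same management range rather than "any" so the RDP port is not reachable from everywhere
access-list outside_in extended permit tcp 100.1.1.0 255.255.255.0 host 10.1.1.1 eq 3389
access-group outside_in in interface outside
```

If the source range really cannot be predicted, the AnyConnect VPN option mentioned earlier keeps both SSH and RDP off the public interface entirely: the VPN terminates on outside, and management and RDP are then reached over the tunnel from the VPN pool addresses.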
12-21-2016 09:29 PM
Hello,
For management access (ssh,telnet,asdm), please follow below link:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_management.html
As already mentioned by Pranay, Telnet won't work from the interface with the lowest security level, which would be your outside interface in this case.
Now, for the second requirement, what you need is static PAT so that you can access internal servers on specific ports from outside.
You have not mentioned the ASA version. Assuming that it's 8.3 onwards, the link below shows an example of such a requirement:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html#anc12
Let me know if you are running version 8.2 and I can provide an example for that as well.
HTH
-
AJ