enabling SSH/Telnet Access at ASA5505 from outside

abbas.haider
Level 1

Hi Team,

I have an ASA5505 connected to the internet through a WAN modem. The modem assigns a DHCP IP (which is a public IP) to the Eth 0/0 port of the ASA5505. I have configured Eth0/0 with VLAN 1 for outside, with DHCP enabled so it gets the IP from the modem.

Eth0/1 is configured for VLAN 2, which is for inside, with DHCP enabled on it and a range of 10.0.0.0-10.0.0.254 to be assigned to local devices.

I now want to be able to access ASA5505 from the internet (since the IP at the ASA is a public IP). 

Can somebody please help me with how to configure the firewall to be accessed through SSH/Telnet?

Moreover, is there any way that I can assign port numbers to the devices connected to the ASA on the LAN and access them from the internet using the ASA's public IP, specifying the port number that I have assigned to that device?

Appreciate your time.

Thanks,

6 Replies

Pranay Prasoon
Level 3

On the ASA, SSH/Telnet has to be enabled per interface "nameif". On the lowest security level interface on the ASA, in this case "outside", you can't enable Telnet, only SSH.

The command will be

ssh <IP that you need to allow to SSH> <net-mask> outside

Also, for SSH, generate the general-usage key.

Thanks Pranay. 

What if I want to access the ASA from the internet and have no specific IP to specify to enable SSH? 

Since I want it to be accessible through the internet, I may be coming from different IP addresses all the time.

What do you suggest?

Thanks,

That's tricky.... You will need to identify the IP address from which you will be accessing from outside. Otherwise you will have to summarize the network.

Say you have an idea that your IP address falls within the range 100.1.1.0/24; then you can use

ssh 100.1.1.0 255.255.255.0 outside

or else you will have to use

ssh 0 0 outside

Note: with this, anyone can SSH from outside. This needs your discretion.

Last option: you can use AnyConnect VPN. Please see the link below:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118092-configure-asa-00.html
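A complete SSH management-access configuration for the setup described in this thread, as an added example that is not part of either poster's answer or of the linked Cisco document. It assumes ASA 8.3 or later syntax, interface names "outside" and "inside" (the thread does not state the nameif values), a local administrator account, and the documentation range 203.0.113.0/24 standing in for the administrator's real source network; the "anyone" option Pranay warned about is shown commented out.

```cisco
! Added example (ASA 8.3+ syntax); hostnames, addresses and the user are placeholders.
hostname asa5505
domain-name example.local
! An RSA key pair must exist before the ASA will accept SSH connections.
crypto key generate rsa modulus 2048
! Authenticate SSH logins against the local user database.
username admin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
! SSHv2 only; idle sessions are closed after 10 minutes.
ssh version 2
ssh timeout 10
! Permit SSH on the outside interface only from the administrator's network
! (203.0.113.0/24 is an assumed example range).
ssh 203.0.113.0 255.255.255.0 outside
! If the administrator's source address cannot be predicted at all, the only
! remaining option is to open SSH to the whole Internet. Pranay's warning applies:
! every host on the Internet can then attempt to log in.
! ssh 0.0.0.0 0.0.0.0 outside
! Telnet is not permitted on the lowest-security interface, so there is no
! "telnet ... outside" line. From the inside LAN (assumed nameif "inside",
! 10.0.0.0/24 as in the question) it can still be allowed:
telnet 10.0.0.0 255.255.255.0 inside
```

After applying this, `show running-config ssh` confirms the allowed sources and `show ssh sessions` shows who is connected. If the "0.0.0.0 0.0.0.0" line has to be used, the local account password is the only thing standing between the Internet and the firewall CLI, so it needs to be long and unique; the AnyConnect VPN option mentioned above avoids exposing the management plane at all.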

Thanks Pranay. I guess I will use

ssh 0 0 outside (Note: with this, anyone can SSH from outside. Needs your discretion.)

Do you have any suggestions on making the devices connected to the LAN behind the firewall accessible through the public IP of the firewall, assigning them some port number and accessing them that way? I am sorry I am taking your time, but I am stuck in this situation.

Thanks,

Yes, you can do that with port translation, but if you have no dedicated public IP address, then only for specific services. For example, if you want to RDP to an internal server:

object network 10.1.1.1-obj
 host 10.1.1.1
 ! static PAT: outside interface IP, TCP 3389 -> 10.1.1.1:3389
 nat (inside,outside) static interface service tcp 3389 3389

You also need to apply an access-list on the outside interface:

! the ACL references the real (inside) address and port
access-list out extended permit tcp any host 10.1.1.1 eq 3389
access-group out in interface outside

Ajay Saini
Level 7

Hello,

For management access (SSH, Telnet, ASDM), please follow the link below:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_management.html

As already mentioned by Pranay, Telnet won't work from the interface with the lowest security level, which would be your outside interface in this case.

Now, for the second requirement, what you need is static PAT so that you can access internal servers on specific ports from outside:

You have not mentioned the ASA version. Assuming that it's 8.3 onwards, the link below shows an example of such a requirement:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html#anc12

Let me know if you are running version 8.2 and I can provide an example for that as well.

HTH

-

AJ
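A worked static PAT configuration covering both the RDP example in Pranay's reply and the 8.2-versus-8.3 distinction Ajay raises, as an added example that is not part of either answer or of the linked Cisco documents. It assumes interface names "inside" and "outside", inside hosts 10.0.0.10 and 10.0.0.20 in the questioner's 10.0.0.0/24 LAN, and that SSH management on the outside interface is already enabled, so outside TCP port 22 belongs to the ASA itself and a forwarded SSH service has to use a different outside port.

```cisco
! Added example; interface names and inside host addresses are assumptions.

! --- ASA 8.3 and later: object NAT, static PAT on the outside interface address ---
! RDP to 10.0.0.10: outside port 3389 -> inside 10.0.0.10:3389
object network rdp-server
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 3389 3389
! SSH to 10.0.0.20: outside port 2222 -> inside 10.0.0.20:22.
! Port 22 on the outside interface is used by the ASA's own SSH management
! listener once "ssh ... outside" is configured, so a different mapped port
! is chosen. Syntax: service tcp <real_port> <mapped_port>.
object network ssh-host
 host 10.0.0.20
 nat (inside,outside) static interface service tcp 22 2222
! From 8.3 on, the inbound ACL matches the REAL (untranslated) address and port.
access-list outside_in extended permit tcp any host 10.0.0.10 eq 3389
access-list outside_in extended permit tcp any host 10.0.0.20 eq 22
access-group outside_in in interface outside

! --- ASA 8.2 and earlier: the same forwards with "static"; the ACL matches
! --- the MAPPED (outside) address and port instead.
! static (inside,outside) tcp interface 3389 10.0.0.10 3389 netmask 255.255.255.255
! static (inside,outside) tcp interface 2222 10.0.0.20 22 netmask 255.255.255.255
! access-list outside_in extended permit tcp any interface outside eq 3389
! access-list outside_in extended permit tcp any interface outside eq 2222
! access-group outside_in in interface outside
```

The "interface" keyword makes the translation follow whatever address DHCP currently hands the outside interface, so the forwards keep working when the modem reassigns it; remote users still need a way to learn the current address, such as a dynamic DNS name. To check a rule before exposing the host, run `packet-tracer input outside tcp 198.51.100.5 12345 <current-outside-ip> 2222` and confirm the NAT and ACL phases both allow the flow, then `show nat` and `show xlate` to see the translations in use. Each forwarded port is reachable from the entire Internet unless the ACL is narrowed from "any" to the client networks that actually need it.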
