How to access ASA 5500 via SSH from internet to inside interface

parthiban chinnaya · ‎03-10-2011

Hi,

Network scenario

site 1 ----->administrator------->Lan--------------->Wan Router----------------------------------------------------->Site 2---Wan Router---------->ASA5500--------->Lan -----------Users.

administrator wants to manage ASA 5500 using inside interface.{telnet or ssh].

Allowed telnet and ssh in ASA 5500 but unable to get access from administrator PC....

Is there a way to do it without enabling NAT on the ASA?

Will a specific rule on ASA allow adminstrator to access ASA 5500 inside interface via ssh or telnet?

Federico Coto Fajardo · ‎03-10-2011

Hi,

There's no way to access the ASA inside interface from the outside unless having a VPN tunnel that terminates on the ASA itself.

If you have a VPN tunnel terminating on the inside and enabling the command management-access inside, then you can SSH/telnet to the ASA's inside IP from the outside.

Hope it helps.

Federico.

bassono_t · ‎03-11-2011

Hi there,

Is there a reason u want access originating from outside to go straight to the inside IP. By nature, ASA wouldn't allow a connexion from outside interface to terminate on an inside IP as if the traffic originated from the inside (That's nothing else than spoofing in a firewall perspective).

Here is what u can do:

1) The simplest way to go by this is to allow ssh access to the outside IP by configuring and ACL permitting the originating IP and apply it outbound on the outside.

2) Else you can first ssh or telnet in a device on the inside and from that device you ssh or telnet back to the inside IP of ur ASA. In that case that inside device becomes the originator of ur ssh/telnet session

3)Finally u can to a remonte connexion (RDC) to an inside host and from that host u then ssh to ur firewall inside IP.

HTH