

How to connect to router with ssh from outside

I want to transfer data from data logging ( and connecting to R1 ( from the outside

This is my ASA configuration. Please advise.


ASA Version 9.12(2)
hostname Firewall-ASA
no mac-address auto
ip local pool L2TP-Pool
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address
interface Management0/0
nameif management
security-level 100
ip address
boot system disk0:/asa9-12-2-smp-k8.bin
ftp mode passive
object network PPTP-Router
description outsource router C892
object network DATA-logging
description access to data logging
nat (inside,outside) source static interface
object network inside-obj
object network L2TP-Subnet
access-list Filter-Route standard permit
access-list outside_access_in extended permit tcp any object PPTP-Server eq ssh
access-list outside_access_in extended permit udp any object PPTP-Server eq isakmp
access-list outside_access_in extended permit udp any object PPTP-Server eq 4500
access-list outside_access_in extended permit esp any object PPTP-Server
access-list outside_access_in extended permit ah any object PPTP-Server
access-list outside_access_in extended permit tcp any object DATA-logging eq 7788
nat (inside,outside) source static PPTP-Server PPTP-Server
nat (inside,outside) source dynamic inside-obj interface
nat (outside,inside) source static L2TP-Subnet L2TP-Subnet destination static inside-obj inside-obj no-proxy-arp
access-group outside_access_in in interface outside
route-map Filter-Route permit 10
match ip address Filter-Route
route outside 1
route inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 1344
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
crypto map L2TP-VPN-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh inside
ssh timeout 30
ssh version 1 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
enable outside
max-age 31536000
no preload
no error-recovery disable
group-policy L2TP-Policy internal
group-policy L2TP-Policy attributes
dns-server value
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel-ACL
intercept-dhcp enable
dynamic-access-policy-record DfltAccessPolicy
tunnel-group DefaultRAGroup general-attributes
address-pool L2TP-Pool
default-group-policy L2TP-Policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key ****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp
inspect ipsec-pass-thru
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous


Hi, Could you clarify what it is you are trying to achieve?

If it is just accessing SSH on the router from outside, you could try;


object network internal router
description access to router via ssh
nat (inside,outside) source static interface service tcp 22 22

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.
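
Added example, not part of the original thread and not a Cisco tool: a small Python check that scans an ASA configuration for the settings in the posted configuration that matter most once SSH is opened to the outside (SSH version 1, `dh-group1-sha1`, Telnet login, 3DES and DH group 2 for IKEv1, and an ACL permitting SSH from `any`). The rule list, the function name `audit` and the sample input are assumptions constructed from the lines shown in the question.

```python
import re

# Constructed sample: lines taken from the ASA configuration posted in this thread.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any object PPTP-Server eq ssh
access-list outside_access_in extended permit tcp any object DATA-logging eq 7788
aaa authentication telnet console LOCAL
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
ssh version 1 2
ssh key-exchange group dh-group1-sha1
"""

# (pattern, finding) pairs matched against one stripped configuration line.
RULES = [
    (r"^ssh version .*\b1\b", "SSH protocol version 1 is enabled"),
    (r"^ssh key-exchange group dh-group1-sha1$", "SSH key exchange uses a 1024-bit DH group"),
    (r"^aaa authentication telnet console", "Telnet management login is configured"),
    (r"^access-list \S+ extended permit tcp any .* eq (ssh|22)$",
     "SSH is permitted from any source address"),
]
# Rules that only apply to sub-commands of a "crypto ikev1 policy" block.
IKE_RULES = [
    (r"^encryption (des|3des)$", "IKEv1 policy uses DES/3DES"),
    (r"^group (1|2|5)$", "IKEv1 policy uses a DH group of 1536 bits or less"),
]
# The posted config is flattened (no indentation), so block membership is
# inferred from the sub-command keyword instead of leading whitespace.
IKE_SUBCMD = re.compile(r"(authentication|encryption|hash|group|lifetime) ")

def audit(config):
    """Return (line_number, line, finding) for each weak setting found."""
    findings, in_ike = [], False
    for num, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line.startswith("crypto ikev1 policy"):
            in_ike = True
            continue
        in_ike = in_ike and bool(IKE_SUBCMD.match(line))
        for pattern, finding in RULES + (IKE_RULES if in_ike else []):
            if re.search(pattern, line):
                findings.append((num, line, finding))
    return findings

if __name__ == "__main__":
    for num, line, finding in audit(SAMPLE_CONFIG):
        print(f"line {num}: {finding}: {line}")
```

Run against the sample, it flags the SSH-from-any ACL entry, the Telnet login line, the 3DES and group 2 lines of the IKEv1 policy, and both `ssh` lines; the port 7788 entry is not flagged because the rules only cover the management and VPN settings.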