Accessing Cisco 9200 via SSH using Firepower 1010 in ASA mode

OGWAN
Level 1

I have a Cisco 9200 configured with IP 192.168.1.2 on Gi1/0/48 in VLAN 101 and a default gateway configured as 192.168.1.1. On my ASA I have an outside interface 10.10.10.2/29 and an inside interface configured as 192.168.1.1. I can access the switch internally, but I cannot access the switch via SSH through the Firepower 1010 configured in ASA mode. I have tried multiple ACLs and NATs to no avail. I do not know what I am missing. Please advise. Thank you.

5 Replies

IOS XE sometimes does not use the well-known SSH port 22.

So if you use an ACP with port 22, that may drop SSH.

Try using an ACP without specifying a port.

You can also capture traffic on the FW interface to see whether the port used by the SW is 22 or another port.

MHM

johnlloyd_13
Level 9

Hi,

You'll need to configure inter-VLAN routing, identity NAT and an ACL to permit SSH on your ASA. See the link below.

Just think of the DMZ in the example as your "outside" zone with a lower security level.

https://ccnpsecuritywannabe.blogspot.com/2018/06/configuring-inter-vlan-routing-on-cisco.html

Thank you for the feedback. I tried your suggestions, but I still cannot see the Cisco switch from outside the ASA. Maybe I am missing a setting in the ASA? I have my Exchange and web servers working flawlessly, but not the switch. Please advise.

balaji.bandi
Hall of Fame

OK, so you are trying an outside-to-inside traffic flow.

Do you have NAT in place for that outside IP, or is this NAT-exempted?

Does the 10.10.10.X network know how to reach the 192.168.1.X network?

Open Live Logs, try connecting to the device, and see whether the IP is able to pass through the firewall.

You can also run a continuous ping to the switch and watch the Live Logs on the ASA to confirm whether it is passing the traffic.

You can also look at the switch logs to see whether any request is coming in (show logging), or you can enable debug.

BB


I am not clear about the topology that you are using. You tell us "I cannot access the switch via SSH through the Firepower 1010 configured in ASA mode". So are you initiating SSH from a device outside and expecting the ASA to forward that request to the switch? In that case we need more information about the NAT configured on the ASA.

In particular, we need to understand whether you are using dynamic NAT and whether you are also using static NAT.

If a device inside attempts access to a resource outside, dynamic NAT will create an entry that allows the response to be translated and forwarded to the inside device. But for a device outside to access a device inside, it requires a static NAT for the inside device.

HTH

Rick
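The configuration below is an added example, not from any reply in this thread and not the poster's actual config. It puts Rick's point (an outside-initiated connection needs a static NAT for the inside host, not a dynamic one) and Balaji's verification steps into concrete commands. It assumes the addressing given in the question (switch 192.168.1.2 on the inside, ASA outside interface 10.10.10.2/29, ASA inside 192.168.1.1), a hypothetical management source network 203.0.113.0/24, ASA 8.3+ NAT syntax, and the object and ACL names shown, all of which are made up for the example. Because the outside /29 leaves no spare public IP, it uses a static port translation on the outside interface address (outside TCP 2222 to 192.168.1.2:22); in ASA mode the "ACP" of FTD corresponds to the access-list applied with access-group.

```cisco
! Added example, not part of the original thread. Assumed names:
! SW-9200, MGMT-SRC, OUTSIDE-IN, VTY-MGMT and source 203.0.113.0/24.
!
! --- ASA (Firepower 1010 in ASA mode) ---
! 1. Real (inside) address of the switch, plus the static translation.
!    Static, not dynamic, NAT is what allows an outside host to initiate.
!    Outside interface IP, TCP 2222 -> 192.168.1.2 TCP 22. A non-standard
!    outside port avoids colliding with SSH management of the ASA itself.
object network SW-9200
 host 192.168.1.2
 description Catalyst 9200 management SVI (VLAN 101)
 nat (inside,outside) static interface service tcp 22 2222
!
! 2. Restrict who may reach the switch from outside.
object-group network MGMT-SRC
 network-object 203.0.113.0 255.255.255.0
!
! 3. Inbound ACL. On ASA 8.3+ the ACL matches the REAL (untranslated)
!    destination, i.e. 192.168.1.2 port 22, not 10.10.10.2 port 2222.
access-list OUTSIDE-IN extended permit tcp object-group MGMT-SRC object SW-9200 eq 22
access-group OUTSIDE-IN in interface outside
!
! 4. Verify without a client: simulate the inbound SYN through the full
!    path (ACL, NAT, route lookup). Every phase should report ALLOW.
packet-tracer input outside tcp 203.0.113.10 40000 10.10.10.2 2222 detailed
show nat detail
show xlate
show logging | include 192.168.1.2
!
! --- Catalyst 9200 ---
! The ASA does not rewrite the source address, so the switch sees
! 203.0.113.10 and must route the reply via its default gateway
! 192.168.1.1 (the ASA inside interface). A VTY access-class that
! only permits the LAN would silently refuse the session.
ip ssh version 2
ip access-list standard VTY-MGMT
 permit 192.168.1.0 0.0.0.255
 permit 203.0.113.0 0.0.0.255
line vty 0 15
 access-class VTY-MGMT in
 transport input ssh
!
! While testing from outside, confirm the SYN actually arrives:
show logging | include SSH
```

If packet-tracer shows DROP in the NAT phase, the static entry is missing or is shadowed by an earlier manual NAT rule (check show nat ordering); a DROP in the ACL phase usually means the rule was written against the translated address and port instead of the real ones. If the ASA reports ALLOW but the switch log shows nothing, the problem is the return path or the switch's own VTY filtering, not the firewall.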