03-27-2019 06:45 PM
Let's say you have one network 192.168.10.0 in one location and another 192.168.10.0 in another location. See attached lab drawing (disregard the 172. and pretend it is 192.). Just how would you configure the ASAs to allow SSH from hosts on the left side 192.168 to a server on the right side 192.168 network?
Port forwarding?
Can this be done without building a VPN between the two sites?
03-27-2019 08:10 PM
Hi,
If it is only port forwarding then it is very easy. You have a unique WAN IP at both locations, and when you try to SSH to the remote site you will actually connect to the other side's WAN (outside) IP, so your internal system will not be aware of the remote system's IP subnet. It will only communicate with the remote ASA's outside (WAN) IP. So you will not face any issue.
Regards,
Deepak Kumar
03-28-2019 03:16 AM - edited 03-28-2019 03:49 AM
Hello
@CiscoBrownBelt wrote:
Just how would you configure the ASAs to allow SSH from hosts on the left side 192.168 to a server on the right side 192.168 network?
Port forwarding?
Can this be done without building a VPN between the two sites?
Yes, it can be built without a VPN. Each ASA will see a request coming in from their respective NATted inside/outside local/global addressing:
192.168.10.0/24 > 10.10.10.0/24 > 20.20.20.0/24 > 192.168.10.0/24
inside local      inside global   outside global  outside local
192.168.10.0/24 < 10.10.10.0/24 < 20.20.20.0/24 < 192.168.10.0/24
outside local     outside global  inside global   inside local
03-28-2019 06:45 AM
03-28-2019 07:15 AM
Can we clarify where the SSH request is coming from? If the SSH request is originated from a host and the target is in the same LAN (same subnet) then it is easy to see that the source ARPs for the destination, sends the SSH request, and it works. But if the SSH request is originated from outside then we run into a fundamental security aspect of the ASA. For an external source to originate traffic to a resource on an inside interface the ASA must have a static NAT configured. Once the ASA has the static NAT then the source device must use the public IP used by the ASA for the translation.
HTH
Rick
03-28-2019 07:20 AM
Let me try a slightly different way to address this part of the question
"But how will the ASA know which 192.168 you are trying to send data to, ping, ssh to"
If there is any request (ping, SSH, etc.) to a 192.168 address it will inherently go to the local subnet. If you want to originate ping, SSH, etc. to the remote 192.168 then you must know and must use the public IP that the remote ASA used in its static NAT configuration.
HTH
Rick
03-28-2019 07:52 AM
03-28-2019 08:18 AM
It depends on how the ASA was configured for the address translation. The ASA could be set up to do a simple IP to IP translation (anything received for public IP A is translated into private IP B). In which case you probably did not want to use the ASA public interface IP as the translate. Or it could have been set up for port forwarding (anything received for public IP A port tcp 22 is translated to private IP B tcp 22).
Most of us are more used to thinking about address translation for outgoing traffic. In that case many inside addresses can be translated using a single public IP (like the ASA outside interface IP) and it is a dynamic translation. But translation for incoming traffic is different. If an external source is to originate traffic to an internal private address then there needs to be a one to one translation and it is a static translation.
Perhaps it might help to think about how the translation table for the ASA works. If an inside host initiates traffic to some destination outside, then the ASA dynamic translation creates an entry in the translate table that private IP B uses public IP A port X. Then when the outside device sends traffic to the ASA for public IP A port X the ASA knows which private address to use. But if a host in the left LAN wants to initiate SSH to a host in the right LAN its packet will get to the right ASA and it will look into its translate table for what private address to use. The only way it will find an entry is if the ASA has a static translation for that right side host.
HTH
Rick
03-28-2019 06:27 PM
03-28-2019 07:31 PM
Mostly right. I want to be very careful about this part of what you said
"public ip address of ASA:port#"
It is a public IP address used by the ASA. But it is probably not the address of the ASA interface. I tried to clarify this point when I talked about differences between dynamic translation (which typically does use the ASA interface address) and static translation (which typically uses a public IP for each inside host who needs to be accessed from outside - and typically does not use the ASA interface address).
HTH
Rick
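To make the static-versus-dynamic translation point from the two posts above concrete, here is an added ASA 8.3+ configuration example for the thread's topology. It is not from any poster; all addresses are constructed (left ASA outside 10.10.10.1, right ASA outside 20.20.20.1, right-side SSH server 192.168.10.50, and a dedicated public IP 20.20.20.22 for the static translation rather than the interface address).

```cisco
! Added example (not from the thread): ASA 8.3+ config for the scenario above.
! Assumed/constructed addresses:
!   left ASA outside = 10.10.10.1, right ASA outside = 20.20.20.1
!   right-side SSH server = 192.168.10.50 (real, inside address)
!   dedicated public IP for the static translation = 20.20.20.22
!
! ---- Right-side ASA (hosts the SSH server) ----
object network SSH-SERVER
 host 192.168.10.50
 description real (inside) address of the SSH server
object network SSH-SERVER-PUBLIC
 host 20.20.20.22
 description public IP used only for this static translation
object network LEFT-SITE-OUTSIDE
 host 10.10.10.1
 description the left ASA's outside IP that left-side hosts are PATed to
!
! Static translation limited to tcp/22 (port forwarding):
! outside-initiated packets for 20.20.20.22:22 map to 192.168.10.50:22.
object network SSH-SERVER
 nat (inside,outside) static SSH-SERVER-PUBLIC service tcp 22 22
!
! Inbound ACL: on 8.3+ the ACL references the REAL address, not the mapped one.
! Only the left site's public IP may reach the server, and only on tcp/22.
access-list OUTSIDE_IN extended permit tcp object LEFT-SITE-OUTSIDE object SSH-SERVER eq 22
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! ---- Left-side ASA (where the SSH client sits) ----
! Dynamic PAT: left-side 192.168.10.0/24 leaves as 10.10.10.1, so the right ASA
! never sees the overlapping 192.168.10.x source address.
object network LEFT-LAN
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! ---- Verification on the right ASA ----
! Simulate the inbound SSH SYN; the output should show the NAT hit and ALLOW.
! packet-tracer input outside tcp 10.10.10.1 40000 20.20.20.22 22
! show nat detail
! show xlate
```

The left-side client connects to 20.20.20.22, never to 192.168.10.50, which is the point Rick makes above; restricting the ACL to the peer's public IP keeps the forwarded port from being reachable from the whole Internet.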