SSH to an internal Router through 5508-X GE02

fbeye
Level 4

Hello

 

I was both curious for the sake of knowledge but also because I have no available Interfaces to connect my 891f to to SSH into from the Internet.

 

The GE Interface on my 5508-X is 192.168.1.1 and is enabled for ASDM connectivity.

I connected it to an 891f and from the 891f I can ping the 192.168.1.1 on the 5508, I can ping 192.168.1.2 (891f WAN), 192.168.8.1 (Vlan Interface) and 192.168.8.2 (Laptop connected to FE0 on the 891. The Laptop can also ping to the 891 as well as the GE02 on the 5508.

 

Long story short is the routes and connectivity seems correct but I am having troubling pinging the Internet. Is the GE2 (ASDM) straight up incapable of seeing the Internet for security reasons or am I just not allowing it correctly .Essentially I want to connect to the 891f Route SSH (192.168.1.2) through my 5508-X WAN.

2 Accepted Solutions

Hi,

 

Do you have management-only defined under interface 1/2? If yes, then this interface cannot be used for data traffic. If you want to enable it for data + management, then remove the management-only command from e1/2.

 

For SSH, I set it up with port 20000 for SSH from outside, so you will connect not on port 22 but on 2000.

 

object network obj_192.168.1.2
host 192.168.1.2
nat (inside,outside) static interface service tcp ssh 20000

Further, you also need to allow it in the access-list:

 

hostname(config)# access-list OUTSIDE extended permit tcp any host 192.168.1.2 eq 20000
hostname(config)# access-group OUTSIDE in interface outside


Hi

 

You are correct with the first statement: the entry below will allow you to have Internet access from the inside subnet, mapped to the outside interface address. But for incoming SSH traffic, permitting it in the access-list will not be enough, as the access-list will just allow the traffic to reach the outside interface on port 2000; to translate this address to the internal address, a NAT entry is required.

 

-- To allow Internet from inside to outside, with translation to the outside interface IP address

object network INSIDE_NETWORK
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface

 

--To allow SSH from outside

object network obj_192.168.1.2
host 192.168.1.2
nat (inside,outside) static interface service tcp ssh 2000

 

 

And yes, you are spot on with this statement: "Am I safe to say that I need the second entry for NAT to actually tell incoming SSH connections to go to 192.168.1.2, whereas the access-list is the actual permission, and that the first NAT simply allows the subnet of 192.168.1.0 access to the outside (internet)."


26 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

 

For ICMP/ping from inside to the Internet, you have to allow ICMP traffic from the outside interface. I believe your Internet is working fine, right, and you just cannot ping the Internet?

 

The ASA's default behavior is to allow traffic from a high security level interface like inside (security level = 100 by default) to a low security level interface like outside (security-level = 0 by default). By default, ICMP traffic is not inspected and its session details are not kept. By contrast, the ASA inspects HTTP traffic, which allows traffic from inside to outside and the return traffic from outside to inside (traffic of the same connection).

 

Since ICMP is not inspected, its return traffic is not allowed; we can configure an access-list and apply it to the outside interface.

 

hostname(config)# access-list OUTSIDE extended permit icmp any any echo-reply
hostname(config)# access-group OUTSIDE in interface outside

 

For SSH, you want to allow SSH from the ASA outside (public IP?) to the inside router, right?
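As an added illustration (not Cisco code and not from any post in this thread), the Python model below walks through the two points made in this reply and in the accepted solution above: the inside subnet has no usable Internet path until a dynamic NAT rule maps it to the outside interface address, and an ICMP echo-reply only gets back in when ICMP is inspected or an echo-reply ACL is applied on outside. The addresses 203.0.113.5 and 198.51.100.7 are assumed placeholder values.

```python
"""Constructed model of the ASA behaviour discussed above (not Cisco code):
dynamic interface PAT for the inside subnet, the stateful connection table, and
why ICMP echo-replies need either "inspect icmp" or an echo-reply ACL on outside."""
from dataclasses import dataclass, field

OUTSIDE_IP = "203.0.113.5"      # assumed public address of GigabitEthernet1/1 (outside)
INSIDE_PREFIX = "192.168.1."    # 192.168.1.0/24 on GigabitEthernet1/2 (inside)


def is_private(ip):
    return ip.startswith("192.168.") or ip.startswith("10.")


@dataclass
class Asa:
    pat_inside: bool = False    # "nat (inside,outside) dynamic interface" for INSIDE_NETWORK
    inspect_icmp: bool = False  # "inspect icmp" under class inspection_default
    outside_acl: list = field(default_factory=list)  # e.g. ["icmp any any echo-reply"]
    xlates: dict = field(default_factory=dict)       # (proto, remote) -> real inside source
    conns: set = field(default_factory=set)          # tracked flows: (proto, remote)

    def outbound(self, proto, src, dst):
        """Inside-to-outside packet. Returns the source address the Internet sees."""
        if not (src.startswith(INSIDE_PREFIX) and self.pat_inside):
            return src              # no NAT rule: the packet leaves with its private source
        self.xlates[(proto, dst)] = src
        # TCP/UDP connections are always tracked; ICMP only when it is inspected
        if proto != "icmp" or self.inspect_icmp:
            self.conns.add((proto, dst))
        return OUTSIDE_IP

    def inbound(self, proto, src, dst, icmp_type=None):
        """Packet arriving on outside. Returns the inside destination, or None if dropped."""
        if dst != OUTSIDE_IP:
            return None             # nobody behind this ASA owns that address
        real = self.xlates.get((proto, src))
        if real is None:
            return None             # no translation to undo: cannot be delivered inside
        if (proto, src) in self.conns:
            return real             # return traffic of a tracked connection: no ACL needed
        rule = f"{proto} any any {icmp_type}" if icmp_type else f"{proto} any any"
        return real if rule in self.outside_acl else None


def ping_internet(asa, host="192.168.1.2", target="198.51.100.7"):
    """Echo request from an inside host; True if the echo-reply makes it back."""
    seen = asa.outbound("icmp", host, target)
    if is_private(seen):
        return False                # the Internet has no route back to 192.168.1.x
    return asa.inbound("icmp", target, seen, icmp_type="echo-reply") == host


def tcp_to_internet(asa, host="192.168.1.2", target="198.51.100.7"):
    """TCP connection from an inside host; True if the SYN/ACK makes it back."""
    seen = asa.outbound("tcp", host, target)
    return not is_private(seen) and asa.inbound("tcp", target, seen) == host


if __name__ == "__main__":
    for label, asa in [("no NAT", Asa()), ("NAT only", Asa(pat_inside=True)),
                       ("NAT + inspect icmp", Asa(pat_inside=True, inspect_icmp=True))]:
        print(f"{label:20s} tcp={tcp_to_internet(asa)} ping={ping_internet(asa)}")
```

Note that the posted running-config already carries `inspect icmp` in global_policy, so in that setup the echo-reply ACL is the belt-and-braces option and the missing piece is the NAT rule.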

 

 

Well I am sort of not sure how to explain this. The 5508-X has GE1/1 - GE1/8.

 

1/1 Is my WAN

1/2 Is my ASDM /Management (192.168.1.1)

1/3 Is my 192.168.2.1

1/4 Is my 192.168.3.1

x.x.4.1

x.x.5.1 And so on.

 

I have GE 1/2 (192.168.1.1) connected to an 891f (192.168.1.2) as its gateway.

I want to be able to remotely connect to my 891f using SSH from the outside world.
Every other interface on my 5508 has Internet access, but for some reason GE1/2 won't allow it. Is this because it's dedicated to ASDM/Management and Internet isn't permitted on that interface, or am I doing something wrong?

 

Awesome. Makes perfect sense. I had just assumed that, since I can access the 5508-X IP itself via SSH, I would be able to access a router on the (inside) interface, as I thought it was a subnet of the 5508/gateway IP, but I see what you mean about a management port disabling Internet access.

 

I will have to rearrange my interfaces, possibly free up GE08, and do as you said with that interface.

 

thank you 

Hi,

 

Yes, if a port has the management-only keyword then it will disable Internet access. Otherwise, just remove the management-only keyword.

 

After that, you can still access the interface for management, and data will work.

That makes complete sense but upon looking at my config it still eludes me.

 

You are correct... There is a Management 1/1 Interface (For Firepower or so the manual says) and there is the Gigabitethernet 1/2 that is dedicated to the ‘inside’ as well as the ASDM via 192.168.1.1 but I do not see “management-only” for that specific port.

names

!
interface GigabitEthernet1/1
 description WAN
 nameif outside
 security-level 0
 pppoe client vpdn group pppoewan
 ip address pppoe setroute 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface GigabitEthernet1/3
 description TPLink
 nameif tplink
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface GigabitEthernet1/4
 description mail
 nameif mail
 security-level 100
 ip address 192.168.3.1 255.255.255.0 
!
interface GigabitEthernet1/5
 description fhc
 nameif fhc
 security-level 100
 ip address 192.168.4.1 255.255.255.0 
!
interface GigabitEthernet1/6
 description vpn
 nameif vpn
 security-level 100
 ip address 192.168.5.1 255.255.255.0 
!
interface GigabitEthernet1/7
 description Open
 nameif Open
 security-level 90
 ip address 10.0.1.115 255.255.255.0 
!
interface GigabitEthernet1/8
 description NAS
 nameif NAS
 security-level 90
 ip address 10.0.2.115 255.255.255.0 
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address

 

All looks good here. Can you share your complete configuration if possible? I want to see whether your NAT includes this interface or not. Otherwise, all looks good to make Internet work on this inside segment.

Hello. I sure can. Now mind you, I was under the impression that a security level 100 could access (the Internet) on security level 0, so I have made no permissions.

 

: Serial Number: JAD192402FY
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.6(2)2
!
hostname ciscoasa
enable password $sha512$5000$VxGVpbbYO1zrechJNeV1wg==$GTQ23G8/TbyeZGPCsWdOjA== pbkdf2
names
ip local pool VPNPool 10.0.3.101-10.0.3.105 mask 255.255.255.0

!
interface GigabitEthernet1/1
description WAN
nameif outside
security-level 0
pppoe client vpdn group pppoewan
ip address pppoe setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
description TPLink
nameif tplink
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/4
description mail
nameif mail
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet1/5
description fhc
nameif fhc
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/6
description vpn
nameif vpn
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/7
description Open
nameif Open
security-level 90
ip address 10.0.1.115 255.255.255.0
!
interface GigabitEthernet1/8
description NAS
nameif NAS
security-level 90
ip address 10.0.2.115 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup tplink
dns domain-lookup mail
dns domain-lookup fhc
dns domain-lookup vpn
dns domain-lookup Open
dns domain-lookup NAS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TPLink
host 192.168.2.177
description TPLink
object network mail
host 192.168.3.180
description mail
object network fhc
host 192.168.4.181
description fhc
object network dlink
host 192.168.5.178
description dlink
object-group network DM_INLINE_NETWORK_1
network-object host x.x.x.180
network-object object mail
object-group service imapssl tcp
description imapssl
port-object eq 993
object-group network DM_INLINE_NETWORK_4
network-object host x.x.x.180
network-object object mail
object-group network DM_INLINE_NETWORK_2
network-object host 2x.x.x.180
network-object object mail
object-group network DM_INLINE_NETWORK_3
network-object host x.x.x.180
network-object object mail
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service smtpd tcp
description smtpd
port-object eq 587
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq smtp
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group imapssl
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_3 eq ssh
access-list SPLIT_TUNNEL standard permit 10.0.2.0 255.255.255.0
access-list vpn_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu tplink 1500
mtu mail 1500
mtu fhc 1500
mtu vpn 1500
mtu Open 1500
mtu NAS 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network TPLink
nat (any,any) static x.x.x.177
object network mail
nat (any,any) static x.x.x.180
object network fhc
nat (any,any) static x.x.x.181
object network dlink
nat (any,any) static x.x.x.178
access-group outside_access_in in interface outside
access-group vpn_access_in in interface vpn
route outside 0.0.0.0 0.0.0.0 x.x.x.182 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 18dad19e267de8bb4a2158cdcc6b3b4a
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group pppoewan request dialout pppoe
vpdn group pppoewan localname xxxxx
vpdn group pppoewan ppp authentication chap
vpdn username xxxxx password *****

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.4.04030-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_HomeVPN internal
group-policy GroupPolicy_HomeVPN attributes
wins-server none
dns-server value 205.171.3.65
vpn-tunnel-protocol ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
default-domain none
dynamic-access-policy-record DfltAccessPolicy
username CiscoVPN password J7YMLltuBD0Gdxvn encrypted
tunnel-group HomeVPN type remote-access
tunnel-group HomeVPN general-attributes
address-pool VPNPool
default-group-policy GroupPolicy_HomeVPN
tunnel-group HomeVPN webvpn-attributes
group-alias HomeVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:99b0b7a7461ef0ba2115f4349d774dcb
: end

Hi,

 

I have not seen any NAT entry defined for the inside network?

 

You need to add the below to allow Internet from the inside network:

 

! subnet is a network object attribute (not object-group), and the nameif on GigabitEthernet1/1 is "outside"
object network INSIDE_NETWORK
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

Good Morning

 

I won't say "I knew that", or else I would have done it, but I had thought that the interfaces by default would go out into the world. I had used NAT with my static IPs and foolishly overlooked the concept of any network needing NAT.

I will add that when I get home and let you know.

 

thank you 

Is it possible to change the Port 22 to 20000 on the ASA?

Hi,

 

We can do port translation at the ASA in a way that someone can connect from outside to the ASA public IP on port 20000 for SSH, and the ASA will translate it to the router IP with port 22.

 

The advantage of doing it is to save public IP address space without requiring a 1:1 NAT for some services.

Ohh I see what you mean. Not literally changing it. Using NAT to redirect it. Thank you.

 

With your instruction I got everything working the way I had wanted. Now I won't lie, I am a big ASDM user, and I did all of these changes in the CLI. I happened to go back into the ASDM and all of my current/prior ACLs had been erased automatically just by inputting the new ones. I didn't save it and reloaded the 5508. All my original settings were there, and I thought maybe it was a glitch. I did the config in the CLI again and it erased my original ACL. Am I missing anything? With the running-config I showed you, how would what you told me to input erase anything?

Hi,

 

Most likely you are overwriting your existing ACLs which you defined in ASDM. It seems you already configured some ACLs and you want to add on to the existing ones. You can take help from ASDM to avoid overwriting.

 

From CLI, if you want to avoid overwrite, then you can do that by:

 

Add the ACL entries using line numbers and make sure they do not match existing line numbers. You can verify the existing ACL line numbers by issuing the command "show access-list".

 

Once you identify your last line number, then you can add the ACL by:

 

access-list 100 line 3 permit tcp any any eq 83 

 

Once done, verify your ACL config with "show running-config access-list".

 

By default, ACL entries should be appended to the existing ACL configuration on the last lines, but I am not sure why it is happening with you. With the above steps, you will be fine.
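To make the line-number advice above mechanical, here is an added helper (not from this thread and not a Cisco tool) that parses `show access-list` output, finds the highest line number per ACL, and builds the `access-list NAME line N ...` command that appends rather than overwrites; it also refuses an ACE that is already present. The sample output is constructed to resemble the ACLs in the posted config, with made-up hit counts and hashes.

```python
"""Added helper (not from the thread, not Cisco tooling): parse "show access-list"
output to find the highest line number per ACL, so a new ACE can be added with an
explicit "line N" that follows the existing entries instead of colliding with them."""
import re
from collections import defaultdict

# Matches both the object-group line and its expanded per-host children, which
# share the same line number; hit counters and the trailing hash are dropped.
ACE_RE = re.compile(
    r"^\s*access-list\s+(\S+)\s+line\s+(\d+)\s+(.*?)"
    r"(?:\s+\(hitcnt=\d+\))?(?:\s+0x[0-9a-f]+)?\s*$")

# Constructed sample output, modelled on the ACLs in the running-config above.
SAMPLE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 5 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any object-group DM_INLINE_NETWORK_1 eq smtp 0x0a1b2c3d
  access-list outside_access_in line 1 extended permit tcp any host 192.168.3.180 eq smtp (hitcnt=12) 0x1111aaaa
access-list outside_access_in line 2 extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group imapssl 0x0b2c3d4e
  access-list outside_access_in line 2 extended permit tcp any host 192.168.3.180 eq 993 (hitcnt=3) 0x2222bbbb
access-list outside_access_in line 3 extended permit tcp any object-group DM_INLINE_NETWORK_3 eq ssh 0x0c3d4e5f
  access-list outside_access_in line 3 extended permit tcp any host 192.168.3.180 eq ssh (hitcnt=0) 0x3333cccc
access-list vpn_access_in; 1 elements; name hash: 0x1c0d4f2a
access-list vpn_access_in line 1 extended permit ip any any (hitcnt=0) 0x4444dddd
"""


def parse_show_access_list(text):
    """Return {acl_name: {line_number: [ace_text, ...]}} from show access-list output."""
    acls = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            acls[m.group(1)][int(m.group(2))].append(m.group(3))
    return acls


def next_free_line(acls, name):
    """Line number that appends to ACL `name` (1 if the ACL does not exist yet)."""
    return max(acls[name], default=0) + 1 if name in acls else 1


def append_ace_command(text, name, ace):
    """Build the CLI command that adds `ace` after the last existing entry of `name`,
    refusing when an identical ACE is already present in that ACL."""
    acls = parse_show_access_list(text)
    if name in acls and any(ace in aces for aces in acls[name].values()):
        raise ValueError(f"{name} already contains: {ace}")
    return f"access-list {name} line {next_free_line(acls, name)} {ace}"


if __name__ == "__main__":
    print(append_ace_command(SAMPLE, "outside_access_in",
                             "extended permit icmp any any echo-reply"))
```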
