06-15-2017 08:01 AM - edited 03-08-2019 10:59 AM
Hi All,
Can anyone advise what is the best and most secure way of setting up a remote (SSH) connection to an edge router from the LAN with dual firewalls (Checkpoint and ASA) in the way?
RT1 --- RT2
| |
SW1 SW2
| |
ASA1 --- ASA2
| |
SW3 SW4
| |
CHK1 --- CHK2
| |
| |
core1 --- core2
From what I can understand the SSH connection should bypass the firewalls, so...
I'm thinking about having a dedicated interface on the Checkpoint ClusterXL and having a VLAN stretched up to the edge routers.
Then the 4331 mgmt VRF will have an IP assigned to it and I will be able to open the SSH connection from the LAN via the above mentioned VLAN.
Does this sound right?
Thank you in advance!
06-15-2017 08:32 AM
Hi
I think you could configure SSH ver 2, with an ACL to allow the authorized users, and you could configure TACACS or RADIUS. I think bypassing the firewalls is not required.
06-16-2017 07:01 AM
Hi Julio,
This is what I thought, but I'm not 100% sure if this is the best, optimal solution. I saw a few posts where people were saying that they had a separate mgmt switch connected straight to the core and straight to the routers (bypassing both layers of the firewalls). And then they had SSH and an ACL configured on the routers which allowed just specific IP addresses to initialize the SSH connection to the router mgmt interface.
But this solution, bypassing all firewalls, seems quite risky to me.
What is your opinion?
06-16-2017 07:44 AM
Hi
I have a scheme like you mentioned and it is not bypassing the firewall; also I have configured an ACS, previously it was configured with RSA tokens.
In my personal opinion bypassing is not a good idea. You can use SSH v2, ACL and encryption, but if you can combine SSH + ACL with ACS, TACACS or RADIUS it should be better.
:-)
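The combination Julio describes (SSH v2 only, a standard ACL on the VTY lines, and TACACS+ with a local fallback), written out as an IOS/IOS-XE configuration example; this is an added illustration, not config from the thread, and the hostname, the management subnet 10.10.10.0/24, the TACACS+ server address 10.10.20.5 and the placeholder secrets are assumptions:

```cisco
! Added example: SSH v2 + VTY ACL + TACACS+ on an IOS-XE router.
! Addresses, names and secrets below are assumed, not taken from the thread.
hostname RT1
ip domain-name example.net
! RSA key is required before SSH can be enabled
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the LAN management subnet may open SSH sessions; log rejected attempts
ip access-list standard MGMT-SSH
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
! AAA: authenticate and authorize against TACACS+, fall back to local only
! if the TACACS+ server group is unreachable
aaa new-model
tacacs server ACS1
 address ipv4 10.10.20.5
 key 0 PLACEHOLDER-SHARED-SECRET
aaa group server tacacs+ ACS-GROUP
 server name ACS1
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
aaa accounting exec default start-stop group ACS-GROUP
!
! Local fallback account (used only when TACACS+ is down)
username admin privilege 15 secret PLACEHOLDER-PASSWORD
!
! VTY lines: SSH only, ACL applied inbound; "vrf-also" matters when the
! management interface sits in its own VRF (e.g. Mgmt-intf on an ISR4331)
line vty 0 4
 access-class MGMT-SSH in vrf-also
 transport input ssh
 exec-timeout 10 0
 login authentication default
```

Without `vrf-also` the access-class does not apply to sessions arriving through a VRF interface, so sessions reaching the mgmt VRF would not be filtered by MGMT-SSH.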
06-19-2017 01:23 AM
I'm going to use this solution then. Until I figure out how to allow RADIUS traffic on our transparent ASA I will probably use just a local admin.
Do you maybe know, if I have an ISR4331 with an IP address on its mgmt interface (which apparently is a separate VRF), whether SSH will respond to an external call (someone on the WAN trying to break in to the router)?
07-06-2017 01:18 AM
Julio,
Would you know what VLAN needs to be untagged on the trunk port connected to the transparent ASA?
I have run the SSH/mgmt connection through the transparent ASA, which is configured under a VLAN and one of the ASA BVI interfaces. Once the SSH traffic leaves the outside ASA interface it arrives at the trunk switchport.
On this trunk the SSH connection is tagged under the same VLAN ID as it is on the ASA but... as we know you have to specify an untagged VLAN on the trunk port and I don't have a clue what VLAN it needs to be?
I'm thinking about just a random (fake) VLAN as untagged, only because I won't be using it at all.
What do you think?
Thanks