Most secure way of remote connection to the Cisco 4331

layer1981
Level 1

Hi All,

Can anyone advise what is the best and most secure way of setting up a remote (SSH) connection to an edge router from the LAN with dual firewalls (Checkpoint and ASA) in the way?

RT1   ---   RT2
 |           |
SW1         SW2
 |           |
ASA1  ---   ASA2
 |           |
SW3         SW4
 |           |
CHK1  ---   CHK2
 |           |
core1 ---   core2

From what I can understand the SSH connection should bypass the firewalls, so...

I'm thinking about having a dedicated interface on the checkpoint ClusterXL and have a vlan stretched up to the edge routers.

Then 4331 vrf mgmt will have an IP assigned to it and I will be able to open the SSH connection from the LAN via above mentioned vlan.

Does this sound right?

Thank you in advance.

5 Replies

Hi

I think you could configure SSH ver 2, with an ACL to allow the authorized users, and you could configure TACACS or RADIUS. I think bypassing the firewalls is not required.


>> Mark as helpful or answered if the reply resolved the question; this helps other community members with future queries. <<

Hi Julio,

This is what I thought, but I'm not 100% sure if this is the best, most optimal solution. I saw a few posts where people were saying that they had a separate mgmt switch connected straight to the core and straight to the routers (bypassing both layers of firewalls). Then they had SSH and an ACL configured on the routers which allowed just specific IP addresses to initiate the SSH connection to the router mgmt interface.

But this solution, bypassing all the firewalls, seems quite risky to me.

What is your opinion?

Hi

I have a scheme like you mentioned and it is not bypassing the firewall; also I have configured an ACS, previously it was configured with an RSA token.

In my personal opinion, bypass is not a good idea. You can use SSH v2, ACL and encryption, but if you can combine SSH + ACL with ACS, TACACS or RADIUS, that should be better.

:-)


>> Mark as helpful or answered if the reply resolved the question; this helps other community members with future queries. <<
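The two replies above recommend the same combination: SSH version 2, a VTY access list that only admits the management subnet, and TACACS+ (or RADIUS) for authentication. The configuration below is an added example of that combination for an IOS-XE router such as the ISR 4331; it is not from either poster. The management subnet 10.10.10.0/24, the TACACS+ server 10.10.20.5, the use of the default Mgmt-intf VRF on GigabitEthernet0, and the object names are constructed for illustration.

```cisco
! --- Added example, not from the thread. Addresses and names are constructed.
hostname RT1
ip domain-name example.local
! Generate the host key once from privileged EXEC (not a config line):
!   crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh logging events
!
! Only the management subnet may open a session; everything else is
! refused and logged so attempts are visible in syslog.
ip access-list standard MGMT-SSH
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
aaa new-model
! Slow down brute-force attempts against the login and log every outcome.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
tacacs server TACACS-01
 address ipv4 10.10.20.5
 key <TACACS-SHARED-SECRET-PLACEHOLDER>
!
! TACACS+ traffic is sourced from the management VRF interface, so it
! follows the same path as the SSH sessions themselves.
aaa group server tacacs+ MGMT-TACACS
 server name TACACS-01
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
!
! TACACS+ first, local account only as a fallback when the server is unreachable.
aaa authentication login MGMT-AUTH group MGMT-TACACS local
aaa authorization exec MGMT-AUTHZ group MGMT-TACACS local
aaa accounting exec default start-stop group MGMT-TACACS
username admin privilege 15 secret <LOCAL-FALLBACK-PASSWORD-PLACEHOLDER>
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.10.30.1 255.255.255.0
 no shutdown
!
line vty 0 4
 ! "vrf-also" is required so the ACL is also applied to sessions
 ! that arrive via the Mgmt-intf VRF interface.
 access-class MGMT-SSH in vrf-also
 transport input ssh
 login authentication MGMT-AUTH
 authorization exec MGMT-AUTHZ
 exec-timeout 10 0
```

With `transport input ssh` and the `access-class` applied inbound on every VTY line, SSH is the only remote protocol accepted, and a connection from any source outside the permitted subnet is refused before authentication regardless of which interface it arrives on. The `local` keyword at the end of the AAA method lists keeps the `admin` account usable only while the TACACS+ group is unreachable, which matches the interim "local admin" arrangement mentioned later in the thread.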

I'm going to use this solution then. Until I figure out how to allow RADIUS traffic on our transparent ASA I will probably use just a local admin.

Do you maybe know, if I have an ISR4331 with an IP address on its mgmt interface, which apparently is a separate VRF, will SSH respond to an external call (someone on the WAN trying to break in to the router)?

Julio,

Would you know what VLAN needs to be untagged on the trunk port connected to the transparent ASA?

I have run the SSH/mgmt connection through the transparent ASA, which is configured under a VLAN and one of the ASA BVI interfaces. Once the SSH traffic leaves the outside ASA interface, it arrives at the trunk switchport.

On this trunk the SSH connection is tagged under the same VLAN ID as it is on the ASA, but... as we know, you have to specify an untagged VLAN on the trunk port and I don't have a clue what VLAN it needs to be.

I'm thinking about just a random (fake) VLAN as untagged, only because I won't be using it at all.

What do you think?

Thanks
