Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
412
Views
0
Helpful
3
Replies

Multiple WAN SSH access on ASA5512X

Nicholas Richardson
Level 1
Level 1

‎12-03-2015 05:54 AM

Hello,

Hopefully someone can explain this behaviour, its not what I'm expecting.

On our ASA5512 version 9.5(14), we have 3 ISPS, and 3 default routes, first a fibre link, second an ADSL, third a satellite link

route ISP1 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route ISP2 0.0.0.0 0.0.0.0 2.2.2.2 10 track 2
route ISP3 0.0.0.0 0.0.0.0 3.3.3.3 20

These are the only routes.

We've configure access (ASDM,SSH) on each interface:

ssh 5.4.3.2 255.255.255.255 ISP1

ssh 5.4.3.2 255.255.255.255 ISP2

ssh 5.4.3.2 255.255.255.255 ISP3

We can access via SSH on all three interfaces, despite, the primary default-route (and no other routes) still being in place.  I always understood we must have a static route out ISP2 and ISP3 to a management IP, otherwise traffic comes in ISP2 and out ISP1.  But it doesn't.  It just works, its almost as if the SSH and ASDM commands are a "route" command themselves (no next hop of course).  Its very strange how to explain it?

Labels:
0 Helpful
3 Replies 3

Karsten Iwen
VIP
VIP

‎12-03-2015 06:41 AM

When you ssh into you ASA, a connection is build for that ssh-session. This connection can be seen  with "show conn all" like on this ASA where I connect from 192.0.2.1 to both outside interfaces of the ASA:

ASA-HQ# sh conn all address 192.0.2.1
912 in use, 8501 most used
TCP outside1 192.0.2.1:60718 NP Identity Ifc 198.51.100.1:22, idle 0:00:00, bytes 13683, flags UOB
TCP outside2 192.0.2.1:60716 NP Identity Ifc 203.0.113.0:22, idle 0:00:28, bytes 3411, flags UOB

The connection is aware of the interface the session is terminated on and can reply back on the same interface.

Same will work for access to internal servers. In my ASA the active default-route points to outside1, but I still can reach my internal mailserver through outside2 with the corresponding NAT-entry.

0 Helpful

Nicholas Richardson
Level 1
Level 1
In response to Karsten Iwen

‎12-03-2015 06:58 AM

Thanks for reply - I'm confused to the order of operations, I understand it knows what interface the connection was built on, but not how it knows to route the traffic - where does the route lookup happen?  In the routing table there is no route, this is what confuses me, how does it know to route the traffic to the next-hop?

thanks

Nicholas

0 Helpful

Karsten Iwen
VIP
VIP
In response to Nicholas Richardson

‎12-03-2015 08:04 AM

Finding the interface is not only done through routing on the ASA. Also NAT can do this. The next-hop is then taken from a configured route. Although I'm not aware of any documentation of this behavior for traffic terminated on the ASA, I was told by a Cisco engineer that it's the same mechanism that handles this.

0 Helpful
Customers Also Viewed These Support Documents