Brand4480
Re: Unable to SSH

Diane,

The difference you are seeing is that an ASA is a firewall first and a VPN product second.  The VPN Concentrators just did VPN and didn't concern themselves with routing, switching, or firewalls.  By many people's estimation this is not a good thing because it increased the attack surface of the ASA.  However, Cisco allowed management of the ASA you are on by doing a hairpin reverse tunnel back to the ASA for management.  This doesn't scale well to other ASAs and really wasn't intended to do so.  From a security point of view the best solution is a management server.

To set up the management server, you just need a Windows/Linux/Apple (whatever you're comfortable with) machine, configured to allow remote sessions.  You can do this on the Windows platform with Remote Desktop or VNC; if you use Linux or Apple, they both have solutions.  Once you have your platform, just install a terminal emulator like PuTTY or SecureCRT and you'll have access to your systems.  If you are using ASDM to configure your ASA you'll just need a compatible web browser on the management server and then open a connection to your ASAs.

    Doing this method gives you the following:

1.) Limited access, since a person will need to have an account on the management server to access the admin tools.

2.) Accountability, since the event logs on the management server will show who logged in and when.  You can even go so far as to set up process controls on what a person can access.

3.) Limits the hacking surface.  Once you have configured your management workstation, configure an ACL on your ASAs that limits any SSH, HTTPS, etc. connection to the management workstation.  With this done, you need only worry about who has access to that workstation.

 

     Hope this helps.  I didn't want to flood you, but wanted to give you the reason behind going this route over the method employed by the VPN Concentrators.  Let me know if you have further questions.
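Point 3 above worked out as an added example (not part of Brand4480's post or of the lab configurations further down this page): the management-plane restriction on an ASA, followed by the equivalent on an IOS router configured like CR01/CR02 below, which currently accept telnet with a shared line password. The management workstation address 10.31.10.50, the domain name and the username are assumed placeholders.

```cisco
! ---- ASA: allow SSH and ASDM (HTTPS) only from the management workstation ----
! Weak form, any inside host may open a management session:
!   ssh 0.0.0.0 0.0.0.0 inside
!   http 0.0.0.0 0.0.0.0 inside
! Hardened form, only the management workstation (assumed address 10.31.10.50):
ssh 10.31.10.50 255.255.255.255 inside
ssh version 2
ssh timeout 10
aaa authentication ssh console LOCAL
http server enable
http 10.31.10.50 255.255.255.255 inside
! Ship the ASA's own syslog to the management host so sessions are recorded there too
logging enable
logging trap informational
logging host inside 10.31.10.50
!
! ---- IOS router (CR01/CR02 style): same restriction with a vty access-class ----
! Weak form, as in the running configs on this page (telnet, shared line password):
!   line vty 0 4
!    password telnet
!    login
! Hardened form: SSH only, local user accounts, vty reachable from the management host only
! (domain name and username are assumed placeholders; both are needed before the RSA key exists)
ip domain-name prestina.example
crypto key generate rsa modulus 2048
ip ssh version 2
username admin secret REPLACE-WITH-STRONG-SECRET
access-list 5 remark management workstation only
access-list 5 permit host 10.31.10.50
access-list 5 deny any log
line vty 0 4
 access-class 5 in
 transport input ssh
 login local
 exec-timeout 10 0
```

The `deny any log` entry makes every rejected management attempt visible in the router's syslog, which is the detection side of the same control.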

 

 

Vtp mode client

vtp domain

switchport mode trunk

switchport trunk allowed vlan

ip dhcp excluded-address (gateway)

ip dhcp pool vlan 31

default-router 192.168.31.1

network 192.168.31.0 255.255.255.0

 

interface
no shut
int fa0/0.31
encapsulation dot1q 31
ip add 192.168.31.1 255.255.255.0
no shut

 

========================================================================
hostname CR01
!
!
!
enable secret 5 $1$mERr$qks.ziZQfY6v/mIalE3YO0
!
!
ip dhcp excluded-address 172.17.0.1 172.17.100.0
ip dhcp excluded-address 172.18.0.1 172.18.100.0
ip dhcp excluded-address 172.19.0.1 172.19.100.0
ip dhcp excluded-address 172.31.0.1 172.31.100.0
!
ip dhcp pool STUDENTEN
network 172.17.0.0 255.255.0.0
default-router 172.17.0.1
ip dhcp pool DOCENTEN
network 172.18.0.0 255.255.0.0
default-router 172.18.0.1
ip dhcp pool TOETSING
network 172.20.0.0 255.255.0.0
default-router 172.20.0.1
ip dhcp pool MANAGEMENT
network 172.31.0.0 255.255.0.0
default-router 172.31.0.1
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp key PRESTINA address 120.0.0.10
!
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
set peer 120.0.0.10
set transform-set VPN-SET
match address 110
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/0.16
encapsulation dot1Q 16
ip address 172.16.0.1 255.255.0.0
ip nat inside
!
interface FastEthernet0/0.17
encapsulation dot1Q 17
ip address 172.17.0.1 255.255.0.0
ip nat inside
!
interface FastEthernet0/0.18
encapsulation dot1Q 18
ip address 172.18.0.1 255.255.0.0
ip nat inside
!
interface FastEthernet0/0.19
encapsulation dot1Q 19
ip address 172.19.0.1 255.255.0.0
ip nat inside
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 172.20.0.1 255.255.0.0
ip nat inside
!
interface FastEthernet0/0.31
encapsulation dot1Q 31
ip address 172.31.0.1 255.255.0.0
ip nat inside
!
interface FastEthernet0/1
ip address 100.0.0.10 255.0.0.0
ip nat outside
duplex auto
speed auto
crypto map VPN-MAP
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 101 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 100.0.0.1
!
ip flow-export version 9
!
!
! traffic for the VPN peer (matched by ACL 110) must be excluded from NAT, so the deny comes first
access-list 101 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.16.0.0 0.15.255.255 any
access-list 110 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
!
!
!
!
!
!
line con 0
password console
login
!
line aux 0
!
line vty 0 4
password telnet
login
!
!
!
end

 

========================================================================

hostname CR02
!
!
!
enable secret 5 $1$mERr$qks.ziZQfY6v/mIalE3YO0
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp key PRESTINA address 100.0.0.10
!
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
set peer 100.0.0.10
set transform-set VPN-SET
match address 110
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.0.1 255.255.0.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/0.16
encapsulation dot1Q 16
ip address 10.16.0.1 255.255.0.0
ip helper-address 10.16.50.1
!
interface FastEthernet0/0.17
encapsulation dot1Q 17
ip address 10.17.0.1 255.255.0.0
ip helper-address 10.16.50.1
!
interface FastEthernet0/0.18
encapsulation dot1Q 18
ip address 10.18.0.1 255.255.0.0
ip helper-address 10.16.50.1
!
interface FastEthernet0/0.19
encapsulation dot1Q 19
ip address 10.19.0.1 255.255.0.0
ip helper-address 10.16.50.1
!
interface FastEthernet0/0.31
encapsulation dot1Q 31
ip address 10.31.0.1 255.255.0.0
ip helper-address 10.16.50.1
!
interface FastEthernet0/1
ip address 120.0.0.10 255.0.0.0
ip nat outside
duplex auto
speed auto
crypto map VPN-MAP
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 101 interface FastEthernet0/1 overload
ip classless
ip route 10.16.0.0 255.240.0.0 10.10.0.2
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
ip flow-export version 9
!
!
access-list 110 permit ip 10.10.0.0 0.0.255.255 172.13.0.0 0.0.255.255
access-list 110 permit ip 10.16.0.0 0.15.255.255 172.31.0.0 0.0.255.255
access-list 110 permit ip 10.31.0.0 0.0.255.255 172.16.0.0 0.15.255.255
access-list 110 permit ip host 10.16.50.1 host 172.16.50.1
access-list 110 permit ip host 10.19.50.1 host 172.19.50.1
access-list 101 deny ip 10.10.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 101 deny ip 10.16.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 172.16.0.0 0.15.255.255
access-list 101 deny ip host 10.16.50.1 host 172.16.50.1
access-list 101 deny ip 10.19.0.0 0.0.255.255 any
access-list 101 deny ip 10.10.0.0 0.0.255.255 any
access-list 101 deny ip 10.16.0.0 0.15.255.255 any
!
!
!
!
!
!
line con 0
password console
login
!
line aux 0
!
line vty 0 4
password telnet
login
!
!
!
end

 

========================================================================

=="..." means: make something up yourself==
==*...* tomorrow==


//////////////////////
Important commands
show vlan brief
traceroute
ping
ip helper-address
\\\\\\\\\\\\\\\\\\\\\\\
=============================
==CR01==
--Access-lists--
access-list 110 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
---------------------
--NAT Access-list--
access-list 101 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.16.0.0 0.15.255.255 any

ip nat inside source list 101 interface fastethernet0/1 overload
----------------------
--VPN--
crypto isakmp policy 10
encr aes
authentication pre-share
group 2

crypto isakmp key PRESTINA address 120.0.0.10

crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac

crypto map VPN-MAP 10 ipsec-isakmp
set peer 120.0.0.10
set transform-set VPN-SET
match address 110

interface FastEthernet0/1
crypto map VPN-MAP
---------------------------
=============================
==CR02==
--Access lists--

access-list 110 permit ip 10.10.0.0 0.0.255.255 172.13.0.0 0.0.255.255
access-list 110 permit ip 10.16.0.0 0.15.255.255 172.31.0.0 0.0.255.255
access-list 110 permit ip 10.31.0.0 0.0.255.255 172.16.0.0 0.15.255.255
access-list 110 permit ip host 10.16.50.1 host 172.16.50.1
access-list 110 permit ip host 10.19.50.1 host 172.19.50.1
--------------------------------------
-NAT accesslist-
access-list 101 deny ip 10.10.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 101 deny ip 10.16.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 172.16.0.0 0.15.255.255
access-list 101 deny ip host 10.16.50.1 host 172.16.50.1
access-list 101 deny ip 10.19.0.0 0.0.255.255 any
access-list 101 deny ip 10.10.0.0 0.0.255.255 any
access-list 101 deny ip 10.16.0.0 0.15.255.255 any

ip nat inside source list 101 interface fastethernet0/1 overload
--------------------------------------
--Interfaces--

interface FastEthernet0/0
ip address 10.10.0.1 255.255.0.0
ip nat inside

interface FastEthernet0/1
ip address 120.0.0.10 255.0.0.0
ip nat outside

interface fa0/0.16
encapsulation dot1q 16
ip address 10.16.0.1 255.255.0.0
ip helper-address 10.16.50.1

interface fa0/0.17
encapsulation dot1q 17
ip address 10.17.0.1 255.255.0.0
ip helper-address 10.16.50.1

interface fa0/0.18
encapsulation dot1q 18
ip address 10.18.0.1 255.255.0.0
ip helper-address 10.16.50.1

interface fa0/0.19
encapsulation dot1q 19
ip address 10.19.0.1 255.255.0.0
ip helper-address 10.16.50.1

interface fa0/0.31
encapsulation dot1q 31
ip address 10.31.0.1 255.255.0.0
ip helper-address 10.16.50.1
--------------------------------------
-VPN-
crypto isakmp policy 10
encr aes
authentication pre-share
group 2

crypto isakmp key PRESTINA address 100.0.0.10

crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac

crypto map VPN-MAP 10 ipsec-isakmp
set peer 100.0.0.10
set transform-set VPN-SET
match address 110

interface FastEthernet0/1
crypto map VPN-MAP
--------------------------------------
--Routing--
ip route 10.16.0.0 255.240.0.0 10.10.0.2
ip route 0.0.0.0 0.0.0.0 Fastethernet0/1
--------------------------------------
=======================================
==DS02==
--VTP--
vtp domain PRESTINA-2
vtp mode Server
--------------------------------------
--VLAN--
vlan 16
name Algemeen

vlan 17
name Studenten

vlan 18
name Docenten

vlan 19
name Toetsing

vlan 20
name Printers

vlan 31
name Beheer

vlan 88
name Black_Hole

vlan 99
name Native
---------------------------------
--Interfaces--
interface range fa0/1-6
switchport mode access
switchport access vlan 16

interface range fa0/7-8
switchport mode access
switchport access vlan 17

interface range fa0/9-10
switchport mode access
switchport access vlan 18

interface range fa0/11-12
switchport mode access
switchport access vlan 19

interface range fa0/13-14
switchport mode access
switchport access vlan 20

interface range fa0/15-16
switchport mode access
switchport access vlan 31

interface range fa0/17-23
switchport mode access
switchport access vlan 88
shutdown

interface fa0/24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 17-18,20,31

interface g0/1
no switchport
ip address 10.10.0.2 255.255.0.0

interface g0/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 19,31

interface vlan16
ip address 10.16.0.1 255.255.0.0

interface vlan17
ip address 10.17.0.1 255.255.0.0
ip helper-address 10.16.50.1

interface vlan18
ip address 10.18.0.1 255.255.0.0
ip helper-address 10.16.50.1

interface vlan19
ip address 10.19.0.1 255.255.0.0

interface vlan20
ip address 10.20.0.1 255.255.0.0

interface vlan31
ip address 10.31.0.1 255.255.0.0
ip helper-address 10.16.50.1
---------------------------------
--Routing--
ip route 0.0.0.0 0.0.0.0 10.10.0.1
----------------------------------
--Access-lists--
access-list 117 remark 1: Permit DHCP requests, deny access to VLAN 18 & 19, permit further traffic from VLAN 17
access-list 117 permit udp any any eq bootps
access-list 117 deny ip 10.17.0.0 0.0.255.255 10.18.0.0 0.0.255.255
access-list 117 remark 2: Deny student traffic to teacher traffic
access-list 117 deny ip 10.17.0.0 0.0.255.255 10.19.0.0 0.0.255.255
access-list 117 remark 3: Permit other traffic from VLAN 17
access-list 117 permit ip 10.17.0.0 0.0.255.255 any

interface vlan 17
ip access-group 117 in

* access-list 119 *

------------------------------------
====================================
==AS01==
--VTP--
vtp mode Client
------------------------------------
--Default gateway--
ip default-gateway 10.31.0.1
------------------------------------
--Interfaces--
int range fa0/1-16
switchport mode access
switchport access vlan 17

int range fa0/17-18
switchport mode access
switchport access vlan 18

int range fa0/19-20
switchport mode access
switchport access vlan 20

interface g0/1
switchport mode trunk
switchport trunk allowed vlan 16-18

int vlan31
ip address 10.31.10.1 255.255.0.0
-----------------------------------------
=========================================
==AS-T==
--Default-gateway--
ip default-gateway 10.31.0.1
-----------------------------------------
--Interfaces--
int range fa0/1-24
switchport mode access
switchport access vlan 19

interface g0/2
switchport mode trunk
switchport trunk allowed vlan 19,31

interface vlan 31
ip address 10.31.10.11 255.255.0.0
no sh

 

 

========================================================================

 


 

VPN-conf

encr = [aes]

crypto isakmp key [prestina] address [120.0.0.10]

crypto ipsec transform-set [VPN-set] esp-3des esp-sha-hmac

crypto map [VPN-MAP] 10 ipsec-isakmp

set peer [120.0.0.10]

set transform-set [VPN-SET]

match address [110]

Interface [fast ethernet]

Crypto map [VPN MAP]

=====================

access-list 110 [permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255]

access-list 101 [deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255]

[access-list 101 permit ip 172.16.0.0 0.15.255.255 any]

ip nat inside [source list 101 interface fastethernet 0/1 overload]

=======

[2] x switch l2
[3] x switch l3
[1] x router
[4] x server

=============

server dn = 10.18.50.1/16
t server = 10.19.50.1/16

=====

Vlan [18] 10.18.0.1 | 10.18.100.1 | [30]
Vlan [19] 10.19.0.1 | 10.19.100.1 | [30]
Vlan 31 10.31.0.1 [30]

====

brand, type Cisco [2811]

====

interfaces:

fast ethernet0/0 ip 120.0.0.1/16
ip nat [inside]

fastethernet0/1 IP 120.0.0.10/8
ip nat [inside]

===

VPN-conf

encr [aes]

crypto isakmp key [prestina] address [100.0.0.10]

crypto ipsec transform-set [VPN-SET] esp-3des esp-sha-hmac

crypto map [VPN-MAP] 10 ipsec-isakmp

set peer [100.0.0.10]

set transform-set [VPN-set]

match address [110]

interface [FastEthernet0/1]

crypto map [vpn-map]

=========

VPN-access-list:

access-list 110 [permit ip 10.10.0.0 0.0.255.255 172.13.0.0 0.0.255.255]

access-list 110 [permit ip 10.16.0.0 0.15.255.255 172.31.0.0 0.0.255.255]

access-list 110 [permit ip 10.31.0.0 0.0.255.255 172.16.0.0 0.15.255.255]

access-list 110 permit ip host 10.16.50.1 host 172.16.50.1

access-list 110 permit ip host 10.19.50.1 host 172.19.50.1

=========

NAT-access list:

access-list 101 [deny ip 10.10.0.0 0.0.255.255 172.31.0.0 0.0.255.255]

access-list 101 [deny ip 10.16.0.0 0.15.255.255 172.31.0.0 0.0.255.255]

access-list 101 [deny ip 10.31.0.0 0.0.255.255 172.16.0.0 0.15.255.255]

access-list 101 deny ip host 10.16.50.1 host 172.16.50.1

access-list 101 deny ip 10.19.0.0 0.0.255.255 any

access-list 101 deny ip 10.10.0.0 0.0.255.255 any

access-list 101 deny ip 10.16.0.0 0.15.255.255 any

==========

nat-access-list [source list 101 interface fastethernet0/1 overload]

===

routing

Set default route: ip route 10.16.0.0 255.240.0.0 10.10.0.2

Set route(s) to VLANs: 0.0.0.0 0.0.0.0 FastEthernet0/1

======

distribution switch

vtp mode: server

==========

interface

mode & vlans

[F0/1-6] mode access vlan 16
[F0/7-8] mode access Vlan 17
[F0/9-10] mode access vlan 18

[F0/11-12] mode access Vlan 19
[F0/13-14] mode access vlan 20
[F0/15-16] mode access vlan 31
[F0/17-23] mode access vlan 88, shutdown

[F0/24] Mode access trunk, allowed vlan(s) 17-18,20,31
[G0/1] Mode access ip 10.10.0.2/16
[G0/2] Mode access trunk, allowed vlans 19,31
Interface(s) Vlan16: Mode access IP: 10.16.0.1/16
Interface(s) Vlan17: Mode access IP: 10.17.0.1/16
Interfaces vlan 18: mode access ip 10.18.0.1/16
Interfaces vlan 19: mode access ip 10.19.0.1/16
Interfaces vlan 20: mode access ip 10.20.0.1/16
Interfaces vlan 31: mode access ip 10.31.0.1/16

interface(s) interface 17 ip helper-address: IP: 10.16.50.1
interface(s) interface 18 ip helper-address: IP: 10.16.50.1
interface(s) interface 31 ip helper-address: IP: 10.16.50.1

=========

IP addresses

Interface G0/1: IP:10.10.0.2 /16

interface vlan 16: IP: 10.16.0.1/16
interface vlan 17: IP: 10.17.0.1/16
interface vlan 18: IP: 10.18.0.1/16
interface vlan 31: IP: 10.31.0.1/16
????

====

DHCP REQUESTS to DHCP SERVER

???

==========

routing

[ip routing]

ip route 0.0.0.0 0.0.0.0 10.10.0.1

=========

access-lists 117

access-list 117 [permit udp any any eq bootps]

access-list 117 [deny ip 10.17.0.0 0.0.255.255 10.18.0.0 0.0.255.255]

access-list 117 [deny ip 10.17.0.0 0.0.255.255 10.19.0.0 0.0.255.255]

access-list 117 remark 3: Permit other traffic from VLAN 17

access-list 117 [permit ip 10.17.0.0 0.0.255.255 any]

interface [VLAN 17]

IP-access-group 117 in

=====================

access-list 119

[Give the test server access only to:
- the test server in Bennebroek
- the management VLAN in Bennebroek
- the management VLAN in A
- apply to the correct interface]
=============================

access switch classrooms

Brand, type: Cisco 2960
Hostname:AS01
VTP mode:[client]

===============

default gateway: 10.31.0.1
========================

interfaces trunk, allowed vlans [19,31]

vlan 31 IP: [10.31.10.1/16]

==========

ap sn

ssid prestina studenten
authen wpa2
preshared key student-prestina

AP DN

ssid prestina docenten
authen wpa 2
preshared key docentprestina99873

==============

printers

01 ptr01 [10.20.20.1] [10.20.0.1]
02 ptr02 [10.20.20.2] [10.20.0.1]
toetsing ptr-t [10.19.20.1] [10.19.0.1]

============

internal ports

80 http
443 https
500 dns

external ports

500 isakmp
50 esp
80 http

total: 10.556,78

 

Below you will find the elaboration of a suitable technical detailed design for the training institute Prestina. This design was drawn up by network specialist Perfect Network Systems on behalf of director-owner K. Klooster of Prestina. The design is a follow-up to the approved functional design. The network of the existing Bennebroek site must be modified to make a VPN connection with the Alkmaar site possible. Over that connection the administrators can carry out management tasks at each other's site and the test servers can communicate with each other. The network of the new Alkmaar site is designed entirely from scratch.

 

Internet and firewall security

From the computers and the server in the test room there is no access to other networks outside the test room. The server and

 

 

 
