sgiurgeu
asked on
ssh through vpn on asa5505
I have an asa5505 configured to allow ssh from select hosts on the internet to specific hosts on the LAN. That works well. The firewall is also configured to allow client based VPN connections, and that works well, also. The appliance is also configured to allow ssh connections to itself from inside. It works.
I can't figure it out how to allow ssh connections to the appliance from the VPN clients.
To summarize:
LAN: 192.168.2.0
VPN pool: 192.168.30.1 - 192.168.30.10
port 22 on the outside interface is mapped to a (*nix) host on the LAN
on ASA, I have: ssh 192.168.2.0 255.255.255.0 inside
I can successfully ssh from the internal (*nix) host to ASA
I can successfully ssh from outside through ASA to the internal (*nix) host
I can successfully establish a VPN connection to the ASA
Keeping all the above in place, I want to be able to ssh into ASA from a specific host outside, through the VPN or not (doesn't matter). In other words, my only way to ssh into the appliance at the moment from outside is to ssh first into the internal host and from there back to ASA. I'm worried that if the internal host is unavailable I'm cut out from the appliance.
tx,
I can't figure it out how to allow ssh connections to the appliance from the VPN clients.
To summarize:
LAN: 192.168.2.0
VPN pool: 192.168.30.1 - 192.168.30.10
port 22 on the outside interface is mapped to a (*nix) host on the LAN
on ASA, I have: ssh 192.168.2.0 255.255.255.0 inside
I can successfully ssh from the internal (*nix) host to ASA
I can successfully ssh from outside through ASA to the internal (*nix) host
I can successfully establish a VPN connection to the ASA
Keeping all the above in place, I want to be able to ssh into ASA from a specific host outside, through the VPN or not (doesn't matter). In other words, my only way to ssh into the appliance at the moment from outside is to ssh first into the internal host and from there back to ASA. I'm worried that if the internal host is unavailable I'm cut out from the appliance.
tx,
Ernie Beek
Do you have something like: ssh source_IP_address mask source_interface in the config (shoulde be atleast one). The second should have source_IP_address mask as the address where you're coming from on the outside (the VPN ip) and source_interface should be the outside interface.
So something like: ssh 192.168.30.0 255.255.255.240 outside
ASKER
in my posting, i mentioned that i have:
ssh 192.168.2.0 255.255.255.0 inside
I cannot add a similar statement for the outside interface since port 22 is mapped to an internal host. This is also document in my original posting.
ssh 192.168.2.0 255.255.255.0 inside
I cannot add a similar statement for the outside interface since port 22 is mapped to an internal host. This is also document in my original posting.
Reading too fast :-~
So port 22 is mapped using the public address on the outside interface and you only have one public ip?
So port 22 is mapped using the public address on the outside interface and you only have one public ip?
ASKER
that is correct.
i guess my only way around this would be to map an arbitrary port, say 2222 from outside. Would that work?
i guess my only way around this would be to map an arbitrary port, say 2222 from outside. Would that work?
That could be an option.
I'm trying to remember something. If you are connected through the vpn and then try to ssh to the inside ip of the ASA, does that work?
I'm trying to remember something. If you are connected through the vpn and then try to ssh to the inside ip of the ASA, does that work?
You might want to add: ssh 192.168.30.0 255.255.255.240 inside though.
ASKER
I've already tried that (ssh-ing through vpn). adding ssh 192.168.30.0 255.255.255.240 inside doesn't work (I tried it) for the obvious reason that the vpn clients are considered (by asa) as belonging to the outside interface.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
That worked!!
I put:
asa(config)# ssh 192.168.30.0 255.255.255.0 inside
asa(config)# management-access inside
and now i can shh into the appliance after establishing the vpn connection.
Case closed. Thank you for your help.
I put:
asa(config)# ssh 192.168.30.0 255.255.255.0 inside
asa(config)# management-access inside
and now i can shh into the appliance after establishing the vpn connection.
Case closed. Thank you for your help.
You're welcome :) Glad I could help.