Solved

ssh through vpn on asa5505

Posted on 2011-09-14
11
1,047 Views
Last Modified: 2012-05-12
I have an asa5505 configured to allow ssh from select hosts on the internet to specific hosts on the LAN. That works well. The firewall is also configured to allow client based VPN connections, and that works well, also. The appliance is also configured to allow ssh connections to itself from inside. It works.

I can't figure it out how to allow ssh connections to the appliance from the VPN clients.

To summarize:
LAN: 192.168.2.0
VPN pool: 192.168.30.1 - 192.168.30.10
port 22 on the outside interface is mapped to a (*nix) host on the LAN
on ASA, I have: ssh 192.168.2.0 255.255.255.0 inside

I can successfully ssh from the internal (*nix) host to ASA
I can successfully ssh from outside through ASA to the internal (*nix) host
I can successfully establish a VPN connection to the ASA

Keeping all the above in place, I want to be able to ssh into ASA from a specific host outside, through the VPN or not (doesn't matter). In other words, my only way to ssh into the appliance at the moment from outside is to ssh first into the internal host and from there back to ASA. I'm worried that if the internal host is unavailable I'm cut out from the appliance.

tx,
0
Comment
Question by:sgiurgeu
  • 7
  • 4
11 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36536327
Do you have something like: ssh source_IP_address mask source_interface in the config (shoulde be atleast one). The second should have source_IP_address mask as the address where you're coming from on the outside (the VPN ip) and source_interface should be the outside interface.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36536339
So something like: ssh 192.168.30.0 255.255.255.240 outside
0
 

Author Comment

by:sgiurgeu
ID: 36536343
in my posting, i mentioned that i have:

ssh 192.168.2.0 255.255.255.0 inside

I cannot add a similar statement for the outside interface since port 22 is mapped to an internal host. This is also document in my original posting.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36536358
Reading too fast :-~

So port 22 is mapped using the public address on the outside interface and you only have one public ip?
0
 

Author Comment

by:sgiurgeu
ID: 36536384
that is correct.

i guess my only way around this would be to map an arbitrary port, say 2222 from outside. Would that work?
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36536402
That could be an option.

I'm trying to remember something. If you are connected through the vpn and then try to ssh to the inside ip of the ASA, does that work?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36536409
You might want to add: ssh 192.168.30.0 255.255.255.240 inside though.
0
 

Author Comment

by:sgiurgeu
ID: 36536518
I've already tried that (ssh-ing through vpn). adding ssh 192.168.30.0 255.255.255.240 inside doesn't work (I tried it) for the obvious reason that the vpn clients are considered (by asa) as belonging to the outside interface.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 36536569
I know, it isn't very logical but that should work normally (ssh through the vpn to the inside interface).

Do you have management-access inside somewhere in your config? If not, try adding that.
0
 

Author Comment

by:sgiurgeu
ID: 36536700
That worked!!

I put:

asa(config)# ssh 192.168.30.0 255.255.255.0 inside
asa(config)# management-access inside

and now i can shh into the appliance after establishing the vpn connection.

Case closed. Thank you for your help.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36536712
You're welcome :) Glad I could help.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now