Adam D

asked on

Connect to Cisco 3560 from inside an SSH session on an ASA 5510

While in an SSH session on my ASA 5510, I want to SSH/telnet into my switch on the same network from that session.

So I pull up putty.exe and SSH into my ASA 5510. Now I am inside my ASA 5510 and can see my config, etc. From here, this window, I want to call up my Cisco 3560 Layer 3 switch so I can make changes to its config.

How can this be done?  Thanks.
Don Johnston

It can't.  Most firewalls don't have telnet or ssh clients.
Adam D

ASKER

Is there no way to do it?
rauenpc

The only option to go "through" the ASA to SSH into your switch would be to set up client VPN access so that you can connect to the ASA via VPN, and then SSH directly to the switch.

Or you should set up a NAT/PAT to pass SSH through the ASA, but the VPN option is much better and more secure. Plus the VPN allows you to do a lot more than just SSH.
Adam D

ASKER

Thanks rauenpc.

Actually that would not help my situation (plus I already have multiple VPN tunnels and other good stuff. :)).

Here is my situation:

I have two ASA5510 firewalls connected to two different ISPs.  I currently do NOT have a dual WAN router to handle failover.

What I would like to be able to do while waiting to obtain the router I need is get to my internal switch from outside on the secondary ISP when the primary ISP fails.  I can then change the default route to point to the secondary firewall so internet traffic can resume until the primary is back online.

Currently I need to physically be at the office to make this modification.

In the alternative, if I can set up two default routes with different metrics in the Cisco 3560 switch, that would work as well.

Thoughts?  Thanks.
You can set up a PAT to use the secondary ISP regardless of which connection is up/down. You would have to translate the port so that you could, for example, SSH to port 8022 on the backup internet interface, which would translate to the inside interface of the firewall and change the destination to the switch.

The overall alternative to your situation would be to enable a dynamic routing protocol so that your ASAs could tell your 3560 whether the default route was available. You would also need to configure an SLA on the primary firewall in order to add/remove the default route, which would then affect the dynamic routing advertisements.
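Added example, not the thread's certified solution and not a Cisco-published configuration: ASA 8.2 syntax for the two approaches rauenpc describes in the post above, the static PAT on the secondary ASA and the SLA-tracked default route advertised by dynamic routing. It uses the addresses the asker gives later in the thread (167.1.1.1 on the secondary ASA's outside interface, 172.1.1.1 for the 3560). The /24 mask, interface names, ISP gateway addresses, the management host 203.0.113.10 and the SLA probe target are assumptions, marked as such in the comments. OSPF is chosen for the routing protocol because an ASA advertises a default route with `default-information originate` only while that route is present in its own table, which is exactly what the SLA track adds and removes.

```cisco
! Added example (assumed values: 203.0.113.10 = admin's public address,
! 198.51.100.1 = ISP1 gateway, 167.1.1.254 = ISP2 gateway, inside = 172.1.1.0/24,
! secondary ASA inside address 172.1.1.3, primary ASA inside address 172.1.1.2).

!===== Secondary ASA (outside 167.1.1.1): static PAT tcp/8022 -> 172.1.1.1 tcp/22 =====
! Destination translation; the ACL permits only the management host and, in 8.2,
! references the mapped (outside) address.
static (inside,outside) tcp interface 8022 172.1.1.1 22 netmask 255.255.255.255
access-list outside_access_in extended permit tcp host 203.0.113.10 host 167.1.1.1 eq 8022
access-group outside_access_in in interface outside
! Source translation ("outside NAT"): the 3560's default route still points at the
! primary ASA, so replies to the admin's real address would leave the wrong way.
! Translating the source to this ASA's inside address makes the switch answer here.
! The switch then logs 172.1.1.3 as the SSH peer; the ASA's connection syslogs keep
! the real source for attribution.
global (inside) 1 interface
nat (outside) 1 203.0.113.10 255.255.255.255 outside
! Untracked default route toward ISP2; always present, so always advertised below.
route outside 0.0.0.0 0.0.0.0 167.1.1.254 1
router ospf 1
 network 172.1.1.0 255.255.255.0 area 0
 default-information originate metric 20

!===== Primary ASA: default route withdrawn when the ISP1 path stops answering =====
! Probing the ISP gateway detects link and first-hop loss; probing an address
! beyond the ISP edge also catches upstream failures.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
! Lower metric than the secondary ASA, so the 3560 prefers this default while it exists.
router ospf 1
 network 172.1.1.0 255.255.255.0 area 0
 default-information originate metric 10

!===== 3560 (Layer 3): learn the default route from whichever ASA advertises it =====
ip routing
interface Vlan1
 ip address 172.1.1.1 255.255.255.0
! Remove any static default route: administrative distance 1 would always beat the
! OSPF-learned default (110), and a floating static alone never fails over because
! the primary ASA's inside interface stays up when only its ISP link is down.
no ip route 0.0.0.0 0.0.0.0 172.1.1.2
router ospf 1
 network 172.1.1.0 0.0.0.255 area 0
```

Verification on the ASAs is `show track 1`, `show sla monitor operational-state 10`, `show route` and, during a session through the PAT, `show xlate`; on the switch, `show ip route 0.0.0.0` should list 172.1.1.2 as the next hop and move to 172.1.1.3 once the tracked route is withdrawn. The tcp/8022 listener is reachable from the internet, so keep the source restriction in the ACL to the address you actually connect from and leave the ASA's connection logging on so every attempt against it is recorded.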
Adam D

ASKER

That is a very interesting idea. :)

Unfortunately I am not an expert ASA coder; can you provide an example of the code I would use in IOS 8.2(5) that would allow this to happen? Assume a public IP of 167.1.1.1 on the secondary ISP that is connected to my secondary firewall and an internal IP address of the switch of 172.1.1.1.

If you could also provide the configuration for the dynamic routing protocol (assuming it works on IOS 8.2(x)), that would be great as well.

Thanks.
ASKER CERTIFIED SOLUTION
rauenpc