• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 501
  • Last Modified:

Connect to Cisco 3560 from inside a SSH session in an ASA5510

While in a SSH session of my ASA 5510 I want to ssh/telnet into my switch on the same network from that session.

So, I pull up "putty.exe," ssh into my asa 5510, now I am inside my ASA 5510 and can see my config, etc.,  from here, this window, I want to call up my Cisco 3560 Layer 3 switch so I can make change on its config.

How can this be done?  Thanks.
0
Adam D
Asked:
Adam D
  • 3
  • 3
1 Solution
 
Don JohnstonInstructorCommented:
It can't.  Most firewalls don't have telnet or ssh clients.
0
 
Adam DIT Solutions DeveloperAuthor Commented:
Is there no way to do it?
0
 
rauenpcCommented:
The only option to go "through" the ASA to ssh in to your switch would be to setup client vpn access so that you can connect to the ASA via VPN, and then SSH directly to the switch.

Or you should setup a NAT/PAT to pass ssh through the asa, but the VPN option is much better and more secure. Plus the VPN allows you to do a lot more than just SSH.
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
Adam DIT Solutions DeveloperAuthor Commented:
Thanks rauenpc.

Actually that would not help my situation (plus I already have multiple VPN tunnels and other good stuff. :)).

Here is my situation:

I have two ASA5510 firewalls connected to two different ISPs.  I currently do NOT have a dual WAN router to handle failover.

What I would like to be able to do while waiting to obtain the router I need is get to my internal switch from outside on the secondary ISP when the primary ISP fails.  I can then change the default route to point to the secondary firewall so internet traffic can resume until the primary is back online.

Currently I need to physically be at the office to make this modification.

In the alternative if I can setup two default routes with different metrics in the Cisco 3560 switch that would work as well.

Thoughts?  Thanks.
0
 
rauenpcCommented:
You can setup a PAT to use the secondary ISP regardless of which connection is up/down. You would have to translate the port so that you could, for example, SSH to port 8022 on the backup internet interface which would translate to the inside interface of the firewall and change the destination to the switch.

The overall alternate to your situation would be to enable a dynamic routing protocol so that your ASA's could tell your 3560 if the default route was available. You would also need to configure an SLA on the primary firewall in order to add/remove the default route which would then affect dynamic routing advertisements.
0
 
Adam DIT Solutions DeveloperAuthor Commented:
That is a very interesting idea. :)

Unfortunately I am not an expert ASA coder, can you provide an example of the code I would use in ios 8.2(5) that would allow this to happen.  Assume a public IP of 167.1.1.1 on the secondary ISP that is connected to my secondary firewall and an internal IP address of the switch of 172.1.1.1

If you could also provide coding for the dynamic routing protocol (assuming it works on ios 8.2(x)) that would be great as well.

Thanks.
0
 
rauenpcCommented:
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/A_8612-ASA-5510-Dual-ISP-Outbound-Failover.html

This goes over how to configure dual ISP on a single ASA. For you, this is not quite the answer, but it has the key pieces of the puzzle. You would need to configure the SLA and the default route with the track statement (but not the high metric backup default route on the primary asa).

You would need to configure RIP/EIGRP (EIGRP is better) on the firewall and 3560, and the only real requirement would be to pass the default route to the 3560.

firewall
router eigrp 10
no auto
network 172.1.1.0 0.0.0.255
redistribute static (this will pass the default route)

3560
router eigrp 10
no auto
network 172.1.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 172.1.1.x 250
x being the IP of the secondary ASA


This should accomplish what you want or at least get you pretty close. The 3560 should receive a default route from the primary asa as long as the internet connection is up, and if it's down the 3560 will fall back to the high metric default route pointed at the secondary asa.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now