Solved

Connect to Cisco 3560 from inside a SSH session in an ASA5510

Posted on 2013-06-16
7
496 Views
Last Modified: 2013-07-18
While in a SSH session of my ASA 5510 I want to ssh/telnet into my switch on the same network from that session.

So, I pull up "putty.exe," ssh into my asa 5510, now I am inside my ASA 5510 and can see my config, etc.,  from here, this window, I want to call up my Cisco 3560 Layer 3 switch so I can make change on its config.

How can this be done?  Thanks.
0
Comment
Question by:Adam D
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39251901
It can't.  Most firewalls don't have telnet or ssh clients.
0
 
LVL 1

Author Comment

by:Adam D
ID: 39252061
Is there no way to do it?
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39252984
The only option to go "through" the ASA to ssh in to your switch would be to setup client vpn access so that you can connect to the ASA via VPN, and then SSH directly to the switch.

Or you should setup a NAT/PAT to pass ssh through the asa, but the VPN option is much better and more secure. Plus the VPN allows you to do a lot more than just SSH.
0
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

 
LVL 1

Author Comment

by:Adam D
ID: 39253014
Thanks rauenpc.

Actually that would not help my situation (plus I already have multiple VPN tunnels and other good stuff. :)).

Here is my situation:

I have two ASA5510 firewalls connected to two different ISPs.  I currently do NOT have a dual WAN router to handle failover.

What I would like to be able to do while waiting to obtain the router I need is get to my internal switch from outside on the secondary ISP when the primary ISP fails.  I can then change the default route to point to the secondary firewall so internet traffic can resume until the primary is back online.

Currently I need to physically be at the office to make this modification.

In the alternative if I can setup two default routes with different metrics in the Cisco 3560 switch that would work as well.

Thoughts?  Thanks.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39253081
You can setup a PAT to use the secondary ISP regardless of which connection is up/down. You would have to translate the port so that you could, for example, SSH to port 8022 on the backup internet interface which would translate to the inside interface of the firewall and change the destination to the switch.

The overall alternate to your situation would be to enable a dynamic routing protocol so that your ASA's could tell your 3560 if the default route was available. You would also need to configure an SLA on the primary firewall in order to add/remove the default route which would then affect dynamic routing advertisements.
0
 
LVL 1

Author Comment

by:Adam D
ID: 39253176
That is a very interesting idea. :)

Unfortunately I am not an expert ASA coder, can you provide an example of the code I would use in ios 8.2(5) that would allow this to happen.  Assume a public IP of 167.1.1.1 on the secondary ISP that is connected to my secondary firewall and an internal IP address of the switch of 172.1.1.1

If you could also provide coding for the dynamic routing protocol (assuming it works on ios 8.2(x)) that would be great as well.

Thanks.
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 400 total points
ID: 39256154
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/A_8612-ASA-5510-Dual-ISP-Outbound-Failover.html

This goes over how to configure dual ISP on a single ASA. For you, this is not quite the answer, but it has the key pieces of the puzzle. You would need to configure the SLA and the default route with the track statement (but not the high metric backup default route on the primary asa).

You would need to configure RIP/EIGRP (EIGRP is better) on the firewall and 3560, and the only real requirement would be to pass the default route to the 3560.

firewall
router eigrp 10
no auto
network 172.1.1.0 0.0.0.255
redistribute static (this will pass the default route)

3560
router eigrp 10
no auto
network 172.1.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 172.1.1.x 250
x being the IP of the secondary ASA


This should accomplish what you want or at least get you pretty close. The 3560 should receive a default route from the primary asa as long as the internet connection is up, and if it's down the 3560 will fall back to the high metric default route pointed at the secondary asa.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Automated backups of ASA's and Nexus (5k and 7K) 24 133
ASA 5505 latency problem 8 64
VLAN Overused monitor 4 51
VTP servers with 3650 switches 5 46
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Network ports are the threads that hold network communication together. They are an essential part of networking that can be easily ignore or misunderstood, my goals is to show those who don't have a strong network foundation how network ports opera…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question