?
Solved

Connect to Cisco 3560 from inside a SSH session in an ASA5510

Posted on 2013-06-16
7
Medium Priority
?
498 Views
Last Modified: 2013-07-18
While in a SSH session of my ASA 5510 I want to ssh/telnet into my switch on the same network from that session.

So, I pull up "putty.exe," ssh into my asa 5510, now I am inside my ASA 5510 and can see my config, etc.,  from here, this window, I want to call up my Cisco 3560 Layer 3 switch so I can make change on its config.

How can this be done?  Thanks.
0
Comment
Question by:Adam D
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39251901
It can't.  Most firewalls don't have telnet or ssh clients.
0
 
LVL 1

Author Comment

by:Adam D
ID: 39252061
Is there no way to do it?
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39252984
The only option to go "through" the ASA to ssh in to your switch would be to setup client vpn access so that you can connect to the ASA via VPN, and then SSH directly to the switch.

Or you should setup a NAT/PAT to pass ssh through the asa, but the VPN option is much better and more secure. Plus the VPN allows you to do a lot more than just SSH.
0
Ransomware Attacks Keeping You Up at Night?

Will your organization be ransomware's next victim?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with our Ransomware Prevention Kit!

 
LVL 1

Author Comment

by:Adam D
ID: 39253014
Thanks rauenpc.

Actually that would not help my situation (plus I already have multiple VPN tunnels and other good stuff. :)).

Here is my situation:

I have two ASA5510 firewalls connected to two different ISPs.  I currently do NOT have a dual WAN router to handle failover.

What I would like to be able to do while waiting to obtain the router I need is get to my internal switch from outside on the secondary ISP when the primary ISP fails.  I can then change the default route to point to the secondary firewall so internet traffic can resume until the primary is back online.

Currently I need to physically be at the office to make this modification.

In the alternative if I can setup two default routes with different metrics in the Cisco 3560 switch that would work as well.

Thoughts?  Thanks.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39253081
You can setup a PAT to use the secondary ISP regardless of which connection is up/down. You would have to translate the port so that you could, for example, SSH to port 8022 on the backup internet interface which would translate to the inside interface of the firewall and change the destination to the switch.

The overall alternate to your situation would be to enable a dynamic routing protocol so that your ASA's could tell your 3560 if the default route was available. You would also need to configure an SLA on the primary firewall in order to add/remove the default route which would then affect dynamic routing advertisements.
0
 
LVL 1

Author Comment

by:Adam D
ID: 39253176
That is a very interesting idea. :)

Unfortunately I am not an expert ASA coder, can you provide an example of the code I would use in ios 8.2(5) that would allow this to happen.  Assume a public IP of 167.1.1.1 on the secondary ISP that is connected to my secondary firewall and an internal IP address of the switch of 172.1.1.1

If you could also provide coding for the dynamic routing protocol (assuming it works on ios 8.2(x)) that would be great as well.

Thanks.
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 1600 total points
ID: 39256154
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/A_8612-ASA-5510-Dual-ISP-Outbound-Failover.html

This goes over how to configure dual ISP on a single ASA. For you, this is not quite the answer, but it has the key pieces of the puzzle. You would need to configure the SLA and the default route with the track statement (but not the high metric backup default route on the primary asa).

You would need to configure RIP/EIGRP (EIGRP is better) on the firewall and 3560, and the only real requirement would be to pass the default route to the 3560.

firewall
router eigrp 10
no auto
network 172.1.1.0 0.0.0.255
redistribute static (this will pass the default route)

3560
router eigrp 10
no auto
network 172.1.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 172.1.1.x 250
x being the IP of the secondary ASA


This should accomplish what you want or at least get you pretty close. The 3560 should receive a default route from the primary asa as long as the internet connection is up, and if it's down the 3560 will fall back to the high metric default route pointed at the secondary asa.
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question