Solved

Connect to Cisco 3560 from inside a SSH session in an ASA5510

Posted on 2013-06-16
7
495 Views
Last Modified: 2013-07-18
While in a SSH session of my ASA 5510 I want to ssh/telnet into my switch on the same network from that session.

So, I pull up "putty.exe," ssh into my asa 5510, now I am inside my ASA 5510 and can see my config, etc.,  from here, this window, I want to call up my Cisco 3560 Layer 3 switch so I can make change on its config.

How can this be done?  Thanks.
0
Comment
Question by:Adam D
  • 3
  • 3
7 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39251901
It can't.  Most firewalls don't have telnet or ssh clients.
0
 
LVL 1

Author Comment

by:Adam D
ID: 39252061
Is there no way to do it?
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39252984
The only option to go "through" the ASA to ssh in to your switch would be to setup client vpn access so that you can connect to the ASA via VPN, and then SSH directly to the switch.

Or you should setup a NAT/PAT to pass ssh through the asa, but the VPN option is much better and more secure. Plus the VPN allows you to do a lot more than just SSH.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Author Comment

by:Adam D
ID: 39253014
Thanks rauenpc.

Actually that would not help my situation (plus I already have multiple VPN tunnels and other good stuff. :)).

Here is my situation:

I have two ASA5510 firewalls connected to two different ISPs.  I currently do NOT have a dual WAN router to handle failover.

What I would like to be able to do while waiting to obtain the router I need is get to my internal switch from outside on the secondary ISP when the primary ISP fails.  I can then change the default route to point to the secondary firewall so internet traffic can resume until the primary is back online.

Currently I need to physically be at the office to make this modification.

In the alternative if I can setup two default routes with different metrics in the Cisco 3560 switch that would work as well.

Thoughts?  Thanks.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39253081
You can setup a PAT to use the secondary ISP regardless of which connection is up/down. You would have to translate the port so that you could, for example, SSH to port 8022 on the backup internet interface which would translate to the inside interface of the firewall and change the destination to the switch.

The overall alternate to your situation would be to enable a dynamic routing protocol so that your ASA's could tell your 3560 if the default route was available. You would also need to configure an SLA on the primary firewall in order to add/remove the default route which would then affect dynamic routing advertisements.
0
 
LVL 1

Author Comment

by:Adam D
ID: 39253176
That is a very interesting idea. :)

Unfortunately I am not an expert ASA coder, can you provide an example of the code I would use in ios 8.2(5) that would allow this to happen.  Assume a public IP of 167.1.1.1 on the secondary ISP that is connected to my secondary firewall and an internal IP address of the switch of 172.1.1.1

If you could also provide coding for the dynamic routing protocol (assuming it works on ios 8.2(x)) that would be great as well.

Thanks.
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 400 total points
ID: 39256154
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/A_8612-ASA-5510-Dual-ISP-Outbound-Failover.html

This goes over how to configure dual ISP on a single ASA. For you, this is not quite the answer, but it has the key pieces of the puzzle. You would need to configure the SLA and the default route with the track statement (but not the high metric backup default route on the primary asa).

You would need to configure RIP/EIGRP (EIGRP is better) on the firewall and 3560, and the only real requirement would be to pass the default route to the 3560.

firewall
router eigrp 10
no auto
network 172.1.1.0 0.0.0.255
redistribute static (this will pass the default route)

3560
router eigrp 10
no auto
network 172.1.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 172.1.1.x 250
x being the IP of the secondary ASA


This should accomplish what you want or at least get you pretty close. The 3560 should receive a default route from the primary asa as long as the internet connection is up, and if it's down the 3560 will fall back to the high metric default route pointed at the secondary asa.
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question