Solved

Connect to Cisco 3560 from inside a SSH session in an ASA5510

Posted on 2013-06-16
7
491 Views
Last Modified: 2013-07-18
While in a SSH session of my ASA 5510 I want to ssh/telnet into my switch on the same network from that session.

So, I pull up "putty.exe," ssh into my asa 5510, now I am inside my ASA 5510 and can see my config, etc.,  from here, this window, I want to call up my Cisco 3560 Layer 3 switch so I can make change on its config.

How can this be done?  Thanks.
0
Comment
Question by:adrobnis
  • 3
  • 3
7 Comments
 
LVL 50

Expert Comment

by:Don Johnston
Comment Utility
It can't.  Most firewalls don't have telnet or ssh clients.
0
 
LVL 1

Author Comment

by:adrobnis
Comment Utility
Is there no way to do it?
0
 
LVL 20

Expert Comment

by:rauenpc
Comment Utility
The only option to go "through" the ASA to ssh in to your switch would be to setup client vpn access so that you can connect to the ASA via VPN, and then SSH directly to the switch.

Or you should setup a NAT/PAT to pass ssh through the asa, but the VPN option is much better and more secure. Plus the VPN allows you to do a lot more than just SSH.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 1

Author Comment

by:adrobnis
Comment Utility
Thanks rauenpc.

Actually that would not help my situation (plus I already have multiple VPN tunnels and other good stuff. :)).

Here is my situation:

I have two ASA5510 firewalls connected to two different ISPs.  I currently do NOT have a dual WAN router to handle failover.

What I would like to be able to do while waiting to obtain the router I need is get to my internal switch from outside on the secondary ISP when the primary ISP fails.  I can then change the default route to point to the secondary firewall so internet traffic can resume until the primary is back online.

Currently I need to physically be at the office to make this modification.

In the alternative if I can setup two default routes with different metrics in the Cisco 3560 switch that would work as well.

Thoughts?  Thanks.
0
 
LVL 20

Expert Comment

by:rauenpc
Comment Utility
You can setup a PAT to use the secondary ISP regardless of which connection is up/down. You would have to translate the port so that you could, for example, SSH to port 8022 on the backup internet interface which would translate to the inside interface of the firewall and change the destination to the switch.

The overall alternate to your situation would be to enable a dynamic routing protocol so that your ASA's could tell your 3560 if the default route was available. You would also need to configure an SLA on the primary firewall in order to add/remove the default route which would then affect dynamic routing advertisements.
0
 
LVL 1

Author Comment

by:adrobnis
Comment Utility
That is a very interesting idea. :)

Unfortunately I am not an expert ASA coder, can you provide an example of the code I would use in ios 8.2(5) that would allow this to happen.  Assume a public IP of 167.1.1.1 on the secondary ISP that is connected to my secondary firewall and an internal IP address of the switch of 172.1.1.1

If you could also provide coding for the dynamic routing protocol (assuming it works on ios 8.2(x)) that would be great as well.

Thanks.
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 400 total points
Comment Utility
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/A_8612-ASA-5510-Dual-ISP-Outbound-Failover.html

This goes over how to configure dual ISP on a single ASA. For you, this is not quite the answer, but it has the key pieces of the puzzle. You would need to configure the SLA and the default route with the track statement (but not the high metric backup default route on the primary asa).

You would need to configure RIP/EIGRP (EIGRP is better) on the firewall and 3560, and the only real requirement would be to pass the default route to the 3560.

firewall
router eigrp 10
no auto
network 172.1.1.0 0.0.0.255
redistribute static (this will pass the default route)

3560
router eigrp 10
no auto
network 172.1.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 172.1.1.x 250
x being the IP of the secondary ASA


This should accomplish what you want or at least get you pretty close. The 3560 should receive a default route from the primary asa as long as the internet connection is up, and if it's down the 3560 will fall back to the high metric default route pointed at the secondary asa.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Suggested Solutions

Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now