Enable external SSH with CISCO ASA 5505

Unanswered Question
Oct 24th, 2007

Hi all,


I have to enable SSH and HTTPS on a CISCO ASA 5505. SSH and HTTPS must accept requests only from certain addresses on the WAN.


How can I do it?

Thanks in advance,

Simone Spagna

srue Wed, 10/24/2007 - 05:22

You can't. If you have some sort of filtering device in front of the ASA, you can do it there, otherwise no.

sspagnamantova Thu, 10/25/2007 - 06:04

The complete situation is: My ASA is on a private network, say 10.10.10.0/24. A public network (say 89.100.100.64/28) is routed through the ASA IP (say 10.10.10.10).

The internal network is natted as 192.168.0.0/24.

I'm able to static NAT some public IP to some internal machine/port, to access it from the Internet.

I would like to be able to access my ASA console (SSH and HTTPS) as, say, 89.100.100.69 and access it through the Internet.

Is there any way to obtain this?

Thank you

Simone

mherald Thu, 10/25/2007 - 06:20

I am just guessing here and do not have the equipment to try this out.

Just to access the ASDM or command line, entering http or ssh IP address /32 should get you access.

However to access the Management Console, provided you have set up contexts and the Management IP has a Public NAT, with the right rules, you should be able to access that IP as well.


Mike

sspagnamantova Fri, 10/26/2007 - 02:21

I didn't set up contexts and I prefer not to, if it's not strictly required (by the way, I tried to list contexts, but I got an error - command not found - is the ASA 5505 capable of managing contexts?).

The problem with your answer is knowing what the right rules are. I tried a lot but none worked.

Simone

pjhenriqs Thu, 10/25/2007 - 07:49

I am not sure if I understand but why don't you just allow SSH and HTTPS access to the outside interface of the ASA? Your outside interface can be accessed from the Internet so...


If you specify which hosts can access the ASA wouldn't this do what you want?


For example:


http outside

ssh outside


I apologize if I am not understanding your problem correctly.


Hope it helps.
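
Added example, not part of any post in this thread: a Python check that reads the per-host management rules referred to above (ASA form `ssh <ip> <mask> <interface>` and `http <ip> <mask> <interface>`) and flags entries on the outside interface that admit more than a single source address. The sample configuration, its addresses (documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONFIG = """\
http server enable
http 198.51.100.25 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 inside
ssh 198.51.100.25 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 203.0.113.0 255.255.255.0 outside
ssh timeout 5
"""

# Matches only the "<proto> <ip> <mask> <interface>" access rules.
RULE = re.compile(
    r"^(ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def parse_mgmt_rules(config):
    """Return (protocol, source network, interface) for each access rule."""
    rules = []
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # skips lines such as "ssh timeout 5" or "http server enable"
        proto, addr, mask, iface = m.groups()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((proto, net, iface))
    return rules


def audit(config, external_ifaces=("outside",), max_hosts=1):
    """Flag management rules on external interfaces wider than max_hosts."""
    findings = []
    for proto, net, iface in parse_mgmt_rules(config):
        if iface in external_ifaces and net.num_addresses > max_hosts:
            findings.append((proto, str(net), iface, net.num_addresses))
    return findings


if __name__ == "__main__":
    for proto, net, iface, size in audit(SAMPLE_CONFIG):
        print(f"{proto} from {net} on {iface}: {size} source addresses allowed")
```
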

sspagnamantova Fri, 10/26/2007 - 09:28

The address of the ASA is on a private network (I wrote 10.10.10.10), so it is not reachable from the Internet.

A public subnet (I wrote 89.100.100.64/28) is routed by the provider to the private address.

If I configure the ASA, I can route the subnet on an interface and (if the access rules are correct) connect machines on the public network on that interface, access them from the Internet and access the Internet from those machines.

Also, the ASA is assigned a public address on that interface but, as the packets arrive from internal routing and not from the interface, I can't access SSH and HTTPS from the Internet (I could only from the machines connected to the interface).

